Added a PoC for SeShutdownPrivilege
daem0nc0re committed Jun 26, 2022
1 parent ddfec09 commit e4e702b
Showing 6 changed files with 327 additions and 1 deletion.
6 changes: 6 additions & 0 deletions PrivilegedOperations/PrivilegedOperations.sln
Expand Up @@ -11,6 +11,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SeCreateTokenPrivilegePoC",
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SeTcbPrivilegePoC", "SeTcbPrivilegePoC\SeTcbPrivilegePoC.csproj", "{2297A528-E866-4056-814A-D01C1C305A38}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SeShutdownPrivilegePoC", "SeShutdownPrivilegePoC\SeShutdownPrivilegePoC.csproj", "{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Expand All @@ -33,6 +35,10 @@ Global
{2297A528-E866-4056-814A-D01C1C305A38}.Debug|Any CPU.Build.0 = Debug|Any CPU
{2297A528-E866-4056-814A-D01C1C305A38}.Release|Any CPU.ActiveCfg = Release|Any CPU
{2297A528-E866-4056-814A-D01C1C305A38}.Release|Any CPU.Build.0 = Release|Any CPU
{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}.Debug|Any CPU.Build.0 = Debug|Any CPU
{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}.Release|Any CPU.ActiveCfg = Release|Any CPU
{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
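--- a/PrivilegedOperations/SeShutdownPrivilegePoC/App.config
+++ b/PrivilegedOperations/SeShutdownPrivilegePoC/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+<startup>
+<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+</startup>
+</configuration>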
@@ -0,0 +1,36 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SeShutdownPrivilegePoC")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SeShutdownPrivilegePoC")]
[assembly: AssemblyCopyright("Copyright © 2022")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("9e36ae6e-b9fd-4b9b-99ba-42d3eacd7506")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
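--- a/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.cs
+++ b/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.cs
@@ -0,0 +1,224 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Runtime.InteropServices;
+
+namespace SeShutdownPrivilegePoC
+{
+class SeShutdownPrivilegePoC
+{
+/*
+* P/Invoke : Enums
+*/
+[Flags]
+enum FormatMessageFlags : uint
+{
+FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100,
+FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200,
+FORMAT_MESSAGE_FROM_STRING = 0x00000400,
+FORMAT_MESSAGE_FROM_HMODULE = 0x00000800,
+FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000,
+FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000
+}
+
+enum HARDERROR_RESPONSE
+{
+ResponseReturnToCaller,
+ResponseNotHandled,
+ResponseAbort,
+ResponseCancel,
+ResponseIgnore,
+ResponseNo,
+ResponseOk,
+ResponseRetry,
+ResponseYes
+}
+
+enum HARDERROR_RESPONSE_OPTION
+{
+OptionAbortRetryIgnore,
+OptionOk,
+OptionOkCancel,
+OptionRetryCancel,
+OptionYesNo,
+OptionYesNoCancel,
+OptionShutdownSystem
+}
+
+enum MESSAGEBOX_RETURN
+{
+IDOK = 1,
+IDCANCEL = 2,
+IDABORT = 3,
+IDRETRY = 4,
+IDIGNORE = 5,
+IDYES = 6,
+IDNO = 7,
+IDTRYAGAIN = 10,
+IDCONTINUE = 11
+}
+
+enum MESSAGEBOX_TYPE : uint
+{
+MB_APPLMODAL = 0x00000000u,
+MB_DEFBUTTON1 = 0x00000000u,
+MB_OK = 0x00000000u,
+MB_OKCANCEL = 0x00000001u,
+MB_ABORTRETRYIGNORE = 0x00000002u,
+MB_YESNOCANCEL = 0x00000003u,
+MB_YESNO = 0x00000004u,
+MB_RETRYCANCEL = 0x00000005u,
+MB_CANCELTRYCONTINUE = 0x00000006u,
+MB_ICONSTOP = 0x00000010u,
+MB_ICONERROR = 0x00000010u,
+MB_ICONHAND = 0x00000010u,
+MB_ICONQUESTION = 0x00000020u,
+MB_ICONEXCLAMATION = 0x00000030u,
+MB_ICONWARNING = 0x00000030u,
+MB_ICONINFORMATION = 0x00000040u,
+MB_ICONASTERISK = 0x00000040u,
+MB_DEFBUTTON2 = 0x00000100u,
+MB_DEFBUTTON3 = 0x00000200u,
+MB_DEFBUTTON4 = 0x00000300u,
+MB_SYSTEMMODAL = 0x00001000u,
+MB_TASKMODAL = 0x00002000u,
+MB_HELP = 0x00004000u,
+MB_SETFOREGROUND = 0x00010000u,
+MB_DEFAULT_DESKTOP_ONLY = 0x00020000u,
+MB_TOPMOST = 0x00040000u,
+MB_RIGHT = 0x00080000u,
+MB_RTLREADING = 0x00100000u,
+MB_SERVICE_NOTIFICATION = 0x00200000u
+}
+
+/*
+* P/Invoke : Win32 APIs
+*/
+[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
+static extern int FormatMessage(
+FormatMessageFlags dwFlags,
+IntPtr lpSource,
+int dwMessageId,
+int dwLanguageId,
+StringBuilder lpBuffer,
+int nSize,
+IntPtr Arguments);
+
+[DllImport("kernel32.dll", SetLastError = true)]
+static extern bool FreeLibrary(IntPtr hLibModule);
+
+[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
+static extern IntPtr LoadLibrary(string lpFileName);
+
+[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+static extern int MessageBox(
+IntPtr hWnd,
+string lpText,
+string lpCaption,
+MESSAGEBOX_TYPE uType);
+
+[DllImport("ntdll.dll")]
+static extern int NtRaiseHardError(
+int ErrorStatus,
+uint NumberOfParameters,
+IntPtr /* PUNICODE_STRING */ UnicodeStringParameterMask,
+IntPtr Parameters,
+HARDERROR_RESPONSE_OPTION ResponseOption,
+out HARDERROR_RESPONSE Response );
+
+
+static string GetWin32ErrorMessage(int code, bool isNtStatus)
+{
+var message = new StringBuilder();
+var messageSize = 255;
+FormatMessageFlags messageFlag;
+IntPtr pNtdll;
+message.Capacity = messageSize;
+
+if (isNtStatus)
+{
+pNtdll = LoadLibrary("ntdll.dll");
+messageFlag = FormatMessageFlags.FORMAT_MESSAGE_FROM_HMODULE |
+FormatMessageFlags.FORMAT_MESSAGE_FROM_SYSTEM;
+}
+else
+{
+pNtdll = IntPtr.Zero;
+messageFlag = FormatMessageFlags.FORMAT_MESSAGE_FROM_SYSTEM;
+}
+
+int ret = FormatMessage(
+messageFlag,
+pNtdll,
+code,
+0,
+message,
+messageSize,
+IntPtr.Zero);
+
+if (isNtStatus)
+FreeLibrary(pNtdll);
+
+if (ret == 0)
+{
+return string.Format("[ERROR] Code 0x{0}", code.ToString("X8"));
+}
+else
+{
+return string.Format(
+"[ERROR] Code 0x{0} : {1}",
+code.ToString("X8"),
+message.ToString().Trim());
+}
+}
+
+static bool RaiseBSOD()
+{
+int STATUS_SUCCESS = 0;
+int STATUS_ACCESS_VIOLATION = Convert.ToInt32("0xC0000005", 16);
+
+int ntstatus = NtRaiseHardError(
+STATUS_ACCESS_VIOLATION,
+0,
+IntPtr.Zero,
+IntPtr.Zero,
+HARDERROR_RESPONSE_OPTION.OptionShutdownSystem,
+out HARDERROR_RESPONSE Response);
+
+if (ntstatus != STATUS_SUCCESS)
+{
+Console.WriteLine("[-] Failed to raise hard error.");
+Console.WriteLine(" |-> {0}\n", GetWin32ErrorMessage(ntstatus, true));
+
+return false;
+}
+
+Console.WriteLine("[+] NtRaiseHardError API is called successfully.");
+
+return true;
+}
+
+static void Main()
+{
+Console.WriteLine("[*] If you have SeShutdownPrivilege, you can raise hard error.");
+Console.WriteLine("[*] This PoC tries to cause BSOD with hard error.");
+
+int ret = MessageBox(
+IntPtr.Zero,
+"This PoC will cause BSOD.\nAre you ready?",
+"Alert",
+MESSAGEBOX_TYPE.MB_OKCANCEL);
+
+if ((MESSAGEBOX_RETURN)ret != MESSAGEBOX_RETURN.IDOK)
+{
+Console.WriteLine("[*] Abort.");
+return;
+}
+
+Console.WriteLine("[>] Trying to raise hardware error.");
+
+RaiseBSOD();
+}
+}
+}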
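Review bot: GetWin32ErrorMessage never checks the handle returned by LoadLibrary, so on failure the FormatMessage call runs with FORMAT_MESSAGE_FROM_HMODULE and a null source and FreeLibrary is then invoked on IntPtr.Zero; guard the release with `if (pNtdll != IntPtr.Zero) FreeLibrary(pNtdll);` and drop the FROM_HMODULE flag when the handle is zero. RaiseBSOD discards the `Response` value that NtRaiseHardError hands back, so any outcome with a success status is reported as "called successfully" even when the system was not shut down; printing it, e.g. `Console.WriteLine("[*] Response: {0}", Response);`, makes the actual result observable. The status line in Main reads `"[>] Trying to raise hardware error."` while the API raises a hard error, so `"[>] Trying to raise hard error."` would match the wording used two lines earlier and in RaiseBSOD. `Convert.ToInt32("0xC0000005", 16)` depends on Convert's two's-complement handling for base 16 to produce a negative NTSTATUS; `unchecked((int)0xC0000005)` states that intent directly and avoids a runtime string parse for a constant.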
@@ -0,0 +1,54 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{9E36AE6E-B9FD-4B9B-99BA-42D3EACD7506}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>SeShutdownPrivilegePoC</RootNamespace>
<AssemblyName>SeShutdownPrivilegePoC</AssemblyName>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>..\bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>..\bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="SeShutdownPrivilegePoC.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
Expand Up @@ -777,7 +777,7 @@ static void Main()
var groupSids = new string[]{ BACKUP_OPERATORS_SID };

Console.WriteLine("[*] If you have SeTcbPrivilege, you can perform S4U Logon.");
Console.WriteLine("[*] This PoC try to perform S4U Logon and add \"Builtin\\Backup Operators\" to current token group.");
Console.WriteLine("[*] This PoC tries to perform S4U Logon and add \"Builtin\\Backup Operators\" to current token group.");

hS4uToken = GetMsvS4uLogonToken(
Environment.UserName,
