kudaes / elevator Goto Github PK

View Code? Open in Web Editor NEW

596.0 11.0 69.0 90 KB

UAC bypass by abusing RPC and debug objects.

License: MIT License

C++ 53.13% C 1.31% Rust 45.46% Python 0.09%

hacking redteam rust uac-bypass windows

elevator's People

Contributors

Stargazers

Watchers

Forkers

bubutzza oakkaya fuzzyun1c0rn gavz rbcrack askyeye phuong39 y11en test1213145 icodein bahadirtmzr nocomp rajivraj killvxk fengjixuchui ellen2015 nisfan crimsonlabs-io richardsonjf dannymas msf-ntdll psanjay679 wangyanan131 0xrobert miralayipouya topotam watch-later vjingbi vanpersiexp bhassani xcalibure2 nyamekesse sec-fork sunnyneo raitomx cvlabsio hxlxmjxbbxs jakouis crispud fourcorelabs cediegreyhat pewpew111 guanglianniubi iamasbcx seahop hzmslx codingman aoikirito wuxueeee noorahsmith ahrendsschmidt xciscox jermainlaforce zayanrumi inosec2 zha0 emdnaia kahluri ddawxaf dkstar11q red-infosec c0de-sin

elevator's Issues

Releases

No offense , can upload in Releases the ready exe with any key you want .

Elevator.cargo\configis deprecated in favor ofconfig.tomlnote: if you need to support cargo 1.38 or earlier, you can symlinkconfigtoconfig.toml`

thank you

RPCC Client Path

I am running in windows 10 version 21H2 (os build 19044.1889)

getting code error

File "C:\Users\XXXXX\Downloads\Elevator-main\Elevator\Cargo.toml", line 7
rpcclient = { path = "rpcclient" }
^^^^^^^^^^^^^^^^^^
SyntaxError: invalid syntax. Maybe you meant '==' or ':=' instead of '='?

please support

RPC call to RAiLaunchAdminProcess failed

Not sure this is an issue, but when I tested this on a very hardened system, I get an "RPR call to RAiLaunchAdminProcess failed" message. Any suggestions?

Initial process creation debug event not received

I get the following error when running elevator.exe --new-console C:\windows\System32\cmd.exe

[+] Unelevatad notepad.exe process created.
[+] Reference to debug object retrieved.
[+] Debug object successfully detached.
[+] Elevated taskmgr.exe process created.
[+] Initial process creation debug event obtained.
[+] Full access handle obtained.
[x] The new process could not be spawned.

compile error LITCRYPT_ENCRYPT_KEY environment variable not set.

hi,
thx a lot for your time and this dev, i am struggling compiling facing this isse, any tip for solve it? thxx a lot

PS C:\Users\nocomp\tools\Elevator\Elevator> set LITCRYPT_ENCRYPT_KEY="fondue"
PS C:\Users\nocomp\tools\Elevator\Elevator> cargo build --release
Compiling dinvoke v0.1.0 (C:\Users\nocomp\tools\Elevator\Elevator\dinvoke)
error: proc macro panicked
--> dinvoke\src\lib.rs:3:1
|
3 | use_litcrypt!();
| ^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:519:24
|
519 | return Err(lc!("[x] Failed to call module's entry point (DllMain -> DLL_PROCESS_ATTACH)."));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:597:60
|
597 | let module_base_address = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:598:46
|
598 | dynamic_invoke!(module_base_address,&lc!("LdrGetProcedureAddress"),func_ptr,ret,hmodule,fun_name,ordinal,return_address);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:624:60
|
624 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:625:46
|
625 | dynamic_invoke!(module_base_address,&lc!("SetUnhandledExceptionFilter"),func_ptr,ret,address);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:653:60
|
653 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:654:46
|
654 | dynamic_invoke!(module_base_address,&lc!("LoadLibraryA"),func_ptr,ret,function_name);
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:687:60
|
687 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:688:46
|
688 | dynamic_invoke!(module_base_address,&lc!("OpenProcess"),func_ptr,ret,desired_access,inherit_handle,process_id);
| ^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:723:46
|
723 | let ntdll = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:724:32
|
724 | dynamic_invoke!(ntdll,&lc!("CloseHandle"),func_ptr,ret,handle);
| ^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:752:46
|
752 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:756:53
|
756 | let addr = get_function_address(ntdll, &lc!("NtWriteVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:770:32
|
770 | dynamic_invoke!(ntdll,&lc!("NtWriteVirtualMemory"),func_ptr,ret,handle,base_address,buffer,size,bytes_written);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:789:46
|
789 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:793:53
|
793 | let addr = get_function_address(ntdll, &lc!("NtAllocateVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:803:32
|
803 | dynamic_invoke!(ntdll,&lc!("NtAllocateVirtualMemory"),func_ptr,ret,handle,base_address,zero_bits,size,allocation_type,protection);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:821:46
|
821 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:825:53
|
825 | let addr = get_function_address(ntdll, &lc!("NtProtectVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:839:32
|
839 | dynamic_invoke!(ntdll,&lc!("NtProtectVirtualMemory"),func_ptr,ret,handle,base_address,size,new_protection,old_protection);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:857:46
|
857 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:861:53
|
861 | let addr = get_function_address(ntdll, &lc!("NtOpenProcess")) as usize;
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:877:32
|
877 | dynamic_invoke!(ntdll,&lc!("NtOpenProcess"),func_ptr,ret,handle,access,attributes,client_id);
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:896:46
|
896 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:897:32
|
897 | ... dynamic_invoke!(ntdll,&lc!("NtQueryInformationProcess"),func_ptr,ret,handle,process_information_class,process_information,length,re...
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:915:46
|
915 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:916:32
|
916 | dynamic_invoke!(ntdll,&lc!("RtlAdjustPrivilege"),func_ptr,ret,privilege,enable,current_thread,enabled);
| ^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:934:46
|
934 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:935:32
|
935 | dynamic_invoke!(ntdll,&lc!("RtlInitUnicodeString"),func_ptr,_ret,destination_string, source_string);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:948:46
|
948 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:949:32
|
949 | dynamic_invoke!(ntdll,&lc!("RtlZeroMemory"),func_ptr,_ret,address,length);
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:963:46
|
963 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:964:32
|
964 | dynamic_invoke!(ntdll,&lc!("NtOpenFile"),func_ptr,ret,file_handle,desired_access,object_attributes,io,share_access,options);
| ^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:982:46
|
982 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:983:32
|
983 | ... dynamic_invoke!(ntdll,&lc!("NtDuplicateObject"),func_ptr,ret,source_phandle,source_handle,target_phandle,target_handle,desired_acce...
| ^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:1002:46
|
1002 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: proc macro panicked
--> dinvoke\src\lib.rs:1021:32
|
1021 | ... dynamic_invoke!(ntdll,&lc!("NtCreateThreadEx"),func_ptr,ret,thread,access,attributes,process,function,args,flags,zero,stack,reserve...
| ^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.

error: could not compile dinvoke due to 38 previous errors
PS C:\Users\nocomp\tools\Elevator\Elevator>

Can you release a finished product?

Can you release a finished product? There is no compilation environment on this machine. Thank you!

Compiling and execution error

When compiling I'm getting the following errors

C:\Desktop\Elevator-main\Elevator>cargo build --release
   Compiling proc-macro2 v1.0.47
   Compiling quote v1.0.21
   Compiling unicode-ident v1.0.5
   Compiling syn v1.0.105
   Compiling windows_quote v0.19.0
   Compiling windows_reader v0.19.0
   Compiling memchr v2.5.0
   Compiling cfg-if v1.0.0
   Compiling cc v1.0.78
   Compiling libc v0.2.138
   Compiling windows_gen v0.19.0
   Compiling const-sha1 v0.2.0
   Compiling winapi v0.3.9
   Compiling backtrace v0.3.67
   Compiling gimli v0.27.0
   Compiling adler v1.0.2
   Compiling failure_derive v0.1.8
   Compiling unicode-xid v0.2.4
   Compiling synstructure v0.12.6
   Compiling addr2line v0.19.0
   Compiling miniz_oxide v0.6.2
   Compiling object v0.30.0
   Compiling windows_macros v0.19.0
   Compiling windows v0.19.0
   Compiling bindings v0.1.0 (C:\Desktop\Elevator-main\Elevator\bindings)
   Compiling rustc-demangle v0.1.21
   Compiling log v0.4.17
   Compiling widestring v0.4.3
   Compiling bitflags v1.3.2
   Compiling failure v0.1.8
   Compiling winproc v0.6.4
   Compiling litcrypt v0.3.0
warning: unused return value of `Box::<T>::from_raw` that must be used
   --> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:253:33    |
253 | ...                   ::std::boxed::Box::from_raw(value.0);
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
    = note: `#[warn(unused_must_use)]` on by default

warning: unused return value of `Box::<T>::from_raw` that must be used
   --> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:310:33    |
310 | ...                   ::std::boxed::Box::from_raw(value.0);
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: call `drop(from_raw(ptr))` if you intend to drop the `Box`

   Compiling data v0.1.0 (C:\Desktop\Elevator-main\Elevator\data)
   Compiling dinvoke v0.1.0 (C:\Desktop\Elevator-main\Elevator\dinvoke)
   Compiling os_info v3.5.1
warning: unreachable pattern
   --> dinvoke\src\lib.rs:155:21
    |
155 |                     _ => (*(*exceptioninfo).context_record).Rip += 1
    |                     ^
    |
    = note: `#[warn(unreachable_patterns)]` on by default

warning: `bindings` (lib) generated 2 warnings
   Compiling static_vcruntime v2.0.0
   Compiling hex v0.4.3
   Compiling elevator v0.1.0 (C:\Desktop\Elevator-main\Elevator)
   Compiling manualmap v0.1.0 (C:\Desktop\Elevator-main\Elevator\manualmap)
   Compiling rpcclient v0.1.0 (C:\Desktop\Elevator-main\Elevator\rpcclient)
warning: `dinvoke` (lib) generated 1 warning
    Finished release [optimized] target(s) in 39.58s

C:\Desktop\Elevator-main\Elevator>set LITCRYPT_ENCRYPT_KEY="key"

C:\Desktop\Elevator-main\Elevator>cargo build --release
warning: unused return value of `Box::<T>::from_raw` that must be used
   --> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:253:33    |
253 | ...                   ::std::boxed::Box::from_raw(value.0);
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
    = note: `#[warn(unused_must_use)]` on by default

warning: unused return value of `Box::<T>::from_raw` that must be used
   --> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:310:33    |
310 | ...                   ::std::boxed::Box::from_raw(value.0);
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: call `drop(from_raw(ptr))` if you intend to drop the `Box`

warning: `bindings` (lib) generated 2 warnings
warning: unreachable pattern
   --> dinvoke\src\lib.rs:155:21
    |
155 |                     _ => (*(*exceptioninfo).context_record).Rip += 1
    |                     ^
    |
    = note: `#[warn(unreachable_patterns)]` on by default

warning: `dinvoke` (lib) generated 1 warning
    Finished release [optimized] target(s) in 0.22s

Despite being able to create the executable anyway

and when running that executable I get the error box

Error Message Box

What can be the issue here?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.