kudaes / elevator
UAC bypass by abusing RPC and debug objects.
License: MIT License
No offense, can you upload in Releases the ready exe with any key you want?
`Elevator.cargo\config` is deprecated in favor of `config.toml`
note: if you need to support cargo 1.38 or earlier, you can symlink `config` to `config.toml`
thank you
Not sure this is an issue, but when I tested this on a very hardened system, I get an "RPR call to RAiLaunchAdminProcess failed" message. Any suggestions?
I get the following error when running elevator.exe --new-console C:\windows\System32\cmd.exe
[+] Unelevatad notepad.exe process created.
[+] Reference to debug object retrieved.
[+] Debug object successfully detached.
[+] Elevated taskmgr.exe process created.
[+] Initial process creation debug event obtained.
[+] Full access handle obtained.
[x] The new process could not be spawned.
hi,
thx a lot for your time and this dev, I am struggling compiling, facing this issue, any tip to solve it? thx a lot
PS C:\Users\nocomp\tools\Elevator\Elevator> set LITCRYPT_ENCRYPT_KEY="fondue"
PS C:\Users\nocomp\tools\Elevator\Elevator> cargo build --release
Compiling dinvoke v0.1.0 (C:\Users\nocomp\tools\Elevator\Elevator\dinvoke)
error: proc macro panicked
--> dinvoke\src\lib.rs:3:1
|
3 | use_litcrypt!();
| ^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:519:24
|
519 | return Err(lc!("[x] Failed to call module's entry point (DllMain -> DLL_PROCESS_ATTACH)."));
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:597:60
|
597 | let module_base_address = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:598:46
|
598 | dynamic_invoke!(module_base_address,&lc!("LdrGetProcedureAddress"),func_ptr,ret,hmodule,fun_name,ordinal,return_address);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:624:60
|
624 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:625:46
|
625 | dynamic_invoke!(module_base_address,&lc!("SetUnhandledExceptionFilter"),func_ptr,ret,address);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:653:60
|
653 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:654:46
|
654 | dynamic_invoke!(module_base_address,&lc!("LoadLibraryA"),func_ptr,ret,function_name);
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:687:60
|
687 | let module_base_address = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:688:46
|
688 | dynamic_invoke!(module_base_address,&lc!("OpenProcess"),func_ptr,ret,desired_access,inherit_handle,process_id);
| ^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:723:46
|
723 | let ntdll = get_module_base_address(&lc!("kernel32.dll"));
| ^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:724:32
|
724 | dynamic_invoke!(ntdll,&lc!("CloseHandle"),func_ptr,ret,handle);
| ^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:752:46
|
752 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:756:53
|
756 | let addr = get_function_address(ntdll, &lc!("NtWriteVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:770:32
|
770 | dynamic_invoke!(ntdll,&lc!("NtWriteVirtualMemory"),func_ptr,ret,handle,base_address,buffer,size,bytes_written);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:789:46
|
789 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:793:53
|
793 | let addr = get_function_address(ntdll, &lc!("NtAllocateVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:803:32
|
803 | dynamic_invoke!(ntdll,&lc!("NtAllocateVirtualMemory"),func_ptr,ret,handle,base_address,zero_bits,size,allocation_type,protection);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:821:46
|
821 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:825:53
|
825 | let addr = get_function_address(ntdll, &lc!("NtProtectVirtualMemory")) as usize;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:839:32
|
839 | dynamic_invoke!(ntdll,&lc!("NtProtectVirtualMemory"),func_ptr,ret,handle,base_address,size,new_protection,old_protection);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:857:46
|
857 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:861:53
|
861 | let addr = get_function_address(ntdll, &lc!("NtOpenProcess")) as usize;
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:877:32
|
877 | dynamic_invoke!(ntdll,&lc!("NtOpenProcess"),func_ptr,ret,handle,access,attributes,client_id);
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:896:46
|
896 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:897:32
|
897 | ... dynamic_invoke!(ntdll,&lc!("NtQueryInformationProcess"),func_ptr,ret,handle,process_information_class,process_information,length,re...
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:915:46
|
915 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:916:32
|
916 | dynamic_invoke!(ntdll,&lc!("RtlAdjustPrivilege"),func_ptr,ret,privilege,enable,current_thread,enabled);
| ^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:934:46
|
934 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:935:32
|
935 | dynamic_invoke!(ntdll,&lc!("RtlInitUnicodeString"),func_ptr,_ret,destination_string, source_string);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:948:46
|
948 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:949:32
|
949 | dynamic_invoke!(ntdll,&lc!("RtlZeroMemory"),func_ptr,_ret,address,length);
| ^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:963:46
|
963 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:964:32
|
964 | dynamic_invoke!(ntdll,&lc!("NtOpenFile"),func_ptr,ret,file_handle,desired_access,object_attributes,io,share_access,options);
| ^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:982:46
|
982 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:983:32
|
983 | ... dynamic_invoke!(ntdll,&lc!("NtDuplicateObject"),func_ptr,ret,source_phandle,source_handle,target_phandle,target_handle,desired_acce...
| ^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:1002:46
|
1002 | let ntdll = get_module_base_address(&lc!("ntdll.dll"));
| ^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: proc macro panicked
--> dinvoke\src\lib.rs:1021:32
|
1021 | ... dynamic_invoke!(ntdll,&lc!("NtCreateThreadEx"),func_ptr,ret,thread,access,attributes,process,function,args,flags,zero,stack,reserve...
| ^^^^^^^^^^^^^^^^^^^^^^^
|
= help: message: LITCRYPT_ENCRYPT_KEY environment variable not set.
error: could not compile dinvoke
due to 38 previous errors
PS C:\Users\nocomp\tools\Elevator\Elevator>
Can you release a finished product? There is no compilation environment on this machine. Thank you!
When compiling I'm getting the following errors
C:\Desktop\Elevator-main\Elevator>cargo build --release
Compiling proc-macro2 v1.0.47
Compiling quote v1.0.21
Compiling unicode-ident v1.0.5
Compiling syn v1.0.105
Compiling windows_quote v0.19.0
Compiling windows_reader v0.19.0
Compiling memchr v2.5.0
Compiling cfg-if v1.0.0
Compiling cc v1.0.78
Compiling libc v0.2.138
Compiling windows_gen v0.19.0
Compiling const-sha1 v0.2.0
Compiling winapi v0.3.9
Compiling backtrace v0.3.67
Compiling gimli v0.27.0
Compiling adler v1.0.2
Compiling failure_derive v0.1.8
Compiling unicode-xid v0.2.4
Compiling synstructure v0.12.6
Compiling addr2line v0.19.0
Compiling miniz_oxide v0.6.2
Compiling object v0.30.0
Compiling windows_macros v0.19.0
Compiling windows v0.19.0
Compiling bindings v0.1.0 (C:\Desktop\Elevator-main\Elevator\bindings)
Compiling rustc-demangle v0.1.21
Compiling log v0.4.17
Compiling widestring v0.4.3
Compiling bitflags v1.3.2
Compiling failure v0.1.8
Compiling winproc v0.6.4
Compiling litcrypt v0.3.0
warning: unused return value of `Box::<T>::from_raw` that must be used
--> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:253:33 |
253 | ... ::std::boxed::Box::from_raw(value.0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
= note: `#[warn(unused_must_use)]` on by default
warning: unused return value of `Box::<T>::from_raw` that must be used
--> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:310:33 |
310 | ... ::std::boxed::Box::from_raw(value.0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
Compiling data v0.1.0 (C:\Desktop\Elevator-main\Elevator\data)
Compiling dinvoke v0.1.0 (C:\Desktop\Elevator-main\Elevator\dinvoke)
Compiling os_info v3.5.1
warning: unreachable pattern
--> dinvoke\src\lib.rs:155:21
|
155 | _ => (*(*exceptioninfo).context_record).Rip += 1
| ^
|
= note: `#[warn(unreachable_patterns)]` on by default
warning: `bindings` (lib) generated 2 warnings
Compiling static_vcruntime v2.0.0
Compiling hex v0.4.3
Compiling elevator v0.1.0 (C:\Desktop\Elevator-main\Elevator)
Compiling manualmap v0.1.0 (C:\Desktop\Elevator-main\Elevator\manualmap)
Compiling rpcclient v0.1.0 (C:\Desktop\Elevator-main\Elevator\rpcclient)
warning: `dinvoke` (lib) generated 1 warning
Finished release [optimized] target(s) in 39.58s
C:\Desktop\Elevator-main\Elevator>set LITCRYPT_ENCRYPT_KEY="key"
C:\Desktop\Elevator-main\Elevator>cargo build --release
warning: unused return value of `Box::<T>::from_raw` that must be used
--> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:253:33 |
253 | ... ::std::boxed::Box::from_raw(value.0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
= note: `#[warn(unused_must_use)]` on by default
warning: unused return value of `Box::<T>::from_raw` that must be used
--> C:\Desktop\Elevator-main\Elevator\target\release\build\bindings-f9c61dc1923f2af4\out/windows.rs:310:33 |
310 | ... ::std::boxed::Box::from_raw(value.0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: call `drop(from_raw(ptr))` if you intend to drop the `Box`
warning: `bindings` (lib) generated 2 warnings
warning: unreachable pattern
--> dinvoke\src\lib.rs:155:21
|
155 | _ => (*(*exceptioninfo).context_record).Rip += 1
| ^
|
= note: `#[warn(unreachable_patterns)]` on by default
warning: `dinvoke` (lib) generated 1 warning
Finished release [optimized] target(s) in 0.22s
Despite being able to create the executable anyway
and when running that executable I get the error box
What can be the issue here?