12th June 2009: Binaries and Source Code Released
Sod it:
- Win7ElevateV2.zip (32-bit and 64-bit binaries; use the version for your OS.)
- Win7ElevateV2_Source.zip (C++ source code, and detailed guide to how it works.)
As well as the C++ code, the source archive contains a text file describing both parts of the method I'm using in detail, including information about the CRYPTBASE.DLL thing which I've not published before (mainly because it isn't that interesting, TBH; it's just the final link in the chain).
Now that I've released the binaries, MS can probably block them via Windows Defender or plug the CRYPTBASE.DLL hole, and that might cause people to say "they've fixed it, stop complaining," but unless they fix the underlying code-injection / COM elevation problem, the file copy stuff will still work. Fixing only the CRYPTBASE.DLL part, or blocking the particular EXE or DLL, will just mean I or someone else has to find another slightly different way to take advantage of the file copy part, which MS seem unwilling/unable to fix (or even admit is a problem at all). Finding the CRYPTBASE.DLL method took all of about 10 minutes, so I'd be surprised if finding a replacement will be hard.
Source: Windows 7 UAC whitelist
Video: Video demonstration source