Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Privilege Escalation Library
SECRET//NOFORN
Stash Repository: Privilege Escalation
Interface Description:
The interfaces for the Privilege Escalation Library specifies the following functions be available:
Kernel Mode Privilege Escalation (IKernelPrivEsc):
virtual PrivEscErr elevatePrivs( DWORD dwPID ) = 0;
dwPID [in]: Specify the PIDProcess ID (process ID) of the process you wish to elevate.
Returns a PrivEscErr described in the Error Code Descriptions section.
User Mode Privilege Escalation (IUserPrivEsc):
virtual PrivEscErr elevatePrivs(WCHAR *wcPath, PVOID pvParams) = 0;
wcPath [in]: The path to the payload you wish to start as a privileged user (admin or system privileges). Depening on the module this could also be the command line that gets executed when starting an executable with privileges.
pvParams [in, opt]: A module specific structure that contains configuration options for the module. In some modules this argument can be left NULL. See module documentation for information regarding this argument.
Returns a PrivEscErr described in the Error Code Descriptions section.
Library Conventions: Describe any and all conventions submissions should adhere to for this library. Applying a naming convention can help with the organization of the library. Any organizational requirements or notes go here as well.
Naming convention of projects in the Privilege Escalation Library:
- Prefix PEPrivilege Escalation (Privilege Escalation)
- Exploit name/crypt
- _ architecture supported. x86, x64, x86&64
Example:
PEVanguard_x86&64
PE = Privilege Escalation
Vanguard = Exploit name
_x86&64 = This library supports both x86 and x64 processors.
Privilege Escalation Member List:
Vanguard Kernel Exploit (PEKVanguard_x86x64)
INF File Install UACUser Account Control Bypass (PEUSandWorm_x86x64)
Error Code Descriptions:
Return Code Type For Privilege Escalation Library: enum PrivEscErr: int.
Error codes >= 0 are successful. The return codes will work with the SUCCESS() and FAILED() macro
enum PrivEscErr : int
{
// Success:
ePE_ERROR_SUCCESS = 0,
// Errors:
ePE_ERROR_GENERIC = -1,
ePE_INVALID_ARGUMENTS = -2, //Invalid arguments were passed to the function
ePE_SW_FAILED_INF_GEN = -20 //Failed to generate the inf file
};
Code Sample Using The Library Interfaces:
//IKernelPrivEsc Example
IKernelPrivEsc *pPrivEsc = new PEKVanguard_x86x64();
//Elevate
PrivEscErr pErr = pPrivEsc->elevatePrivs(GetCurrentProcessId());
//Cleanup
delete pPrivEsc;
/*===========================================================================================*/
//IUserPrivEsc Example
IUserPrivEsc *pPrivEsc = new PEUSandWorm_x86x64();
//Initialize structure
SANDWORM sw;
sw.wcInfTarget = wcInf;
sw.etEntryType = etRunOnce;
sw.wcSectionName = L"Section";
//Write Payload
//Escalate Privileges
PrivEscErr pErr = pPrivEsc->elevatePrivs(wcPayload, &sw);
//Cleanup
delete pPrivEsc;
SECRET//NOFORN