#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <stdio.h>
#include <stdlib.h>
#include <aclapi.h>
#include <dsgetdc.h>
#include <objbase.h>
#include <iads.h>
#include <lm.h>
#include <winldap.h>
#include <dsgetdc.h>
#include <shlobj.h>
#include <dsclient.h>
#include <ntdsapi.h>
#include <winbase.h>
#include <ntsam.h>
#include <ntlsa.h>
#include <sddl.h>
#include <seopaque.h>
#include <sertlp.h>
#include "authz.h"
#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
#define MY_MAX 1024
/*
 * Scratch storage shared by wmain.  Buffer is overlaid with an
 * AUTHZ_ACCESS_REPLY header followed by its Error and GrantedAccessMask
 * arrays; TypeListBuffer is overlaid with an OBJECT_TYPE_LIST array.
 * Both overlays rely on the compiler placing these globals at an address
 * aligned for pointers (CHAR arrays carry no alignment guarantee of their
 * own).
 */
CHAR Buffer[MY_MAX];
CHAR TypeListBuffer[MY_MAX];

/*
 * Object-type GUIDs for the access request.  All nine share the same
 * prefix and differ only in the final byte (…304900 through …304908);
 * the SDDL string in wmain names GUIDs 0, 1, 3, 4 and 5 in its object ACEs.
 */
GUID Guid0 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x00}};
GUID Guid1 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x01}};
GUID Guid2 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x02}};
GUID Guid3 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x03}};
GUID Guid4 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x04}};
GUID Guid5 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x05}};
GUID Guid6 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x06}};
GUID Guid7 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x07}};
GUID Guid8 = {0x6da8a4ff, 0xe52, 0x11d0, {0xa2, 0x86, 0x00, 0xaa, 0x00, 0x30, 0x49, 0x08}};

/*
 * SIDs spelled out as raw little-endian ULONG words.  The first word packs
 * Revision (1), SubAuthorityCount and the leading identifier-authority
 * bytes; the second word holds the rest of the 48-bit identifier authority;
 * the remaining words are the sub-authorities.
 */
ULONG WORLD_SID[] = {0x101, 0x1000000, 0};        /* S-1-1-0 (Everyone) */

// S-1-5-21-397955417-626881126-188441444-2791022
ULONG KEDAR_SID[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x002a966e};

// S-1-5-21-397955417-626881126-188441444-2204519
ULONG RAHUL_SID[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x0021a367};

// S-1-5-21-397955417-626881126-188441444-2101332
ULONG ROBER_SID[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00201054};

/* Same layout, sub-authorities written in decimal (S-1-5-21-…-1002). */
ULONG LOCAL_RAJ_SID[] = {0x00000501, 0x05000000, 21, 1085031214, 57989841, 725345543, 1002};

/* Answer that MyAccessCheck reports for every callback ACE; wmain toggles it
   between the individual access checks. */
BOOL GlobalTruthValue = FALSE;
/*
 * Resource-manager callback consulted for every callback ACE.
 *
 * Test hook only: the ACE itself, the client context and the optional
 * arguments are ignored; the ACE is reported applicable exactly when the
 * harness has set GlobalTruthValue.  Always returns TRUE (success).
 */
BOOL MyAccessCheck(
    IN AUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext,
    IN PACE_HEADER pAce,
    IN PVOID pArgs OPTIONAL,
    IN OUT PBOOL pbAceApplicable
    )
{
    (void) pAuthzClientContext;
    (void) pAce;
    (void) pArgs;

    *pbAceApplicable = GlobalTruthValue;
    return TRUE;
}
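/*
 * Resource-manager callback that adds two groups to every client context:
 * KEDAR_SID (enabled) and RAHUL_SID (deny-only).  No restricted SIDs are
 * returned.
 *
 * The SID_AND_ATTRIBUTES array and both SID bodies live in one malloc()
 * block; ownership passes to the caller, which hands it back to
 * MyFreeDynamicGroups.
 *
 * Returns TRUE on success.  On failure returns FALSE with the last error
 * set, *pSidAttrArray == NULL and *pSidCount == 0, so the caller never
 * sees a count without a matching array.
 */
BOOL MyComputeDynamicGroups(
    IN AUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext,
    IN PVOID Args,
    OUT PSID_AND_ATTRIBUTES *pSidAttrArray,
    OUT PDWORD pSidCount,
    OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
    OUT PDWORD pRestrictedSidCount
    )
{
    /* Each SID's size is taken from the SID itself rather than assuming the
       two are the same length (the old Length/2 split only worked because
       both happen to have five sub-authorities). */
    ULONG KedarLength = RtlLengthSid((PSID) KEDAR_SID);
    ULONG RahulLength = RtlLengthSid((PSID) RAHUL_SID);
    PSID_AND_ATTRIBUTES Groups = NULL;
    PUCHAR SidStorage = NULL;

    (void) pAuthzClientContext;
    (void) Args;

    *pRestrictedSidAttrArray = NULL;
    *pRestrictedSidCount = 0;
    *pSidAttrArray = NULL;
    *pSidCount = 0;

    Groups = malloc(2 * sizeof(*Groups) + KedarLength + RahulLength);
    if (Groups == NULL) {
        SetLastError(ERROR_NOT_ENOUGH_MEMORY);
        return FALSE;
    }

    /* SID bodies start right after the two array elements.  SID_AND_ATTRIBUTES
       contains a pointer, so that offset is at least pointer-aligned, which
       satisfies the ULONG alignment a SID needs. */
    SidStorage = (PUCHAR) (Groups + 2);

    Groups[0].Attributes = SE_GROUP_ENABLED;
    Groups[0].Sid = SidStorage;
    if (!NT_SUCCESS(RtlCopySid(KedarLength, Groups[0].Sid, (PSID) KEDAR_SID))) {
        free(Groups);
        SetLastError(ERROR_INVALID_SID);
        return FALSE;
    }

    Groups[1].Attributes = SE_GROUP_USE_FOR_DENY_ONLY;
    Groups[1].Sid = SidStorage + KedarLength;
    if (!NT_SUCCESS(RtlCopySid(RahulLength, Groups[1].Sid, (PSID) RAHUL_SID))) {
        free(Groups);
        SetLastError(ERROR_INVALID_SID);
        return FALSE;
    }

    *pSidAttrArray = Groups;
    *pSidCount = 2;
    return TRUE;
}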
/*
 * Resource-manager callback that releases the block handed out by
 * MyComputeDynamicGroups (array and SID bodies are one allocation).
 * free(NULL) is a no-op, so a NULL argument needs no special casing.
 */
VOID MyFreeDynamicGroups(
    IN PSID_AND_ATTRIBUTES pSidAttrArray
    )
{
    free(pSidAttrArray);
}
/* Raw SID S-1-2-2 (identifier authority 2, one sub-authority).  It matches
   the first allow ACE in wmain's StringSD and is staged in SidAttr for the
   AuthzAddSidsToContext call that is commented out there. */
ULONG Special[] = { 0x101, 0x2000000, 2 };
#if 1
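/* Print one line per object-type-list entry of an access-check reply. */
static void PrintAccessReply(PAUTHZ_ACCESS_REPLY pReply)
{
    ULONG i;

    for (i = 0; i < pReply->ResultListLength; i++) {
        wprintf(L"i = %lu, AccessMask = %lx, Error = %lu\n",
                i, pReply->GrantedAccessMask[i], pReply->Error[i]);
    }
}

/*
 * Test driver for the Authz access-check API.
 *
 * Usage: <exe> <DesiredAccess-hex> [User|Token] [Audit]
 *   argv[1]  access mask to request, parsed as hex.
 *   argv[2]  "User"  -> build the client context from KEDAR_SID;
 *            anything else (or absent) -> build it from the process token.
 *   argv[3]  accepted but currently without effect (see the note at the
 *            pAuditInfo assignment).
 *
 * With exactly one argument (argc == 2) every ACCESS_ALLOWED and
 * ACCESS_ALLOWED_OBJECT ACE in the DACL is rewritten into its CALLBACK
 * form so that MyAccessCheck decides applicability.
 *
 * Four checks are run and their per-object-type results printed:
 *   1. AuthzAccessCheck without PrincipalSelfSid, callback ACEs not
 *      applicable;
 *   2. AuthzAccessCheck with PrincipalSelfSid = RAHUL_SID and callback ACEs
 *      applicable;
 *   3. AuthzCachedAccessCheck on handle 2 with the settings of check 1;
 *   4. AuthzCachedAccessCheck on handle 1 with the settings of check 2.
 *
 * The earlier version read argv[2] and argv[3] without checking argc, which
 * dereferenced the NULL argv terminator when fewer arguments were given.
 */
void _cdecl wmain(int argc, WCHAR *argv[])
{
    BOOL b = TRUE;
    AUTHZ_RESOURCE_MANAGER_HANDLE RM = NULL;
    HANDLE hToken = NULL;
    LUID luid = {0xdead, 0xbeef};
    AUTHZ_CLIENT_CONTEXT_HANDLE CC = NULL;
    AUTHZ_ACCESS_REQUEST Request = {0};
    PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
    PSECURITY_DESCRIPTOR pSD = NULL;
    ULONG i = 0;
    PACE_HEADER Ace = NULL;
    DWORD AceCount = 0;
    LUID MySeLuid = {0, SE_SECURITY_PRIVILEGE};
    LUID MyOwLuid = {0, SE_TAKE_OWNERSHIP_PRIVILEGE};
    SID_AND_ATTRIBUTES SidAttr[10];
    AUTHZ_AUDIT_INFO_HANDLE AuditInfo = NULL;
    PAUTHZ_AUDIT_INFO_HANDLE pAuditInfo = NULL;
    /* DWORD rather than CHAR so the TOKEN_PRIVILEGES overlay is aligned;
       100 bytes comfortably holds the header plus two LUID_AND_ATTRIBUTES. */
    DWORD TokenBuff[25];
    PTOKEN_PRIVILEGES TokenPriv = (PTOKEN_PRIVILEGES) TokenBuff;
    AUTHZ_HANDLE AuthHandle = 0;
    AUTHZ_HANDLE AuthHandlePS = 0;
    PACL pAcl = NULL;
    WCHAR *End = NULL;
    PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";

    if (argc < 2) {
        wprintf(L"usage: %s <DesiredAccess-hex> [User|Token] [Audit]\n", argv[0]);
        return;
    }

    /* DesiredAccess is argv[1] as a hex mask; reject anything that is not
       entirely a number instead of silently requesting 0. */
    Request.DesiredAccess = (ACCESS_MASK) wcstoul(argv[1], &End, 16);
    if (End == argv[1] || *End != L'\0') {
        wprintf(L"Bad DesiredAccess '%s'\n", argv[1]);
        return;
    }

    /* Privileges to enable on the process token before the context is
       built from it. */
    TokenPriv->PrivilegeCount = 2;
    TokenPriv->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPriv->Privileges[0].Luid = MySeLuid;
    TokenPriv->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPriv->Privileges[1].Luid = MyOwLuid;

    b = ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSD, SDDL_REVISION_1, &pSD, NULL);
    if (!b) {
        wprintf(L"SDDL failed with %lu\n", GetLastError());
        return;
    }

    if (argc == 2) {
        wprintf(L"\n\n CALLBACK ACES!!!!\n\n");
        /* Patch the ACE types in place so the RM's access-check callback
           is consulted for every allow ACE. */
        pAcl = RtlpDaclAddrSecurityDescriptor((PISECURITY_DESCRIPTOR) pSD);
        if (pAcl != NULL) {
            AceCount = pAcl->AceCount;
            for (i = 0, Ace = FirstAce(pAcl); i < AceCount; i++, Ace = NextAce(Ace)) {
                switch (Ace->AceType) {
                case ACCESS_ALLOWED_ACE_TYPE:
                    Ace->AceType = ACCESS_ALLOWED_CALLBACK_ACE_TYPE;
                    break;
                case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
                    Ace->AceType = ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE;
                    break;
                default:
                    break;
                }
            }
        }
    }

    b = AuthzInitializeResourceManager(MyAccessCheck, MyComputeDynamicGroups, MyFreeDynamicGroups,
                                       NULL, 0 /* Flags */, &RM);
    if (!b) {
        wprintf(L"AuthzRMInitialize failed with %lu\n", GetLastError());
        goto Cleanup;
    }
    wprintf(L"AuthzRMInitialize succeeded\n");

    /* TOKEN_ADJUST_PRIVILEGES is required for AdjustTokenPrivileges below;
       with TOKEN_QUERY alone that call always failed. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        wprintf(L"OpenProcessToken failed with %lu\n", GetLastError());
        goto Cleanup;
    }
    wprintf(L"OpenProcessToken succeeded\n");

    wprintf(L"Calling initialize token\n");
    b = AdjustTokenPrivileges(hToken, FALSE, TokenPriv, sizeof(TokenBuff), NULL, NULL);
    if (!b) {
        /* Not fatal: the checks still run, just without the privileges. */
        wprintf(L"Can not adjust privilege, %lx\n", GetLastError());
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        /* AdjustTokenPrivileges returns TRUE even when some privileges are
           not held by the token. */
        wprintf(L"Not all privileges could be enabled\n");
    }

    if (argc > 2 && !wcscmp(argv[2], L"User")) {
        /* LOCAL_RAJ_SID is the alternative principal that used to be
           toggled here. */
        b = AuthzInitializeContextFromSid((PSID) KEDAR_SID, NULL, RM, NULL, luid, 0, NULL, &CC);
    } else {
        b = AuthzInitializeContextFromToken(hToken, RM, NULL, luid, 0, NULL, &CC);
    }
    if (!b) {
        wprintf(L"AuthzInitializeContext failed with %lu\n", GetLastError());
        goto Cleanup;
    }
    wprintf(L"AuthzInitializeContext succeeded\n");

    /* NOTE: the "Audit" argument was meant to gate this, but the original
       code assigned pAuditInfo unconditionally right after testing argv[3],
       so audit info has always been supplied.  That behaviour is kept. */
    pAuditInfo = &AuditInfo;

    wprintf(L"Desired = %lx\n", Request.DesiredAccess);

    /* Object-type tree: one root, children at levels 1..3. */
    Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
    Request.ObjectTypeList[0].Level = 0; Request.ObjectTypeList[0].ObjectType = &Guid0; Request.ObjectTypeList[0].Sbz = 0;
    Request.ObjectTypeList[1].Level = 1; Request.ObjectTypeList[1].ObjectType = &Guid1; Request.ObjectTypeList[1].Sbz = 0;
    Request.ObjectTypeList[2].Level = 2; Request.ObjectTypeList[2].ObjectType = &Guid2; Request.ObjectTypeList[2].Sbz = 0;
    Request.ObjectTypeList[3].Level = 2; Request.ObjectTypeList[3].ObjectType = &Guid3; Request.ObjectTypeList[3].Sbz = 0;
    Request.ObjectTypeList[4].Level = 1; Request.ObjectTypeList[4].ObjectType = &Guid4; Request.ObjectTypeList[4].Sbz = 0;
    Request.ObjectTypeList[5].Level = 2; Request.ObjectTypeList[5].ObjectType = &Guid5; Request.ObjectTypeList[5].Sbz = 0;
    Request.ObjectTypeList[6].Level = 3; Request.ObjectTypeList[6].ObjectType = &Guid6; Request.ObjectTypeList[6].Sbz = 0;
    Request.ObjectTypeList[7].Level = 2; Request.ObjectTypeList[7].ObjectType = &Guid7; Request.ObjectTypeList[7].Sbz = 0;
    Request.ObjectTypeListLength = 8;
    Request.OptionalArguments = NULL;
    Request.PrincipalSelfSid = NULL;

    /* The reply's Error and GrantedAccessMask arrays follow the header
       inside Buffer: 8 DWORDs, then 8 ACCESS_MASKs. */
    pReply->ResultListLength = 8;
    pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
    pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);

    /* Check 1: no PrincipalSelfSid, callback ACEs not applicable. */
    b = AuthzAccessCheck(CC, &Request, pAuditInfo, pSD, NULL, 0, pReply, &AuthHandle);
    if (!b) {
        wprintf(L"AccessCheck no SELF failed\n");
        goto Cleanup;
    }
    wprintf(L"\nAccessCheck no SELF succeeded\n\n");
    PrintAccessReply(pReply);

    /* Check 2: PrincipalSelfSid = RAHUL_SID and every callback ACE
       applicable (GlobalTruthValue drives MyAccessCheck). */
    Request.PrincipalSelfSid = (PSID) RAHUL_SID;
    GlobalTruthValue = TRUE;
    SidAttr[0].Attributes = SE_GROUP_ENABLED;
    SidAttr[0].Sid = (PSID) Special;
    /* The AuthzAddSidsToContext(CC, SidAttr, 1, NULL, 0) call that consumed
       SidAttr is disabled in this build; SidAttr is set up only so it can be
       re-enabled quickly. */
    b = AuthzAccessCheck(CC, &Request, pAuditInfo, pSD, NULL, 0, pReply, &AuthHandlePS);
    if (!b) {
        wprintf(L"AccessCheck SELF = ROBER failed\n");
        goto Cleanup;
    }
    wprintf(L"\nAccessCheck SELF + ROBER succeeded\n\n");
    PrintAccessReply(pReply);

    /* Check 3: cached check on the SELF handle, now without SELF/callbacks. */
    Request.PrincipalSelfSid = NULL;
    GlobalTruthValue = FALSE;
    if (AuthHandlePS) {
        b = AuthzCachedAccessCheck(AuthHandlePS, &Request, pAuditInfo, pReply);
        if (!b) {
            wprintf(L"CachedAccessCheck failed\n");
            goto Cleanup;
        }
        wprintf(L"\nCachedAccessCheck succeeded\n\n");
        PrintAccessReply(pReply);
        AuthzFreeHandle(AuthHandlePS);
        AuthHandlePS = 0;
    } else {
        wprintf(L"No CachedAccessCheck done since NULL = AuthHandlePS\n");
    }

    /* Check 4: cached check on the no-SELF handle, now with SELF/callbacks. */
    if (AuthHandle) {
        Request.PrincipalSelfSid = (PSID) RAHUL_SID;
        GlobalTruthValue = TRUE;
        b = AuthzCachedAccessCheck(AuthHandle, &Request, pAuditInfo, pReply);
        if (!b) {
            wprintf(L"CachedAccessCheck failed\n");
            goto Cleanup;
        }
        wprintf(L"\nCachedAccessCheck succeeded\n\n");
        PrintAccessReply(pReply);
        AuthzFreeHandle(AuthHandle);
        AuthHandle = 0;
    } else {
        wprintf(L"No CachedAccessCheck done since NULL = AuthHandle\n");
    }

Cleanup:
    /* Release whatever was acquired; the resource manager itself lives for
       the rest of the process. */
    if (AuthHandlePS) {
        AuthzFreeHandle(AuthHandlePS);
    }
    if (AuthHandle) {
        AuthzFreeHandle(AuthHandle);
    }
    if (CC) {
        AuthzFreeContext(CC);
    }
    if (hToken) {
        CloseHandle(hToken);
    }
    if (pSD) {
        /* ConvertStringSecurityDescriptorToSecurityDescriptorW allocates
           with LocalAlloc. */
        LocalFree(pSD);
    }
}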
#else
/*
 * Older benchmark variant of the driver, compiled out by the "#if 1" above.
 *
 * Builds one client context from the process token and, for each of
 * 100,000 outer iterations, times 50,000 AuthzAccessCheck calls against
 * the fixed security descriptor and object-type list, printing the
 * elapsed milliseconds per outer iteration.  Command-line arguments are
 * ignored.  On any failure the function simply returns.
 */
void _cdecl wmain(int argc, WCHAR *argv[])
{
    BOOL ok = TRUE;
    AUTHZ_RESOURCE_MANAGER RM = NULL;
    HANDLE hToken = NULL;
    LUID luid = {0xdead, 0xbeef};
    AUTHZ_CLIENT_CONTEXT_HANDLE CC = NULL;
    AUTHZ_ACCESS_REQUEST Request;
    PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PAUTHZ_AUDIT_INFO pAuditInfo = NULL;
    ULONG Outer = 0;
    ULONG Inner = 0;
    /* Object-type tree in table form: GUID and level per entry. */
    GUID *TypeGuids[7] = { &Guid0, &Guid1, &Guid2, &Guid3, &Guid4, &Guid5, &Guid6 };
    WORD TypeLevels[7] = { 0, 1, 2, 2, 1, 2, 2 };
    PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";

    (void) argc;
    (void) argv;

    ok = ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSD, SDDL_REVISION_1, &pSD, NULL);
    if (!ok) {
        wprintf(L"SDDL failed with %d\n", GetLastError());
        return;
    }

    ok = AuthzRMInitialize(MyAccessCheck, MyComputeDynamicGroups, MyFreeDynamicGroups, NULL, 0, &RM);
    if (!ok) {
        wprintf(L"AuthzRMInitialize failed with %d\n", GetLastError());
        return;
    }
    wprintf(L"AuthzRMInitialize succeeded\n");

    Request.DesiredAccess = 0x101;
    wprintf(L"Desired = %x\n", Request.DesiredAccess);

    Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
    for (Inner = 0; Inner < 7; Inner++) {
        Request.ObjectTypeList[Inner].Level = TypeLevels[Inner];
        Request.ObjectTypeList[Inner].ObjectType = TypeGuids[Inner];
        Request.ObjectTypeList[Inner].Sbz = 0;
    }
    Request.ObjectTypeListLength = 7;
    Request.OptionalArguments = NULL;
    Request.PrincipalSelfSid = NULL;

    /* Reply arrays follow the header inside Buffer: 7 DWORDs, then 7 masks. */
    pReply->ResultListLength = 7;
    pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
    pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        return;
    }

    ok = AuthzInitializeContextFromToken(hToken, RM, NULL, luid, 0, NULL, &CC);
    if (!ok) {
        return;
    }

    for (Outer = 0; Outer < 100000; Outer++) {
        DWORD StartTime = GetCurrentTime();

        for (Inner = 0; Inner < 50000; Inner++) {
            ok = AuthzAccessCheck(CC, &Request, pAuditInfo, pSD, NULL, 0, pReply, 0);
            if (!ok) {
                return;
            }
        }

        wprintf(L"Time taken %d\n", GetCurrentTime() - StartTime);
    }

    AuthzFreeContext(CC);
    CloseHandle(hToken);
}
#endif