Bypass-UAC

Bypass-UAC provides a framework to perform UAC bypasses based on auto elevating IFileOperation COM object method calls.

This is not a new technique: traditionally it is accomplished by injecting a DLL into "explorer.exe". That is undesirable because injecting into explorer may trigger security alerts, and working with unmanaged DLLs makes for an inflexible workflow.

Link: https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC

Usage

Bypass-UAC is self-contained and does not have any dependencies, bar a requirement that the target have PowerShell v2.

Methods:

* UacMethodSysprep: Original technique by Leo Davidson (sysprep -> cryptbase.dll) 
  * Targets: x32/x64 Windows 7 & 8 
* ucmDismMethod: Hybrid method (PkgMgr -> DISM -> dismcore.dll) 
  * Targets: x64 Win7+ (currently unpatched) 
* UacMethodMMC2: Hybrid method (mmc -> rsop.msc -> wbemcomn.dll) 
  * Targets: x64 Win7+ (currently unpatched) 
* UacMethodTcmsetup: Hybrid method (tcmsetup -> tcmsetup.exe.local -> comctl32.dll) 
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯) 
* UacMethodNetOle32: Hybrid method (mmc some.msc -> Microsoft.NET\Framework[64]\..\ole32.dll) 
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯) 
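Each method above depends on a DLL being planted next to, or on the search path of, an auto-elevating binary. The following PowerShell audit is an added example for defenders and is not part of the Bypass-UAC project; the concrete paths it checks are assumptions derived from the binary/DLL pairs listed above, so adjust them for your environment.

```powershell
# Added example, not part of Bypass-UAC: audit the DLL-hijack locations implied by
# the method list. The paths are assumptions derived from the binary/DLL pairs above.
function Test-UacHijackLocations {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $checks = @(
        @{ Method = 'UacMethodSysprep';  Path = (Join-Path $sys32 'sysprep\cryptbase.dll'); Kind = 'File' }
        @{ Method = 'ucmDismMethod';     Path = (Join-Path $sys32 'dismcore.dll');          Kind = 'File' }
        @{ Method = 'UacMethodMMC2';     Path = (Join-Path $sys32 'wbemcomn.dll');          Kind = 'File' }
        # A DotLocal redirection directory beside tcmsetup.exe should not exist on a clean host.
        @{ Method = 'UacMethodTcmsetup'; Path = (Join-Path $sys32 'tcmsetup.exe.local');    Kind = 'Dir'  }
    )
    foreach ($c in $checks) {
        $exists = Test-Path -LiteralPath $c.Path
        $status = 'Absent'
        $signer = $null
        if ($exists -and $c.Kind -eq 'File') {
            # A planted DLL is typically unsigned or signed by someone other than Microsoft.
            $sig    = Get-AuthenticodeSignature -LiteralPath $c.Path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
                $status = 'Signed'
            } else {
                $status = 'SUSPICIOUS'
            }
        } elseif ($exists) {
            # Any existing .local directory in System32 warrants investigation.
            $status = 'SUSPICIOUS'
        }
        [pscustomobject]@{ Method = $c.Method; Path = $c.Path; Status = $status; Signer = $signer }
    }
}

Test-UacHijackLocations | Format-Table -AutoSize
```

Pair the audit with file-creation monitoring on System32 from non-elevated processes, since the IFileOperation copy is the step these methods share.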

Run:

Import-Module Bypass-UAC.ps1
or 
. .\Bypass-UAC.ps1
Bypass-UAC -Method UacMethodSysprep

Win10 Example
