
rootm0s / UUB

Licence: other
UIAccess UAC Bypass using token duplication and keyboard events



UIAccess UAC bypass


In these examples, we start a host process (msra.exe) and steal its UIAccess token. We downgrade the token's integrity level (IL) from Medium+ to Medium, then use the token to spawn a new process (uihack.exe) with the UIAccess flag. That process can now send keyboard events to the elevated processes.

Not designed to be stealthy, but it's for sure possible! This is a demo in Python 2, just to display how it works.

You need to build the uihack Python file into an executable; make sure it stays in the dist folder. Once you have created the uihack executable, you can launch uub.py from a non-elevated command prompt.

Demo:

Msconfig demo video

Here are a few methods showing how hijacked UIAccess tokens can be used to bypass UAC.

Rstrui method:

This executable runs elevated by default. Since the rstrui executable is vulnerable to class hijacking, we use that to spawn our executable, which is defined inside the uihack file. To trigger the hijack, we need to send keyboard events to the window. Upon success, an elevated console window or custom executable should appear. Read more here: https://rootm0s.github.io/researching-rstrui-process

Taskmgr method:

This executable runs elevated by default. We send keyboard events to the window to launch an elevated console using the "Run new task" feature in Task Manager. Upon success, an elevated console window should appear.

Msconfig method:

This executable runs elevated by default. We send keyboard events to the window to navigate through the list of available tools until we reach Command Prompt. Upon success, an elevated console window should appear.
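
A defender's view of the three methods above, as an added example that is not part of the UUB project: a Python 3 heuristic that flags a High-integrity child of rstrui.exe, taskmgr.exe or msconfig.exe created shortly after the same user started msra.exe. The record layout, the 60-second window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Auto-elevated tools the README drives with keyboard events.
TARGETS = {"rstrui.exe", "taskmgr.exe", "msconfig.exe"}
TOKEN_HOST = "msra.exe"          # UIAccess host process named in the README
WINDOW = timedelta(seconds=60)   # assumption: correlation window, tune locally

# Constructed process-creation records: (time, user, image, parent, integrity).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "LAB\\alice", r"C:\Windows\System32\msra.exe",
     r"C:\Python27\python.exe", "Medium+"),
    ("2024-01-01T10:00:08", "LAB\\alice", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\Taskmgr.exe", "High"),
    # Administrator using "Run new task" with no msra.exe start beforehand.
    ("2024-01-01T11:00:00", "LAB\\bob", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\Taskmgr.exe", "High"),
    # Same user, but hours after the msra.exe start: outside the window.
    ("2024-01-01T12:00:00", "LAB\\alice", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\msconfig.exe", "High"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspect_children(events, window=WINDOW):
    """Return High-integrity children of TARGETS created within `window`
    after the same user started TOKEN_HOST."""
    host_started = {}   # user -> time of most recent msra.exe start
    alerts = []
    for ts, user, image, parent, integrity in sorted(events):
        when = datetime.fromisoformat(ts)
        if basename(image) == TOKEN_HOST:
            host_started[user] = when
        elif basename(parent) in TARGETS and integrity == "High":
            seen = host_started.get(user)
            if seen is not None and when - seen <= window:
                alerts.append((ts, user, image, parent))
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_children(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

Requiring the msra.exe start first keeps ordinary administrator use of Task Manager's "Run new task" or the msconfig tools list from alerting on its own.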

Known issues:

  • If the system language is not English, we cannot detect the window since we use the FindWindowA API call.
  • If the window doesn't appear within 5 seconds, we won't be able to detect the window since it's not visible/created yet. Increasing the sleep-time could probably solve this problem.

Build with py2exe:

For a successful build, install the py2exe (http://www.py2exe.org) module and use the provided build.py script to compile all the scripts into a portable executable. This only seems to work on Python 2, not on Python 3.

python build.py uihack.py
