Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UAC Bypass via IDiagnosticProfile COM Interface #130

Closed
Ruuucker opened this issue Jul 3, 2022 · 9 comments
Closed

UAC Bypass via IDiagnosticProfile COM Interface #130

Ruuucker opened this issue Jul 3, 2022 · 9 comments
Assignees
@hfiref0x
Labels
enhancement

Comments

@Ruuucker
Copy link

Ruuucker commented Jul 3, 2022

Hi, I come across this: https://github.com/Wh04m1001/IDiagnosticProfileUAC
Seems like a new method to move arbitrary file as Administrator via SaveDirectoryAsCab method of IDiagnosticProfile. Which is interesting bc majority of UAC bypasses uses IFileOperation\ISecurityEditor.
The second part is also new, it uses wow64log.dll and Edge. Take a look.
@hfiref0x
Copy link
Owner

hfiref0x commented Jul 4, 2022

Hello,

what is the availability of this IDiagnosticProfile COM interface?

@Ruuucker
Copy link
Author

Ruuucker commented Jul 4, 2022

It presents starting from Windows 7 and the latest version I got is Win10 build 19041 which is also having it.

@hfiref0x
Copy link
Owner

hfiref0x commented Jul 4, 2022
edited
Loading

Do you have proper definition of IDiagnosticProfile interface for all versions starting from win7 up to win11? Does it changes between versions?

I did checked it against 7601 and 17763 and they are seems the same.

@Ruuucker
Copy link
Author

Ruuucker commented Jul 4, 2022

Sorry, I dont have definitions nor knowledge/experience in that thing, but I will try to dig in a bit.

@hfiref0x
Copy link
Owner

hfiref0x commented Jul 4, 2022

I will add this method in the next version, but this could take some time as I don't have any free time for this now. Thanks for your contribution.

You can check the interface layout using IDA, this interface is in diagcpl dll I believe.

@Ruuucker
Copy link
Author

Ruuucker commented Jul 4, 2022

Thanks for the hint, I will try it.

hfiref0x added a commit that referenced this issue Jul 7, 2022
@hfiref0x
v 3.6.2
f1c42ac 
Initial method #130 implementation. Currently tested only on 21H2 (19044).
@hfiref0x
Copy link
Owner

hfiref0x commented Jul 7, 2022

This is method 75. It is not a final version and mainly untested. You need properly compiled dlls for akagi to be able to test this method, follow instruction in readme.md, without properly integrated dll this method won't work.

hfiref0x added a commit that referenced this issue Jul 8, 2022
@hfiref0x
v 3.6.2
1807d66 
More #130 implementations and 3.6.1 regression fix
hfiref0x added a commit that referenced this issue Jul 9, 2022
@hfiref0x
v 3.6.2
b0855e2 
Method 75 added, see #130 for more info;
Fix Win7 regression added in 3.6.1;
Readme updated.
@hfiref0x
Copy link
Owner

hfiref0x commented Jul 9, 2022

Implemented in b0855e2

@hfiref0x hfiref0x closed this as completed Jul 9, 2022
@hfiref0x hfiref0x self-assigned this Jul 9, 2022
@sly9it
Copy link

sly9it commented Jul 14, 2022

It presents starting from Windows 7 and the latest version I got is Win10 build 19041 which is also having it.

How did you get this compiled in windows 10

Repository owner locked as resolved and limited conversation to collaborators Jul 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@hfiref0x hfiref0x

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hfiref0x @Ruuucker @sly9it