Add COM class ID hijack method for bypassing UAC #8789
Merged
This PR adds a module for bypassing UAC on Windows 7 through 10 utilising the COM hijacking method that @enigma0x3 discovered and used for persistence. The module was inspired by the content that was produced by @FuzzySecurity and his work for Defcon 25 that abused this work to bypass UAC.
The bypass works on all levels except for Always Notify (I've got something else coming for that soon based on work from @tyranid and @FuzzySecurity). Pictures speak a thousand words:

The module has to drop a DLL on disk. Obviously with default MSF payloads, AV will probably fire. Some other things to note:

- `740` error when invoking the binaries directly; we're using `cmd.exe` to launch them. This will be a problem if `cmd.exe` is blocked, and so we might have to come up with another method for managing that.

### Verification

- `getsystem` works on the new session.

Thanks to everyone mentioned for their prior work!