Bypass-UAC provides a framework to perform UAC bypasses based on auto-elevating IFileOperation COM object method calls. This is not a new technique; traditionally it is accomplished by injecting a DLL into "explorer.exe". That approach is undesirable because injecting into explorer may trigger security alerts, and working with unmanaged DLLs makes for an inflexible workflow.
Link: https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
Bypass-UAC is self-contained and has no dependencies, other than requiring PowerShell v2 on the target.
Methods:

* UacMethodSysprep: Original technique by Leo Davidson (sysprep -> cryptbase.dll)
  * Targets: x32/x64 Windows 7 & 8
* ucmDismMethod: Hybrid method (PkgMgr -> DISM -> dismcore.dll)
  * Targets: x64 Win7+ (currently unpatched)
* UacMethodMMC2: Hybrid method (mmc -> rsop.msc -> wbemcomn.dll)
  * Targets: x64 Win7+ (currently unpatched)
* UacMethodTcmsetup: Hybrid method (tcmsetup -> tcmsetup.exe.local -> comctl32.dll)
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯)
* UacMethodNetOle32: Hybrid method (mmc some.msc -> Microsoft.NET\Framework[64]\..\ole32.dll)
  * Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯)
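Every method in the list above works by placing a DLL where an auto-elevating binary will load it, so the file write itself is the durable artifact a defender can look for. The following is an added detection example, not code from the Bypass-UAC project: it matches file-creation events against the drop locations implied by each method. The exact locations (System32\sysprep for cryptbase.dll, System32 for dismcore.dll and wbemcomn.dll, the tcmsetup.exe.local directory, anything under Microsoft.NET for ole32.dll) and the dllhost.exe image in the sample events are this example's assumptions, and the log lines are constructed.

```python
import re

# Hypothetical rules: method name from the list above paired with the drop
# location that method relies on. Locations are assumptions, not taken from
# the tool; the legitimate copies of these DLLs live elsewhere (e.g.
# System32\cryptbase.dll, System32\Dism\dismcore.dll, System32\wbem\wbemcomn.dll).
RULES = [
    ("UacMethodSysprep",  r"\\windows\\system32\\sysprep\\cryptbase\.dll$"),
    ("ucmDismMethod",     r"\\windows\\system32\\dismcore\.dll$"),
    ("UacMethodMMC2",     r"\\windows\\system32\\wbemcomn\.dll$"),
    ("UacMethodTcmsetup", r"\\windows\\system32\\tcmsetup\.exe\.local\\"),  # any DLL in the .local dir
    ("UacMethodNetOle32", r"\\windows\\microsoft\.net\\(?:.*\\)?ole32\.dll$"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def classify_path(path):
    """Return the method whose hijack location matches `path`, or None."""
    norm = path.replace("/", "\\")  # accept forward slashes from other log sources
    for name, rx in COMPILED:
        if rx.search(norm):
            return name
    return None


# Constructed event format: "FileCreate Image=<writer> Target=<path written>".
EVENT_RE = re.compile(r"^FileCreate\s+Image=(\S+)\s+Target=(\S+)\s*$")


def scan_events(lines):
    """Return (image, target, method) for every event that lands on a hijack location."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        image, target = m.groups()
        method = classify_path(target)  # match on the target path, whatever process wrote it
        if method:
            hits.append((image, target, method))
    return hits


SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r"FileCreate Image=C:\Windows\System32\dllhost.exe Target=C:\Windows\System32\sysprep\CRYPTBASE.dll",
    r"FileCreate Image=C:\Windows\System32\svchost.exe Target=C:\Windows\System32\drivers\etc\hosts",
    r"FileCreate Image=C:\Windows\System32\dllhost.exe Target=C:\Windows\System32\tcmsetup.exe.local\comctl32.dll",
    r"FileCreate Image=C:\Windows\System32\dllhost.exe Target=C:\Windows\Microsoft.NET\Framework64\ole32.dll",
    r"FileCreate Image=C:\Windows\System32\msiexec.exe Target=C:\Windows\System32\Dism\dismcore.dll",
]

if __name__ == "__main__":
    for image, target, method in scan_events(SAMPLE_LOG):
        print(f"ALERT {method}: {image} wrote {target}")
```

The last sample line is the legitimate dismcore.dll location and is deliberately not flagged; rules keyed on the file name alone would fire on it.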
Run:

Import the module:

    Import-Module Bypass-UAC.ps1

or dot-source it:

    . .\Bypass-UAC.ps1

Then invoke a method:

    Bypass-UAC -Method UacMethodSysprep
Win10 example (screenshot): UacMethodTcmsetup