Skip to content

Latest commit

 

History

History
40 lines (37 loc) · 2.08 KB

README.md

File metadata and controls

40 lines (37 loc) · 2.08 KB

Bypass UAC

This project can bypass UAC on an administrator account with default UAC settings
The project contains snippets from the UacMe project by hfiref0x, but formatted to work with the c# R.A.T Client

Disclaimer

This application is for educational purposes only.
Using this tool without understanding how it's working can lead to negative consequences
I'm not responsible for the consequences of using this tool!
Only run it on a computer you have permission to!

How it works

The bypass has 2 main parts

  1. Copy a fake dll to System32
    This can be done with IFileOperation
  2. Execute the fake dll with Admin privs
    pkgmgr.exe with the /n: options calls Dism.exe which has dll hijacking vuln
    pkgmgr is an autoelevating .exe, it requires no uac prompt or admin privs, but runs on High IL
    The executing is done by running: pkgmgr.exe /quiet /n:unattend.xml
    After this the High IL Dll executes the R.A.T client with admin privs
    testDll: the fake DismCore.dll which will be copied to System32
    testAnything: a launcher, which executes the dll
    copyFile: copies a file to the destination, without the uac prompt

System requirements

On 32 bit (x86) Machine

x86 Release build of testDll
x86 Release build of testAnything
x86 Release build of copyFile

On 64 bit (x64) Machine

x64 Release build of testDll
x64 Release build of testAnything
x64 Release build of copyFile

The tool was tested on a Windows7 x64 bit machine
The source code in this form only works with the c# R.A.T client, but you can modify it for your own project

More Information

You can read information related to contribution here
You can read the Code of Conduct here
You can view the project's licence here
Happy Coding

-Advanced Hacking 101