UAC Bypassing Utility

This project is used by my R.A.T client to bypass UAC. It does so with a fake dismCore.dll that gets loaded by an auto-elevating application; the DLL then starts my client, which is therefore elevated too.

Disclaimer

This application is for educational purposes only.
Using this tool without understanding how it's working can lead to negative consequences.
I'm not responsible for the consequences of using this tool.
Only run it on a computer you have permission to!

How it works

Using an elevated COM object vulnerability we're able to copy files to protected locations like System32. pkgmgr.exe, an auto-elevating process, calls dism.exe, which has a DLL hijacking vulnerability. So dism.exe calls our rogue DLL, which loads the given application. How does our DLL know the location of our application? I solved it this way: before executing the bypass, a file containing the path to execute is dropped into the Temp folder. The DLL reads the path out of that file and executes it. Because of the way Windows is designed, an application started by an elevated application is by default elevated too! So now we have bypassed the UAC.

What's DLL hijacking

DLL hijacking is a vulnerability where we can trick an application into loading our rogue DLL instead of the original one. The vulnerability exists because the application specifies a relative path when loading the DLL. The order of the directories checked for the DLL can be found in the PATH environment variable. The system basically finds our rogue DLL in System32 before it checks the working directory of the launching application, dism.exe.
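The two sections above describe a chain with three observable steps: a DLL named dismCore.dll written to a protected directory by a process that has no business doing so, dism.exe loading that DLL from a location other than where the genuine copy lives, and dism.exe then spawning an unrelated, elevated child. The following added example (it is not part of this project and is written from the detection side, not the bypass side) shows how a defender can match those three steps in Sysmon-style events. The event records are constructed samples; the expected location of the genuine DismCore.dll (C:\Windows\System32\Dism\), the allow-list of processes permitted to write it (TrustedInstaller.exe) and the allow-list of legitimate dism.exe children (DismHost.exe) are assumptions you should adjust to your own environment.

```python
"""Detect the DismCore.dll hijack pattern in Sysmon-style events.

Added example, not part of the original project. Field names mirror
Sysmon Event ID 11 (FileCreate), 7 (ImageLoad) and 1 (ProcessCreate),
but every record below is a constructed sample, not real telemetry.
"""
import ntpath
from typing import Iterable, List, Optional, Tuple

# Assumed location of the genuine DismCore.dll (labelled assumption).
EXPECTED_DISMCORE_DIR = r"c:\windows\system32\dism"
# Processes allowed to write DismCore.dll (assumed allow-list; extend per environment).
ALLOWED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}
# Children dism.exe is expected to start (assumed allow-list).
ALLOWED_DISM_CHILDREN = {"dismhost.exe"}

RULE_DROPPED = "dismcore_dll_dropped_by_untrusted_process"
RULE_LOADED = "dism_loaded_dismcore_from_unexpected_path"
RULE_CHILD = "unexpected_child_of_dism"


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    """Lower-cased directory component of a Windows path."""
    return ntpath.dirname(path).lower()


def check_event(ev: dict) -> Optional[str]:
    """Return the name of the rule this single event triggers, or None."""
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate: who wrote a file called dismcore.dll?
        if (_base(ev["TargetFilename"]) == "dismcore.dll"
                and ev["Image"].lower() not in ALLOWED_WRITERS):
            return RULE_DROPPED
    elif eid == 7:  # ImageLoad: dism.exe loading DismCore.dll from the wrong place
        if (_base(ev["Image"]) == "dism.exe"
                and _base(ev["ImageLoaded"]) == "dismcore.dll"
                and _dir(ev["ImageLoaded"]) != EXPECTED_DISMCORE_DIR):
            return RULE_LOADED
    elif eid == 1:  # ProcessCreate: dism.exe starting something it never should
        if (_base(ev["ParentImage"]) == "dism.exe"
                and _base(ev["Image"]) not in ALLOWED_DISM_CHILDREN):
            return RULE_CHILD
    return None


def analyse(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run every event through the rules; return (rule, UtcTime) for each hit."""
    findings = []
    for ev in events:
        rule = check_event(ev)
        if rule is not None:
            findings.append((rule, ev.get("UtcTime", "?")))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Escalate only when all three stages of the chain were observed."""
    rules = {rule for rule, _ in findings}
    if {RULE_DROPPED, RULE_LOADED, RULE_CHILD} <= rules:
        return "likely UAC bypass via DismCore.dll hijack"
    if rules:
        return "suspicious: " + ", ".join(sorted(rules))
    return "clean"


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2019-01-01 10:00:01",
     "Image": r"C:\Users\alice\Downloads\launcher.exe",
     "TargetFilename": r"C:\Windows\System32\dismcore.dll"},
    {"EventID": 1, "UtcTime": "2019-01-01 10:00:02",
     "Image": r"C:\Windows\System32\pkgmgr.exe",
     "ParentImage": r"C:\Users\alice\Downloads\launcher.exe"},
    {"EventID": 7, "UtcTime": "2019-01-01 10:00:03",
     "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Windows\System32\dismcore.dll"},
    {"EventID": 1, "UtcTime": "2019-01-01 10:00:04",
     "Image": r"C:\Users\alice\AppData\Local\Temp\client.exe",
     "ParentImage": r"C:\Windows\System32\dism.exe", "IntegrityLevel": "High"},
    # Benign baseline: genuine DLL location and the expected helper child.
    {"EventID": 7, "UtcTime": "2019-01-01 11:00:00",
     "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\DismCore.dll"},
    {"EventID": 1, "UtcTime": "2019-01-01 11:00:01",
     "Image": r"C:\Windows\System32\DismHost.exe",
     "ParentImage": r"C:\Windows\System32\dism.exe"},
]

if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS)
    for rule, when in hits:
        print(f"{when}  {rule}")
    print(verdict(hits))
```

The single-event rules are deliberately loose on their own (a servicing operation may legitimately touch DismCore.dll), so the verdict only escalates when the drop, the mis-located load and the unexpected child are all present; the partial case is surfaced as "suspicious" for an analyst to triage. The mitigation the page itself points at is the same in either case: the rogue file in System32 must be removed and the original DLL restored.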

Technology Stack

Most of the code is C/C++. The launcher, which executes the bypass procedure, is written in C#.
The code was developed in Visual Studio 2017; the C# project is built with .NET 4.5.2. The architecture of the programs is really important: on a 32-bit machine only the x86 version of the toolkit will work. This is why I needed a custom launcher.

Future of this project

  • Add support to launch any application after the bypass. Currently hard-coded to launch my client
  • I would appreciate if someone could test this on more systems. It's currently working on Win7 x64 without AV
  • Drop back original DLL after bypass

How to contribute

Fork the project, make changes and issue a pull request. That is your part; then I will merge/edit the pull request. I will try to respond as fast as I can.


Summary

Got interested? You can check out the project on GitHub!
Thank you for checking out the project!



Posted on Utopian.io - Rewarding Open Source Contributors
