UAC Bypassing Utility
This is a project used in my RAT client to bypass UAC. It does so with a fake dismCore.dll that is loaded by an auto-elevating application; the DLL then starts my client, which inherits the elevation.
Disclaimer
This application is for educational purposes only.
Using this tool without understanding how it works can lead to negative consequences.
I'm not responsible for the consequences of using this tool.
Only run it on a computer you have permission to use!
How it works
Using an elevated COM object we are able to copy files into protected locations such as System32 without a UAC prompt. pkgmgr.exe, an auto-elevating process (a signed Windows binary whose manifest marks it autoElevate, so it starts with high integrity and no prompt), calls dism.exe, which has a DLL hijacking vulnerability: dism.exe loads DismCore.dll by file name only, so the rogue dismCore.dll we copied into System32 is picked up instead of the real one, and it loads the given application.

How does our DLL know the location of our application? I solved it this way: before executing the bypass, a file containing the path to execute is dropped into the Temp folder. The DLL reads the path out of that file and executes it. Because of the way Windows is designed, a process started by an elevated application inherits the parent's elevated token by default, so the child runs elevated too. At that point the UAC prompt has been bypassed.
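The chain above leaves three distinct traces in endpoint telemetry: a DismCore.dll written somewhere other than its legitimate directory, pkgmgr.exe spawning dism.exe, and that dism.exe loading an unsigned DismCore.dll from System32. The following detection logic is an added example written for this page, not code from the project. It assumes Sysmon-style field names (EventID 1 process creation, 11 file creation, 7 image load) and that the legitimate DismCore.dll lives in C:\Windows\System32\Dism; the sample events, process IDs and the dllhost.exe writer are constructed for the illustration.

```python
"""Detection logic for the pkgmgr.exe -> dism.exe -> DismCore.dll chain.

Added example for this page, not project code. Event shapes mimic Sysmon
EventID 1 (process create), 11 (file create) and 7 (image load); all
sample records below are constructed.
"""
import ntpath

# Assumed legitimate home of DismCore.dll: the Dism subdirectory of
# System32. A load or write of that file name anywhere else is suspicious.
LEGIT_DISMCORE_DIR = r"C:\Windows\System32\Dism"


def _norm_dir(path):
    """Case-insensitive, normalised directory part of a Windows path."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def _base(path):
    return ntpath.basename(path).lower()


def find_uac_bypass_indicators(events):
    """Return (rule_name, event) pairs for every event that matches a rule.

    pkgmgr_spawns_dism                - auto-elevating pkgmgr.exe starts dism.exe
    dismcore_dropped_outside_dism_dir - DismCore.dll written outside its directory
    dismcore_hijack_load[...]         - DismCore.dll loaded from the wrong directory
                                        or unsigned; suffixed with
                                        _from_pkgmgr_chain when the loading
                                        dism.exe was spawned by pkgmgr.exe
    """
    alerts = []
    dism_from_pkgmgr = set()
    legit_dir = ntpath.normpath(LEGIT_DISMCORE_DIR).lower()

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            if (_base(ev["Image"]) == "dism.exe"
                    and _base(ev.get("ParentImage", "")) == "pkgmgr.exe"):
                dism_from_pkgmgr.add(ev["ProcessId"])
                alerts.append(("pkgmgr_spawns_dism", ev))
        elif eid == 11:
            target = ev["TargetFilename"]
            if _base(target) == "dismcore.dll" and _norm_dir(target) != legit_dir:
                alerts.append(("dismcore_dropped_outside_dism_dir", ev))
        elif eid == 7:
            loaded = ev["ImageLoaded"]
            if _base(loaded) != "dismcore.dll":
                continue
            wrong_dir = _norm_dir(loaded) != legit_dir
            unsigned = not ev.get("Signed", False)
            if wrong_dir or unsigned:
                rule = "dismcore_hijack_load"
                if ev["ProcessId"] in dism_from_pkgmgr:
                    rule += "_from_pkgmgr_chain"
                alerts.append((rule, ev))
    return alerts


# Constructed sample telemetry: one benign DISM run, then the bypass chain.
SAMPLE_EVENTS = [
    # Benign: an administrator runs DISM from an elevated cmd.exe.
    {"EventID": 1, "ProcessId": 1200, "Image": r"C:\Windows\System32\Dism.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "ProcessId": 1200, "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\DismCore.dll", "Signed": True},
    # Bypass step 1: the rogue DLL lands in System32 itself. The writing
    # process shown here is a placeholder; it depends on the COM object used.
    {"EventID": 11, "ProcessId": 3100, "Image": r"C:\Windows\System32\dllhost.exe",
     "TargetFilename": r"C:\Windows\System32\DismCore.dll"},
    # Bypass step 2: pkgmgr.exe auto-elevates and spawns dism.exe.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\Dism.exe",
     "ParentImage": r"C:\Windows\System32\pkgmgr.exe"},
    # Bypass step 3: that dism.exe loads the unsigned DLL from System32.
    {"EventID": 7, "ProcessId": 4100, "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\DismCore.dll", "Signed": False},
]


def triggered_rules(events=SAMPLE_EVENTS):
    """Rule names fired over the events, in event order."""
    return [rule for rule, _ in find_uac_bypass_indicators(events)]


if __name__ == "__main__":
    for rule, ev in find_uac_bypass_indicators(SAMPLE_EVENTS):
        print(f"{rule}: pid={ev['ProcessId']} image={ev['Image']}")
```

The benign run produces no alerts because the DLL is loaded signed from its own directory; the bypass fires all three rules, and correlating the image load with the pkgmgr.exe parent is what separates this chain from a merely misplaced DLL.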
What's DLL hijacking
DLL hijacking is a vulnerability where we trick an application into loading our rogue DLL instead of the original one. It exists because the application loads the DLL by file name only (a relative path) rather than by an absolute path, so the loader walks the standard DLL search order: the directory the executable was loaded from first, then the system directories (System32 among them), the Windows directory, the current directory (its exact position depends on SafeDllSearchMode, which is enabled by default), and only at the very end the directories listed in the PATH environment variable. PATH is therefore the last place searched, not the first. Because dism.exe lives in System32, its application directory and the system directory are the same place, so a rogue DismCore.dll dropped into System32 is found before the loader ever reaches the real one.
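To make the search order concrete, the script below simulates how the loader resolves a bare DismCore.dll name for an executable that lives in System32. It is an added example for this page, not code from the project; the directory layout is constructed, and the legitimate copy is placed in a made-up PATH directory (C:\Tools\LegitDism) purely so the resolver has something to find before the rogue file appears.

```python
"""Simulate the Windows DLL search order for LoadLibrary("name.dll").

Added example, not project code. The layout below is constructed: the
"legitimate" DLL sits in an invented PATH directory so that the effect of
dropping a rogue copy into System32 can be shown side by side.
"""
import ntpath

WINDIR = r"C:\Windows"
SYSTEM32 = ntpath.join(WINDIR, "System32")


def dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories consulted, in order, for a DLL loaded by name only.

    With SafeDllSearchMode enabled (the default since Windows XP SP2) the
    current directory is checked after the system directories; with it
    disabled it comes straight after the application directory. PATH
    directories are always searched last.
    """
    system_dirs = [SYSTEM32, ntpath.join(WINDIR, "System"), WINDIR]
    if safe_dll_search_mode:
        order = [app_dir] + system_dirs + [cwd]
    else:
        order = [app_dir, cwd] + system_dirs
    return order + list(path_dirs)


def resolve_dll(dll_name, search_order, existing_files):
    """Return the first candidate path that exists, or None."""
    present = {ntpath.normpath(p).lower() for p in existing_files}
    for directory in search_order:
        candidate = ntpath.join(directory, dll_name)
        if ntpath.normpath(candidate).lower() in present:
            return candidate
    return None


# Constructed layout for the demonstration.
DISM_EXE = ntpath.join(SYSTEM32, "Dism.exe")
APP_DIR = ntpath.dirname(DISM_EXE)        # for dism.exe this is System32 itself
PATH_DIRS = [r"C:\Tools\LegitDism"]       # invented PATH entry holding the legit copy
LEGIT_DLL = ntpath.join(PATH_DIRS[0], "DismCore.dll")
ROGUE_DLL = ntpath.join(SYSTEM32, "DismCore.dll")
USER_CWD = r"C:\Users\victim"             # invented current directory


def before_and_after_hijack(cwd=USER_CWD):
    """Which DismCore.dll dism.exe would load before and after the drop."""
    order = dll_search_order(APP_DIR, cwd, PATH_DIRS)
    before = resolve_dll("DismCore.dll", order, [LEGIT_DLL])
    after = resolve_dll("DismCore.dll", order, [LEGIT_DLL, ROGUE_DLL])
    return before, after


def current_dir_position(safe_dll_search_mode):
    """Index of the current directory in the search order."""
    order = dll_search_order(APP_DIR, USER_CWD, PATH_DIRS, safe_dll_search_mode)
    return order.index(USER_CWD)


def path_searched_after_system32():
    """True if every PATH directory comes after System32 in the order."""
    order = dll_search_order(APP_DIR, USER_CWD, PATH_DIRS)
    return all(order.index(d) > order.index(SYSTEM32) for d in PATH_DIRS)


if __name__ == "__main__":
    before, after = before_and_after_hijack()
    print("before drop:", before)
    print("after drop: ", after)
    print("cwd index (safe mode on/off):",
          current_dir_position(True), current_dir_position(False))
```

The run shows the legitimate copy being found only via PATH until a DismCore.dll exists in System32, after which the application directory wins every time. The current-directory index also shows the caveat that with SafeDllSearchMode disabled a DLL planted in the current directory would be picked up even before System32, without needing write access to a protected location.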
Technology Stack
Most of the code is C/C++. The launcher, which executes the bypass procedure, is written in C#.
The code was developed in Visual Studio 2017; the C# project is built against .NET 4.5.2. The architecture of the programs is really important: the rogue DLL must match the bitness of the dism.exe that loads it, and a 32-bit process that writes to System32 on 64-bit Windows is silently redirected to SysWOW64 by WOW64 file system redirection. On a 32-bit machine only the x86 version of the toolkit will work. This is why I needed a custom launcher.
Future of this project
- Add support to launch any application after the bypass. Currently it is hard-coded to launch my client
- I would appreciate it if someone could test this on more systems. It currently works on Win7 x64 without AV
- Restore the original DLL after the bypass
How to contribute
Fork the project, make your changes and issue a pull request. That is your part; then I will merge or edit the pull request. I will try to respond as fast as I can.
Summary
Got interested? You can check out the project on GitHub!
Thank you for checking out the project!
Posted on Utopian.io - Rewarding Open Source Contributors