Share
## https://sploitus.com/exploit?id=E19F34BB-E3CF-5D86-BAF9-036E27042642
# ๐Ÿ›ก๏ธ UACExploit - Windows UAC Bypass (Hidden)


This tool is a Proof of Concept (PoC) demonstrating how to bypass **User Account Control (UAC)** on Windows systems. The exploit works by manipulating Windows Registry keys to execute a command with elevated privileges without triggering any UAC prompt or notification to the user.

### โš™๏ธ How the Exploit Works (Code Breakdown)

The code leverages a specific UAC bypass technique. Here are the critical parts of the mechanism:

1.  **Privilege Check**:
    *   The code first checks if the current process is already running with **Administrator** privileges.
    *   If it's running as a standard user, it initiates the bypass. If it's already elevated, it cleans up the registry changes it made and kills itself to avoid errors.

2.  **Registry Manipulation (The Core)**:
    *   The exploit creates a series of registry keys under `HKEY_CURRENT_USER\Software\Classes\`.
    *   **The Critical Path**: It targets `ms-settings\shell\open\command`. This path is associated with the `ms-settings` protocol, which Windows auto-elevates.
    *   **The Payload**: It sets the default value of the `command` key to the path of the executable you want to run with admin privileges (`System.Reflection.Assembly.GetExecutingAssembly().Location`).
    *   **The Trigger**: It adds a `DelegateExecute` value (set to `0`). This tells Windows to execute the command without any further checks, exploiting the trusted auto-elevated protocol.

3.  **Executing the Bypass**:
    *   The code then silently starts `cmd.exe` with the argument `/c start computerdefaults.exe`.
    *   Starting `computerdefaults.exe` (which uses the `ms-settings` protocol) forces Windows to look at the hijacked registry key and execute the malicious payload instead, but this time with **high integrity (admin) privileges**.

4.  **Cleanup**:
    *   Once the payload is running with admin rights, the new process cleans up the registry by removing the hijacked command, leaving little to no trace.

### โš ๏ธ Critical Code Elements

When reviewing or modifying this code, pay close attention to these lines:

*   **`WindowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator)`**: This line is the checkpoint that decides whether to run the exploit or the cleaned-up elevated code.
*   **`Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command")`**: This is where the registry hijack happens. The entire exploit relies on this path.
*   **`registryKey.SetValue("DelegateExecute", 0, RegistryValueKind.DWord)`**: This `DelegateExecute` value is the magic key that tricks the Windows auto-elevation mechanism.
*   **`Process.Start("cmd.exe", "/c start computerdefaults.exe")`**: This is the trigger. It launches a trusted Windows process that uses the hijacked protocol.

### โ˜ ๏ธ Risk & Impact

*   **Privilege Escalation**: An attacker with limited user access can gain **full administrative control** over the machine.
*   **Silent Execution**: The bypass is designed to be hidden (`WindowStyle.Hidden`, `CreateNoWindow = true`), allowing malware to install itself or perform malicious actions without any user interface or warning.
*   **Persistence**: Once admin rights are gained, an attacker can install persistent malware, disable security software, or move laterally across a network.

### ๐Ÿ› ๏ธ Usage

1.  Compile the code into an executable (e.g., `exploit.exe`).
2.  Run the executable from a non-administrator command prompt or directly.
3.  The executable will automatically elevate its privileges and restart itself with full admin rights.

---

**Exploited By : A8FitHaCkEr**  
**Powered By : KTEBH WARRIORS 1337**