## https://sploitus.com/exploit?id=E19F34BB-E3CF-5D86-BAF9-036E27042642
# ๐ก๏ธ UACExploit - Windows UAC Bypass (Hidden)
This tool is a Proof of Concept (PoC) demonstrating how to bypass **User Account Control (UAC)** on Windows systems. The exploit works by manipulating Windows Registry keys to execute a command with elevated privileges without triggering any UAC prompt or notification to the user.
### โ๏ธ How the Exploit Works (Code Breakdown)
The code leverages a specific UAC bypass technique. Here are the critical parts of the mechanism:
1. **Privilege Check**:
* The code first checks if the current process is already running with **Administrator** privileges.
* If it's running as a standard user, it initiates the bypass. If it's already elevated, it cleans up the registry changes it made and kills itself to avoid errors.
2. **Registry Manipulation (The Core)**:
* The exploit creates a series of registry keys under `HKEY_CURRENT_USER\Software\Classes\`.
* **The Critical Path**: It targets `ms-settings\shell\open\command`. This path is associated with the `ms-settings` protocol, which Windows auto-elevates.
* **The Payload**: It sets the default value of the `command` key to the path of the executable you want to run with admin privileges (`System.Reflection.Assembly.GetExecutingAssembly().Location`).
* **The Trigger**: It adds a `DelegateExecute` value (set to `0`). This tells Windows to execute the command without any further checks, exploiting the trusted auto-elevated protocol.
3. **Executing the Bypass**:
* The code then silently starts `cmd.exe` with the argument `/c start computerdefaults.exe`.
* Starting `computerdefaults.exe` (which uses the `ms-settings` protocol) forces Windows to look at the hijacked registry key and execute the malicious payload instead, but this time with **high integrity (admin) privileges**.
4. **Cleanup**:
* Once the payload is running with admin rights, the new process cleans up the registry by removing the hijacked command, leaving little to no trace.
### โ ๏ธ Critical Code Elements
When reviewing or modifying this code, pay close attention to these lines:
* **`WindowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator)`**: This line is the checkpoint that decides whether to run the exploit or the cleaned-up elevated code.
* **`Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command")`**: This is where the registry hijack happens. The entire exploit relies on this path.
* **`registryKey.SetValue("DelegateExecute", 0, RegistryValueKind.DWord)`**: This `DelegateExecute` value is the magic key that tricks the Windows auto-elevation mechanism.
* **`Process.Start("cmd.exe", "/c start computerdefaults.exe")`**: This is the trigger. It launches a trusted Windows process that uses the hijacked protocol.
### โ ๏ธ Risk & Impact
* **Privilege Escalation**: An attacker with limited user access can gain **full administrative control** over the machine.
* **Silent Execution**: The bypass is designed to be hidden (`WindowStyle.Hidden`, `CreateNoWindow = true`), allowing malware to install itself or perform malicious actions without any user interface or warning.
* **Persistence**: Once admin rights are gained, an attacker can install persistent malware, disable security software, or move laterally across a network.
### ๐ ๏ธ Usage
1. Compile the code into an executable (e.g., `exploit.exe`).
2. Run the executable from a non-administrator command prompt or directly.
3. The executable will automatically elevate its privileges and restart itself with full admin rights.
---
**Exploited By : A8FitHaCkEr**
**Powered By : KTEBH WARRIORS 1337**