5 Antworten in diesem Thema

[dos]

Moin toolbase

 

Ich suche irgendwelche zeilen Code oder einen Crypter der fix UAC aushebelt.

Es geht lediglich um 1ne .bat

 

 

[n1nja]

BAT-Datei einfach als Admin starten.

Ansonsten musst du dir per Batch die Rechte holen und die Datei mit den Benutzer, der Adminrechte hat, erneut starten.

 

Mit Batch kenne ich mich leider nicht so gut aus.

 

Noch ist es eine Frage, soll die UAC-Meldung bypassed werden? Dann wirds kompliziert - bis unmöglich.

[most_uniQue]

Hier haste was.

Another fresh and easy to use UAC bypass is using GWXUXWorker.exe from KB3035583 (Windows 10 upgrade program).

It has "autoElevate" ability and "requireAdministrator".
It remains in standalone directory %systemroot%\System32\GWX which makes it exploitation trivial.
It is signed with embedded Microsoft certificate, sha1/sha256 (ends July 2015).
There is a perfect dependency SLC.dll with one imported symbol - SLGetWindowsInformation.

Method 1.
Check if KB3035583 installed. If yes then copy your dll with help of wusa/IFileOperation to the %systemroot%\System32\GWX under name "SLC.dll" with SLGetWindowsInformation export. Run GWXUXWorker.exe -> silent autoelevate to full admin on default recommended UAC settings.

The disadvantage of this method is it short life time because Windows 10 planned on this summer and required KB3035583 preinstallation.

Method 2.
You can use copy of GWXUXWorker.exe with your autoelevator and just drop it to the windows directory together with hijacker dll.

The above MS fuckup mean they do not consider autoelevating malware as something important and give no additional attention to the risky autoelevated applications they blindly making up to date. However this reaction is a bit strange. Sometimes there is a feedback - sysprep for Windows 8.1/sdbinst for Win7-10/shcore for Win10.

Currently keeping UAC on middle level for malware is the same as just turn it off. There are few ways to globally fix malware autoelevations even without removing "autoelevate" option. Global point of them - do not allow write access from unauthorized code to the protected system directory such as Windows and it subdirectories.

1) First and most obvious - remove "autoElevate" from WUSA.exe. If you want to deliver update - then force user to agree and allow this.
2) Two backdoor interfaces IFileOperation/ISecurityEditor must be completely removed or reimplemented. They were made for lazy reasons and represents "security through obscurity" principle. They need to be reworked.
3) Every autoelevate application must have embedded manifest with dll redirection to the trusted location where all required files must exist. Additionally autoelevated code must NOT call LoadLibrary dynamically or should do a dll verification before attempt to load anything not in KnownDlls (hello backdoored cliconfg.exe). This can be done inside application or inside Windows loader internals.
4) Explorer.exe child processes must be untrusted and work in sandbox. There must be an exception for valid signed binaries or for executables that launched with user direct permission. This will help with autoelevation based on dll injection and globally with injector type malware.
5) Every autoelevated application must be verified with dll profiler to exclude delay load dll hijacking. Currently there is no such test - sysprep on Windows 10 build 10130 is AGAIN fucked up with newly added dbgcore.dll delay load dependency.
6) AppInfo "whitelisted" applications all must be hardcoded with full path symbolic links not only their names. There should be no situation when you can just copy autoelevated executable to different directory and exploit it there (hello bthudtask and H1N1 malware loader).
7) Replace this god damn ugly UAC shield with sieve which is more suitable for this system mechanism as it implemented starting from Windows 7 up to 10.

But I think painting shitty icons and fucking up with build numbers is more fun and profitable for the *new* Microsoft full of noobs.

Quelle:

Please Login HERE or Register HERE to see this link!

 

Greetz

[n1nja]

Hab hier auch zufällig noch was dazu gefunden.

Please Login HERE or Register HERE to see this link!

[dos]

@n1nja

Ja es ist in grunde ein Bypass was ich suche.

 

@most_uniQue

Danke Schaut wirklich sehr interessant aus, das problem ist das das nur bis zum sommer bzw. des Zertifikat in 2 Wochen abläuft und C oder C++ über die Nacht zu lernen und reversen ist nicht

Aber danke dir dennoch! Vielleicht kann jemand anderes noch schnell ein nutzen daraus ziehen.

 

@n1nja again ;D

2011 ist wsl auch out dated ?

Danke dir dennoch

[n1nja]

Ich hab das nicht getestet.

 

Ich arbeite derzeit an meiner Methode um das UAC zu bypassen.

Im Prinzip funktioniert es genauso.

 

Nur krieg es ab Win8 nicht zum laufen.

Wird also noch etwas dauern, bis es richtig funktioniert.