hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License
6.08k stars, 1.3k forks

New technique via IElevatedFactoryServer::ServerCreateElevatedObject(CLSID_TaskScheduler) #129

Closed zcgonvh closed 2 years ago

zcgonvh commented 2 years ago

I found a new technique using the Virtual Factory for the MaintenanceUI COM object (A6BFEA43-501F-456F-A845-983D3AD7B8F0). It works from win81 to win10 21H2 (the latest in my test), and can GET SYSTEM DIRECTLY. POC is here: https://github.com/zcgonvh/TaskSchedulerMisc/blob/master/schuac.cs. And I believe shpafact!CElevatedFactoryServer is a new attack surface (~20 Elevated COM Proxy objects on win10 21H2 by default).

hfiref0x commented 2 years ago

Thanks for your findings. I'll add this to the next version.