Description changed
parent
1e439b623b
commit
bd672ae148
|
@ -29,16 +29,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Name' => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)',
|
||||
'Description' => %q{
|
||||
This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under
|
||||
the Current User hive, and inserting a custom command that will get invoked when any binary (.exe)
|
||||
application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
|
||||
When we run slui.exe with changed Registry key (HKCU:\Software\Classes\exefile\shell\open\command),
|
||||
it will run our custom command as Admin instead of slui.exe.
|
||||
the Current User hive, and inserting a custom command that will get invoked when any binary
|
||||
(.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable
|
||||
to file handler hijacking. When we run slui.exe with changed Registry key
|
||||
(HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin
|
||||
instead of slui.exe.
|
||||
|
||||
The module modifies the registry in order for this exploit to work. The modification is reverted
|
||||
once the exploitation attempt has finished.
|
||||
The module modifies the registry in order for this exploit to work. The modification is
|
||||
reverted once the exploitation attempt has finished.
|
||||
|
||||
The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom
|
||||
your DLL should call ExitProcess() after starting the payload in a different process.
|
||||
The module does not require the architecture of the payload to match the OS. If
|
||||
specifying EXE::Custom your DLL should call ExitProcess() after starting the
|
||||
payload in a different process.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
|
|
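Review bot: The final paragraph of the rewrapped 'Description' still tells the user that with EXE::Custom "your DLL should call ExitProcess()", but nothing else in the description involves a DLL. The technique described is a command written under HKCU:\Software\Classes\exefile\shell\open\command and triggered by slui.exe. Since these lines are being touched anyway, either explain where a DLL comes into this module or reword the sentence to refer to the custom executable. In the first paragraph, "But slui.exe is an auto-elevated binary" and "with changed Registry key" read awkwardly and could be fixed in the same pass, for example "slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. When slui.exe is run with the modified Registry key ...". The sentence saying the modification is reverted "once the exploitation attempt has finished" should also say whether the key is restored when the attempt fails, since a leftover exefile handler under HKCU affects every .exe launch for that user.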