https://github.com/advancedhacker101/bypass-uac

Small utility written in c++ to bypass windows UAC prompt
https://github.com/advancedhacker101/bypass-uac

c-plus-plus c-sharp uac uac-bypass windows-7

Last synced: 4 months ago
JSON representation

Small utility written in c++ to bypass windows UAC prompt

• Host: GitHub
• URL: https://github.com/advancedhacker101/bypass-uac
• Owner: AdvancedHacker101
• License: mit
• Created: 2017-06-23T13:54:07.000Z (almost 8 years ago)
• Default Branch: master
• Last Pushed: 2018-08-04T18:33:14.000Z (almost 7 years ago)
• Last Synced: 2024-09-28T22:41:01.587Z (8 months ago)
• Topics: c-plus-plus, c-sharp, uac, uac-bypass, windows-7
• Language: C
• Homepage:
• Size: 85.9 KB
• Stars: 38
• Watchers: 4
• Forks: 25
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

        
# Bypass UAC

This project can bypass UAC on an administrator account with default UAC settings  

The project contains snippets from the UacMe project by hfiref0x, but formatted to work with the [c# R.A.T Client](https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client)  

## Disclaimer

This application is for educational purposes only.  

Using this tool without understanding how it's working can lead to negative consequences  

I'm not responsible for the consequences of using this tool!  

Only run it on a computer you have permission to!

## How it works

The bypass has 2 main parts  

1. Copy a fake dll to System32  

This can be done with IFileOperation  

2. Execute the fake dll with Admin privs  

pkgmgr.exe with the `/n:` options calls Dism.exe which has dll hijacking vuln  

pkgmgr is an autoelevating .exe, it requires no uac prompt or admin privs, but runs on High IL  

The executing is done by running: `pkgmgr.exe /quiet /n:unattend.xml`  

After this the High IL Dll executes the R.A.T client with admin privs  

**testDll**: the fake DismCore.dll which will be copied to System32  

**testAnything**: a launcher, which executes the dll  

**copyFile**: copies a file to the destination, without the uac prompt  

## System requirements  

### On 32 bit (x86) Machine

**x86 Release** build of testDll  

**x86 Release** build of testAnything  

**x86 Release** build of copyFile  

### On 64 bit (x64) Machine  

**x64 Release** build of testDll  

**x64 Release** build of testAnything  

**x64 Release** build of copyFile  

The tool was tested on a Windows7 x64 bit machine  

The source code in this form only works with the c# R.A.T client, but you can modify it for your own project  

## More Information  

You can read information related to contribution [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/CONTRIBUTING.md)  

You can read the Code of Conduct [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/CODE_OF_CONDUCT.md)  

You can view the project's licence [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/LICENSE)  

*Happy Coding*

**-Advanced Hacking 101**