How to Bypass UAC Using DLL Hijacking
This tutorial was written with Windows 7 in mind, but the principle applies to all versions starting from 7.
User Account Control (UAC)
Processes in Windows run at different levels of integrity, representing the different amounts of "trust" they have to interact with the computer. The levels are as follows:
1. System: System level of integrity
2. Administrator: High level
3. Authenticated User: Medium level
4. Everyone: Low level
5. Anonymous: Untrusted
If User Account Control is enabled, programs run at medium (or lower) integrity, even if the user starting them has Administrator rights. This limits the damage malware can do to the computer, as it can only interact with user files. When a program needs to run at a higher integrity level, it has to prompt the user to give it admin rights.
UAC has 4 different levels:
Always notify: User is notified any time anything needs elevated privileges.
Notify me only when programs try to make changes to my computer: User is prompted when a program needs elevated privileges.
Notify me only when programs try to make changes to my computer (Don't dim the desktop): Doesn't dim the desktop when showing a prompt. Less secure than the above level.
http://nullbyte.wonderhowto.com/howto/bypassuacusingdllhijacking0168600/ (03/04/2016)
Never notify: User is never notified about changes to the computer.
If a user is an administrator, they can press "Yes" to give the asking process higher integrity, or, if they are not an admin, they have to type in the administrator password.
Our goal here is to get a process to start with high integrity without interacting with the user. This technique will work only if they are an administrator, and UAC is not at the "Always notify" level.
DLL Hijacking
DLL hijacking is a technique used to force programs to load malicious DLLs. A program normally should search for DLLs like this:
0.1 If the DLL is already loaded, use it.
0.2 If the DLL is on the list of known DLLs, stored in the registry, load it from the path on the list.
1. Hardcoded path
2. System directory
3. 16-bit system directory
4. Windows directory
5. Current directory
6. PATH environment variable
However, some programs look into the current directory first, allowing us to hijack the search and make it load our DLL.
Auto Elevation
For a program to be able to elevate without user consent it has to:
Be signed with a certificate from Microsoft.
Be in a secure directory.
Have the "AutoElevate" property in its manifest.
A program which meets those conditions can elevate without a prompt on the default settings.
Bypassing UAC
To recap, these are the conditions that allow bypassing UAC:
Executable must be vulnerable to DLL hijacking.
Executable must have the ability to auto-elevate.
We have to be running a medium integrity process.
User must be in the administrators group.
UAC settings must be left on default values, or lower.
If all of these are fulfilled, the process of bypassing UAC is as follows:
1. Copy our malicious DLL to a vulnerable program's directory.
2. Execute the program, so it loads our malicious DLL.
The first step might seem impossible, seeing as we need to have admin privileges to copy files to protected locations, such as C:\Windows\System32. But quite conveniently, we can use the Windows Update Standalone Installer (wusa.exe) to unpack cabinet files into secure directories. That is possible because wusa can elevate to administrator without prompting the user.
The program we will be exploiting is called Mcx2Prov.exe. It is located in C:\Windows\ehome, and the malicious library needs to be called cryptbase.dll.
Steps to Bypass UAC:
1. Create our malicious DLL. We can write one ourselves, or use msfvenom. The DLL I am going to load will open Command Prompt. (Make sure the DLL has the correct bitness, and use x64 versions of payloads if needed. Use the command "systeminfo" to see system bitness.)
Syntax: msfvenom -p <payload> -f dll -o cryptbase.dll <payload options>
2. Turn our DLL into a cabinet file. There is a tool on Windows called makecab which will create the file for us.
Syntax: makecab <input file> <output file>
3. Unpack the cabinet using wusa:
Syntax: wusa <input file> /extract:C:\Windows\ehome\
Be careful to use the absolute path to the cabinet file. You won't get an error if extracting fails, so double check that everything worked correctly.
4. Run Mcx2Prov.exe:
Pwned! There is another way to copy files, using code injection, and vulnerable executables vary by Windows version. Nevertheless, this exploit is quite reliable and easy to execute.
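The same artifacts the procedure depends on (wusa.exe extracting into a protected directory, and cryptbase.dll being loaded from C:\Windows\ehome by Mcx2Prov.exe instead of from System32) are what a defender watches for. The following is an added detection example, not code from the original tutorial: it runs two checks over constructed Sysmon-style records (event 1 ProcessCreate and event 7 ImageLoad field names); the sample events, directory lists and alert wording are assumptions.

```python
import re

# Directories only an elevated process should be able to write into (assumed list).
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\ehome")
# The only directories a genuine cryptbase.dll is loaded from (assumed list).
LEGIT_CRYPTBASE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _norm(path):
    return path.replace("/", "\\").lower().rstrip("\\")

def check_process_create(ev):
    """Sysmon event 1: wusa.exe told to extract a cabinet into a protected directory."""
    m = re.search(r'/extract:\s*"?([^"\s]+)', ev.get("CommandLine", ""), re.I)
    if not (_norm(ev.get("Image", "")).endswith("\\wusa.exe") and m):
        return None
    dest = _norm(m.group(1))
    if any(dest == d or dest.startswith(d + "\\") for d in PROTECTED_DIRS):
        return "wusa.exe extracting into protected directory: " + m.group(1)
    return None

def check_image_load(ev):
    """Sysmon event 7: cryptbase.dll loaded from a non-system directory or unsigned."""
    loaded = _norm(ev.get("ImageLoaded", ""))
    if not loaded.endswith("\\cryptbase.dll"):
        return None
    if loaded.rsplit("\\", 1)[0] not in LEGIT_CRYPTBASE_DIRS or ev.get("Signed", "true").lower() != "true":
        return "suspicious cryptbase.dll load by %s from %s" % (ev.get("Image"), ev.get("ImageLoaded"))
    return None

def scan(events):
    """Return one alert string per suspicious event, in input order."""
    checks = {1: check_process_create, 7: check_image_load}
    hits = (checks[ev["EventID"]](ev) for ev in events if ev.get("EventID") in checks)
    return [h for h in hits if h]

# Constructed sample events using Sysmon field names (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa C:\\Users\\bob\\update.cab /extract:C:\\Windows\\ehome\\"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wusa.exe",
     "CommandLine": "wusa C:\\Users\\bob\\update.cab /extract:C:\\Users\\bob\\out"},
    {"EventID": 7, "Image": "C:\\Windows\\ehome\\Mcx2Prov.exe",
     "ImageLoaded": "C:\\Windows\\ehome\\cryptbase.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll", "Signed": "true"},
]
```

Running scan(SAMPLE_EVENTS) raises alerts for the first and third records only; setting UAC to "Always notify" removes the silent elevation the tutorial relies on, and these checks cover the case where that setting has been left at its default.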
Additional Info:
Here are the exploitable programs available:
On Windows 7:
C:\windows\ehome\Mcx2Prov.exe
CRYPTBASE.dll