itsMe Posted August 16, 2021 Share Posted August 16, 2021 This is the hidden content, please Sign In or Sign Up Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components. ByeIntegrity 8.0 The eighth Windows privilege escalation attack in the ByeIntegrity family. ByeIntegrity 8.0 is the most complex one I've created so far; however, because of its complexity, it's able to reveal and exploit hidden design and security flaws in the operating system. After all, it even works when UAC is set to its maximum security level — AlwaysNotify. Attack overview Just like every other ByeIntegrity attack, ByeIntegrity 8.0 needs to be run under an account with administrator privileges. ByeIntegrity 8.0 relies on the Task Scheduler to start the WDI ResolutionHost task. The task is started with an elevated token of the current user that the task scheduler creates. The task proceeds to read parameters from the WDI host and reads from the registry to figure out where to load the requested diagnostic module. These module paths are stored in the registry with the form %WinDir%\System32\.... ByeIntegrity 8.0 sets a custom WinDir environment variable to load its own payload module into the ResolutionHost task, which then launches any program inheriting the full administrative privileges. This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
Recommended Posts