Elevator - UAC Bypass by abusing RPC and debug objects

Elevator bypasses UAC and spawns an elevated process with full administrator privileges. It does this by abusing the behaviour of the RPC server that implements the UAC feature, as demonstrated by James Forshaw in his article Calling Local Windows RPC Servers from .NET. The tool does not require dropping an extra DLL or writing to the Windows Registry (as is often the case with other UAC bypass techniques), and it has been successfully tested on Windows Server 2016, Windows Server 2019 and Windows 10 (it probably works on other versions of Windows as well).

The tool is composed of a C++ stub that connects the tool to the RPC server exposed by the APPINFO service, and a Rust project that contains the main logic used to abuse the bug and bypass UAC. The C++ stub was obtained by compiling the IDL file that RpcView generated from the RPC interface with ID 201ef99a-7fa0-444c-9399-19ba84f12a1a.