diff options
Diffstat (limited to 'docs/Privesc/Invoke-WScriptUACBypass.md')
| -rwxr-xr-x | docs/Privesc/Invoke-WScriptUACBypass.md | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 0000000..f9eeb8d --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass
+
+## SYNOPSIS
+Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
+
+Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]
+```
+
+## DESCRIPTION
+Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
+VBScript using the wscript executable with the new manifest.
+The VBScript executed by
+C:\Windows\wscript.exe will run elevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+"
+```
+
+Launches the specified PowerShell encoded command in high-integrity.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
+```
+
+Spawns a high integrity cmd.exe.
+
+## PARAMETERS
+
+### -Command
+The shell command you want wscript.exe to run elevated.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CMD
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Whether to display or hide the window for the executed '-Command X'.
+Accepted values are 'Hidden' and 'Normal'/'Visible.
+Default is 'Hidden'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Hidden
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
+
|