From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Invoke-WScriptUACBypass.md | 85 +++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100755 docs/Privesc/Invoke-WScriptUACBypass.md (limited to 'docs/Privesc/Invoke-WScriptUACBypass.md') diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 0000000..f9eeb8d --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass + +## SYNOPSIS +Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. + +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Invoke-WScriptUACBypass [-Command] [-WindowStyle ] +``` + +## DESCRIPTION +Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute +VBScript using the wscript executable with the new manifest. +The VBScript executed by +C:\Windows\wscript.exe will run elevated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +" +``` + +Launches the specified PowerShell encoded command in high-integrity. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible' +``` + +Spawns a high integrity cmd.exe. + +## PARAMETERS + +### -Command +The shell command you want wscript.exe to run elevated. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CMD + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -WindowStyle +Whether to display or hide the window for the executed '-Command X'. +Accepted values are 'Hidden' and 'Normal'/'Visible. +Default is 'Hidden'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Hidden +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1) + -- cgit v1.2.3