
PoC demonstrating a chained UAC bypass and token duplication to illustrate escalation from USER to NT AUTHORITY without initial Admin level.

28Zaaky/Priv-Escalation-Exploit


Windows Privilege Escalation Exploit PoC — UAC Bypass x Token Duplication

PoC screenshot

Educational Use Only
This repository contains a proof-of-concept that chains two Windows privilege escalation techniques for research and defensive learning purposes:

  1. A UAC (User Account Control) bypass to obtain an elevated Administrator process.
  2. Token duplication to attempt launching a SYSTEM-level process.

Running or modifying this code on machines you do not own or without explicit written authorization is illegal and unethical.
This project is for research, learning, and defense development only.


Overview

This proof-of-concept (PoC) demonstrates, conceptually and through code, how two privilege escalation techniques can be combined:

  1. User → Administrator: Attempts a UAC bypass to relaunch itself with elevated privileges.
  2. Administrator → SYSTEM: From that elevated context, duplicates a SYSTEM token (from a high-privilege process) to spawn a new shell running as SYSTEM.

The PoC is designed to illustrate Windows token mechanics, UAC internals, and process security, not to serve as an operational exploit.


How to use it

```shell
gcc -o PrivEsc.exe .\PrivEsc01.c -ladvapi32 -lshell32 -luser32
```


Execution Flow

1. Normal User Path

  • The program starts and checks if the current process is a member of the Administrators group (IsAdmin()).
  • If not elevated, it triggers the UAC bypass routine (UACBypassWin10 or UACBypassAlternative).
  • These functions temporarily modify registry keys to define a custom command handler for trusted auto-elevating executables (e.g., fodhelper.exe or computerdefaults.exe).
  • The trusted helper then launches the PoC binary with --admin, simulating elevation.

2. Elevated / Admin Path

  • When launched with the --admin argument, the PoC assumes it’s elevated.
  • It enables critical privileges on its token using EnableAllPrivileges (e.g., SE_DEBUG_NAME, SE_IMPERSONATE_NAME).
  • The program locates a SYSTEM-level process (commonly winlogon.exe) via GetWinlogonPid.
  • Then, it uses TokenStealing to:
    1. Open the process and retrieve its access token.
    2. Call DuplicateTokenEx to create a primary token.
    3. Invoke CreateProcessAsUserA to spawn a new process (e.g., cmd.exe) under that duplicated SYSTEM token.
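As an added, defender-side illustration (not code from this repository), the following Python scans a constructed stream of Sysmon-style and Security-log records for the footprints each stage of the flow above leaves: a per-user shell handler written under HKCU\Software\Classes by an ordinary process, a child process spawned by an auto-elevating helper, and SeDebugPrivilege being enabled by a process outside an allowlist. Event IDs 13 (registry value set), 1 (process create) and 4703 (token right adjusted) are real; the simplified field names, the allowlist, the correlation window and every sample value are assumptions made for the example.

```python
"""Detection example for the UAC-bypass / token-duplication chain.

Added illustration, not code from the PoC repository: it scans constructed,
Sysmon-style event records (EventID 13 = registry value set, EventID 1 =
process create) plus Windows Security EventID 4703 (token right adjusted)
and flags the observable side effects of each stage. Field names are
simplified from the real schemas and every sample value is invented.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Optional

# Helpers that Windows auto-elevates; they are not expected to spawn children.
AUTO_ELEVATING_HELPERS = {"fodhelper.exe", "computerdefaults.exe"}
# Per-user class registrations are writable at medium integrity and are read
# by such helpers before elevation, so a shell\open\command written there by
# an ordinary process is the stage-1 footprint.
PER_USER_CLASSES = "hkcu\\software\\classes\\"
SHELL_OPEN_CMD = "\\shell\\open\\command"
# Assumed allowlist of processes that legitimately enable SeDebugPrivilege.
DEBUG_PRIV_ALLOWLIST = {"msmpeng.exe", "procexp64.exe"}
# Stage 1 and stage 2 must occur within this window to be reported as a chain.
CHAIN_WINDOW = timedelta(minutes=5)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Label a single event, or return None when it looks benign."""
    eid = event["EventID"]
    if eid == 13:  # registry value set
        target = event["TargetObject"].lower()
        if target.startswith(PER_USER_CLASSES) and SHELL_OPEN_CMD in target:
            return "per-user shell handler hijack"
    elif eid == 1:  # process create
        if basename(event["ParentImage"]) in AUTO_ELEVATING_HELPERS:
            return "child spawned by auto-elevating helper"
    elif eid == 4703:  # token right adjusted
        if ("SeDebugPrivilege" in event.get("EnabledPrivilegeList", "")
                and basename(event["ProcessName"]) not in DEBUG_PRIV_ALLOWLIST):
            return "SeDebugPrivilege enabled by non-allowlisted process"
    return None


def detect_chain(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (UtcTime, User, label) findings in time order.

    A helper child that follows a handler hijack by the same user inside
    CHAIN_WINDOW is upgraded to a chain finding.
    """
    findings: list[tuple[str, str, str]] = []
    last_hijack: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        label = classify(ev)
        if label is None:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        user = ev["User"].lower()
        if label == "per-user shell handler hijack":
            last_hijack[user] = ts
        elif label == "child spawned by auto-elevating helper":
            prev = last_hijack.get(user)
            if prev is not None and ts - prev <= CHAIN_WINDOW:
                label = "UAC bypass chain: handler hijack followed by helper child"
        findings.append((ev["UtcTime"], ev["User"], label))
    return findings


# Constructed sample stream: one user running the chain, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-01T10:00:00", "User": "LAB\\alice",
     "Image": "C:\\Users\\alice\\Desktop\\PrivEsc.exe",
     "TargetObject": "HKCU\\Software\\Classes\\exampleclass\\Shell\\Open\\command\\(Default)"},
    {"EventID": 1, "UtcTime": "2024-01-01T10:00:02", "User": "LAB\\alice",
     "Image": "C:\\Users\\alice\\Desktop\\PrivEsc.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe"},
    {"EventID": 4703, "UtcTime": "2024-01-01T10:00:05", "User": "LAB\\alice",
     "ProcessName": "C:\\Users\\alice\\Desktop\\PrivEsc.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\nSeImpersonatePrivilege"},
    {"EventID": 1, "UtcTime": "2024-01-01T10:01:00", "User": "LAB\\bob",
     "Image": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4703, "UtcTime": "2024-01-01T10:01:10", "User": "NT AUTHORITY\\SYSTEM",
     "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for when, who, label in detect_chain(SAMPLE_EVENTS):
        print(f"{when} {who}: {label}")
```

Run against the sample stream this reports three findings for alice (the handler write, the helper child upgraded to a chain finding, and the SeDebugPrivilege enablement) and nothing for bob or for the allowlisted engine. The stage-1 rule is deliberately generic: it watches any `shell\open\command` created under the per-user class hive rather than one helper's specific key, so the same check covers the other auto-elevating helpers the README mentions.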

Key Concepts Explained

| Concept | Description |
|---|---|
| Access Token | A data structure describing a process's identity and privileges. Duplicating a token allows creating a process that inherits another identity. |
| Privileges | Special rights (e.g., SE_DEBUG_NAME) that control sensitive actions such as opening system processes or creating impersonation tokens. |
| UAC (User Account Control) | A Windows mechanism that mediates privilege elevation. Some trusted system binaries auto-elevate, forming potential abuse vectors. |
| DuplicateTokenEx / CreateProcessAsUserA | Windows APIs for creating a process using an existing token. Essential for privilege-transfer or impersonation techniques. |

Function Map (Code Architecture)

| Function | Purpose |
|---|---|
| main | Entry point. Decides execution path based on privileges and arguments. |
| IsAdmin | Uses AllocateAndInitializeSid + CheckTokenMembership to verify admin status. |
| UACBypassWin10 / UACBypassAlternative | Two variants that attempt UAC bypass using different trusted helpers (registry COM handler method). |
| EnableAllPrivileges | Enables required privileges (debug, impersonate, assign token, increase quota). |
| GetWinlogonPid | Enumerates running processes to find a SYSTEM-level target (e.g., winlogon.exe). |
| TokenStealing | Duplicates a privileged token and spawns a new process with it using CreateProcessAsUserA. |

Code Quality & Safety Observations

This PoC prioritizes educational value over robustness. Common issues include:

  • ⚠️ Lack of error handling: API calls are not consistently checked; missing logging and GetLastError() checks.
  • ⚠️ Unsafe string handling: Uses unbounded strcat; should use safer alternatives like StringCchCat or snprintf_s.
  • ⚠️ Uninitialized structures: Windows structures (STARTUPINFO, etc.) are not zeroed before use.
  • ⚠️ Incomplete cleanup: Handles and resources are not always released on error.
  • ⚠️ Fragility: Techniques depend on specific Windows versions; modern systems and EDR tools will likely block them.

Legal & Ethical Disclaimer

This project is a laboratory Proof of Concept, not an exploit tool.
Use it exclusively in isolated test environments and with explicit authorization.

Unauthorized execution, modification, or distribution of this code in any operational context may violate applicable law.


Author Information

Contact: 28zaakypro@proton.me


License & Usage

This PoC is distributed for research and educational purposes only.
No warranty is provided. The author disclaims any responsibility for misuse.
