UACME: UAC bypass via "ms-windows-store://" handler hijack & WSReset.exe trigger

Hello,

I have a method, https://github.com/AzAgarampur/byeintegrity7-uac/, that is pretty simple, and it would be nice if it were included. The title of this issue says it all, and it should work on Windows 8 and above. It uses the classic UserAssocSet signatures as always, so I’ve only included the latest W10 & 8 signatures in it, just like before.

Thanks.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 54 (30 by maintainers)

Most upvoted comments

Complete.

I’ve finished testing this method implementation. It works fine on 17763(+LTSC)/18362/18363/19041/19042/19043 and insider preview 213xx builds.

The 3.5.5 version of uacme will be released tomorrow. Thanks for sharing.

Also, there is a 3rd way which I think is good:

1. Enumerate `HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications`

2. Find value which data string contains `"WindowsStore"`

3. Open key `HKCU` + found data string + `\URLAssociations`

4. Enumerate values of this key until `ms-windows-store` name is found

5. Data of this key contains the correct `AppX...` name.
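A defender-side check that follows steps 1–5 above, written here as an added PowerShell example; it is not code from UACME, byeintegrity7 or anyone in this thread. It resolves the per-user `ms-windows-store` handler ProgId exactly as the steps describe, then reports whether the user hive carries a `Shell\open\command` override or a `NoOpenWith` value under that ProgId, the two per-user artefacts this thread mentions. The registry path constants and the "command points outside %SystemRoot%" heuristic are assumptions of this example, not facts from the thread.

```powershell
# Added example (not from the UACME project or this thread): audit the per-user
# ms-windows-store handler registration for tampering indicators.
# Assumed paths: HKCU:\SOFTWARE\RegisteredApplications and HKCU:\SOFTWARE\Classes\<ProgId>.

$RegisteredApps = 'HKCU:\SOFTWARE\RegisteredApplications'

function Get-StoreProgId {
    # Steps 1-2: find the RegisteredApplications value whose data names the Windows Store.
    $props = Get-ItemProperty -Path $RegisteredApps -ErrorAction Stop
    $capabilitiesPath = $null
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's PSPath/PSParentPath/... metadata
        if ($p.Value -is [string] -and $p.Value -like '*WindowsStore*') {
            $capabilitiesPath = $p.Value
            break
        }
    }
    if (-not $capabilitiesPath) { return $null }

    # Steps 3-4: open HKCU\<data string>\URLAssociations and read the ms-windows-store value.
    $urlAssoc = Join-Path "HKCU:\$capabilitiesPath" 'URLAssociations'
    if (-not (Test-Path $urlAssoc)) { return $null }

    # Step 5: the value data is the AppX... ProgId that handles the protocol.
    return (Get-ItemProperty -Path $urlAssoc -ErrorAction SilentlyContinue).'ms-windows-store'
}

function Test-StoreHandlerOverride {
    $progId = Get-StoreProgId
    if (-not $progId) {
        return [pscustomobject]@{ ProgId = $null; Finding = 'ms-windows-store registration not found in HKCU' }
    }

    $classKey = "HKCU:\SOFTWARE\Classes\$progId"
    $cmdKey   = Join-Path $classKey 'Shell\open\command'

    # A per-user Shell\open\command under the AppX ProgId is where a hijack would land.
    $command = $null
    if (Test-Path $cmdKey) {
        $command = (Get-ItemProperty -Path $cmdKey).'(default)'
    }

    # NoOpenWith on the ProgId suppresses the "Open with" prompt; its presence is worth a look.
    $noOpenWith = $null -ne (Get-ItemProperty -Path $classKey -Name NoOpenWith -ErrorAction SilentlyContinue)

    # Heuristic (assumption of this example): a handler command that does not reference
    # %SystemRoot% deserves review. Expect false positives; compare against a known-good host.
    $outsideSystemRoot = $false
    if ($command -and ($command -notlike "*$env:SystemRoot*")) { $outsideSystemRoot = $true }

    [pscustomobject]@{
        ProgId            = $progId
        CommandKey        = $cmdKey
        Command           = $command
        NoOpenWith        = $noOpenWith
        OutsideSystemRoot = $outsideSystemRoot
        ReviewNeeded      = ($noOpenWith -or $outsideSystemRoot)
    }
}

Test-StoreHandlerOverride | Format-List
```

Run it in the context of the user being audited (the keys are in HKCU, so an elevated shell running as another account sees a different hive). For continuous monitoring, the same two locations are natural targets for registry-write telemetry (for example Sysmon registry events filtered on `HKCU\SOFTWARE\Classes\AppX*\Shell\open\command`), since a legitimate Store registration is not expected to change between app updates.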

This one looks promising. Will try that method.

Ok, I think I found a solution: create an empty REG_SZ named `NoOpenWith` under `HKEY_CURRENT_USER\SOFTWARE\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2`.

I’ll make a standalone test application for this method and post it here.

How did you figure that out?

Well, this service is responsible for handling all this fancy new appx crap. By default it is turned off on LTSC. Btw, probably no elevation is required to launch it.

Probably there is a better solution.

Having this AppXSvc running on the LTSC 1809 version triggers the ms-windows-store exploit through the UserAssocSet exploit, and it does so immediately.

Edit:

`HKEY_CURRENT_USER\SOFTWARE\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command`

Will check this later on 19042.

I’ve noticed that sometimes it succeeds but cmd.exe is hidden and invisible. I think it’s because cmd inherits wsreset.exe’s console, but wsreset exits really fast and cmd is left without a console. Might wanna change the default program to `cmd.exe /C start cmd.exe` to really open it in a new console.

That’s already in uacme. There was another method for wsreset before and this behavior is known since then.

I will try to detect the MS Store state; however, I can’t use most of this fancy API because it brings a lot of unneeded dependencies.

As for the “OpenWith” issue, it needs more tests, as it always spawns for me at the first run of the exploit.

I will look into this issue and post results here as usual. And there will be a uacme update because of the new shell32 versions.

IMO it is only worth it if you are using this UserAssocSet somewhere in an everyday-use program; besides, it will still need a switch, as this interface has at least two variants with different IIDs. I will just remake the existing signature lookup routines.

Thanks. I’ll look into it and integrate this later if everything goes well. No date yet.