Hey all,
We all know that UAC is not a security boundary. That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a windowless high-integrity session so you can continue with funtimes.
Recently I came across the technique described on Tyranid's Lair to bypass UAC, but I could only find PowerShell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.
The DLL creates a duplicate token for wusa.exe, crafts a new restricted token, spawns an elevated hidden instance of cmd.exe, and proceeds to inject shellcode into cmd.exe via RtlCreateUserThread. I've tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.
https://github.com/ThunderGunExpress/UAC-TokenDuplication
Hello, when I try this, there is this error that I cannot explain:
> elevate uac-tokendupe
[*] Task Beacon to run windows/beacon_smb/bind_pipe (127.0.0.1:4343) via UAC Token Duplication
[-] Could not find reflective loader in UAC-TokenDuplication-x64.dll
Hey Isaac, the aggressor script cannot find the x64 DLL. IIRC, the script looks for the DLLs in a subdirectory named “dll” relative to TokenDuplication.cna. Do you have the DLL in the same directory by chance?
Hey Cplsec, no, I do not have the x64 DLL file. Can you send me the download link for the DLL file?
Unfortunately, I didn't include compiled versions of the DLLs. I can think of two options: grab an IDE like Visual Studio and compile the source provided on my GitHub, or use a similar PowerShell module that I linked in my post. Sorry dude.
Awesome! Working like a charm. Thanks.