Attackers hope getting administrator privileges always. If they had get it, they can do anything. Therefore, they try to get administrator privileges in various ways, such as account stealing, privilege escalation, UAC bypass. I have found one way to escalate privileges to administrator without using vulnerability. I hope you to see the demo, understand the mechanism, and prepare against the attacks.

1. How to escalate privileges to
administrator in latest Windows.
BSides Las Vegas 2017
July 25, 2017
Soya Aoyama

2. Who I am
• Soya Aoyama
• Fujitsu System Integration Laboratories Limited
• First Presentation : AVTOKYO 2016
2

3. Do you want administrator privileges?
• Steal administrator accounts
• Mimikatz, PwDump, CacheDump, …
• Attack system vulnerabilities
• CVE-2017-0156, 0158, 0165, 0166, 0189, 0211, …
• Use Windows 10 weakness
• UAC bypass, IFileOperation , …
3

4. A year ago…
4
• I submitted to Microsoft's bounty program.
I decided to make it in public.

5. I found…
5
• CompMgmtLauncher loads a third party DLL
• Requirement : Registered in the following registry
HKEY_LOCAL_MACHINE
SOFTWARE
Classes
*
shellex
ContextMenuHandlers
CompMgmtLauncher.exe
System Process
xxx.dll
Third Party Program
CompMgmtLauncher.exe
System File
2.Escalate to Administrator 3.Load
1.Launch
problem

6. Source Code 1
6
US UnregisterServer;
void MaliciousProcess(WCHAR* dll) {
WCHAR exe[MAX_PATH + 1] = { 0 };
WCHAR buf[MAX_PATH + 1] = { 0 };
GetModuleFileName(NULL, exe, MAX_PATH);
wsprintf(buf, L"cmd.exe /k echo %s&echo %s", exe, dll);
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,

7. Demo Video 1
7

8. During the demonstration…
8
• You need administrator privileges to access the file.
I found a means to solve this issue.

9. OneDrive helps to solve the problem
9
• Explorer loads a OneDrive DLL
• The OneDrive program is located in the following
• You can use IFileOperation API in Explorer
%UserProfile%
¥AppData
¥Local
¥Microsoft
¥OneDrive
Explorer.exe
System Process
FileSyncShell64.dll
OneDrive Program
Explorer.exe
System File
2.Load1.System Start
problem
You can access to administrator’s owned files.

10. Source Code 1
10
}
void MaliciousProcess(HMODULE hModule, WCHAR* dll)
{
if (SECURITY_MANDATORY_HIGH_RID > GetIntegrityLevel(hModule)) {
ReplaceDll(dll);
ShellExecute(NULL, NULL, L"CompMgmtLauncher", NULL, NULL,
SW_SHOWNORMAL);
} else {
WCHAR exe[MAX_PATH + 1] = { 0 };
WCHAR buf[MAX_PATH + 1] = { 0 };
GetModuleFileName(NULL, exe, MAX_PATH);
wsprintf(buf, L"cmd.exe /k echo %s&echo %s", exe, dll);
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };

11. Demo Video 2
11

12. Conclusion
12
Explorer.exe
FileSyncShell64.dll
CompMgmtLauncher.exe
ShellExtensionX64.dll
Memory
OneDrive
FileSyncShell64.dll
WinMerge
ShellExtensionX64.dll
Malicious Program
BSidesLV.dll
Directory
BSidesLV.bat
CompMgmtLauncher.exe
1.Click batch file
2.Replace
3.Start System
4.Load
5.Replace
6.Start
7.Load
even if individual weakness are small,
but it will be very dangerous depending on the combination.
Administrator

13. Bad news
13
• This fixed in Build 15063.(Creators Update)
• CompMgmtLauncher still loads a third party dll.
• CompMgmtLauncher does not escalate to administrator privileges.
Microsoft does not want to pay me the reward.

14. Thank you
14
https://www.facebook.com/soya.aoyama.3
@SoyaAoyama
https://www.slideshare.net/SoyaAoyama
https://github.com/SoyaAoyama