A (super dupe cool) implementation of the CMSTP UAC bypass technique using Java and JNA.
This project is purely for educational and authorized testing purposes only. Unauthorized use of this program is highly unethical and illegal. Usage of this tool is completely your own responsibility, and I am not responsible for any misuse or damage caused by this program.
CMSTP.exe is a legitimate Windows binary that can be abused to bypass User Account Control (UAC) and execute code with elevated privileges. The technique is widely known and has been documented by security researchers; see MITRE ATT&CK T1218.003.
- Create a specially crafted INF configuration file (the file extension does not actually matter)
- Execute `cmstp.exe` with the configuration file
- Automatically hide the resulting window and interact with it using JNA
- Make `cmstp.exe` execute the current jar as admin
- Start an elevated PowerShell without the user ever seeing a UAC prompt
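From the defender's side, the sequence above leaves two traces in process-creation telemetry: `cmstp.exe` being started with a configuration file argument, and `cmstp.exe` then spawning a child process. The following is an added detection example, not code from this project; the event field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption loosely modelled on Sysmon event ID 1, and the sample events are constructed.

```python
# Added example (not part of CMSTP-Elevator): flag the two observable stages of
# the CMSTP technique in process-creation events. Field names are an assumption.
from typing import Dict, List, Tuple

# Constructed sample telemetry: one elevation attempt plus benign noise.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java -jar CMSTP-Elevator-1.0.jar"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe C:\Users\user\AppData\Local\Temp\profile.txt"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java -jar CMSTP-Elevator-1.0.jar"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_cmstp_abuse(events: List[Dict[str, object]]) -> List[Tuple[str, int, str]]:
    """Return (alert_type, pid, detail) tuples for suspicious cmstp.exe activity."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int, str]] = []
    for e in events:
        name = image_name(str(e["image"]))
        # Stage 1: cmstp.exe handed a file argument. The README notes the extension
        # is irrelevant, so match on any argument rather than on ".inf".
        if name == "cmstp.exe":
            parts = str(e["cmdline"]).split(None, 1)
            if len(parts) > 1:
                alerts.append(("cmstp_with_config", int(e["pid"]), parts[1]))
        # Stage 2: any process spawned by cmstp.exe. Child processes of cmstp.exe
        # are unusual and worth review, especially java.exe or powershell.exe.
        parent = by_pid.get(e["ppid"])
        if parent is not None and image_name(str(parent["image"])) == "cmstp.exe":
            alerts.append(("cmstp_child_process", int(e["pid"]), name))
    return alerts


if __name__ == "__main__":
    for alert in detect_cmstp_abuse(SAMPLE_EVENTS):
        print(alert)
```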
- Account with Admin privileges
- Java 8 or higher
- JNA library (bundled using Shadow JAR)
First execute the following command to build the jar to `build/libs/CMSTP-Elevator-1.0.jar`:

```
./gradlew build
```

You can then run the jar from within `build/libs` using:

```
java -jar CMSTP-Elevator-1.0.jar
```

The process will then attempt to elevate its privileges and spawn an elevated PowerShell window.