Non-privileged code can be used to replace shortcuts on the Start Menu and intercept elevation of privileges. Because of the way the Start Menu is constructed, users can enumerate all of the shortcuts that appear on their menus because they have read access to the folders where the shortcuts reside. The Start Menu is composited of a common folder and the specific user's folder, preferring the user folder if duplicates exist.

Using COM and the .NET Framework, a stub EXE generator can be created that will check for the presence of privilege elevation before launching the original target process (in order to not alert the user to the fact that the target is infected). The .NET CLR is installed by default on Windows Vista and so can be used as part of the attack vector.

The proof-of-concept enumerates the shortcuts on the user's menu and the common menu and creates or modified user-local shortcuts to exploitable executables via proxy EXEs. It generates the proxy executables and then writes a text file to the Windows\System32 folder once a proxy executable has been run with elevation本文出自 51CTO.COM技术博客