This Metasploit module is an implementation of fileless uac bypass using cmd.exe instead of powershell.exe (OJ msf module). This module will create the required registry entry in the current user's hive, set the default value to whatever you pass via the EXEC_COMMAND parameter, and runs eventvwr.exe (hijacking the process being started to gain code execution).
71a3e1287baa3b08f46554d9f2e3a7bd801f903a60a53f43baedfb3420e5dc82This post-exploitation Metasploit module requires a meterpreter session to be able to upload/inject our SearchIndexer.exe into WSearch (windows search) service. The WSearch service uses one executable.exe set in binary_path_name and runs it has local/system at startup, this enables local privilege_escalation/persistence_backdooring. To exploit this vulnerability a local attacker needs to inject/replace the executable file into the binary_path_name of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
147b40da2927d654ea96757dd433f77c12069174180fca4cf82bcd19c6113ae3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed