Steps to reproduce

1. Obtain an x64 meterpreter session on an x64 Windows 10 host under an admin user but in a non-elevated context (because we want to bypass UAC).
2. Use the bypassuac_silentcleanup module with the commands:
   use exploits/windows/local/bypassuac_silentcleanup
   set session 1
   run
3. As we didn't select a payload, windows/meterpreter/reverse_tcp (-> x86) will be selected by default.
Expected behavior
We get an elevated session. It should work even if the architecture is incorrect because the generated Powershell begins with an architecture detection gadget:
See https://github.com/rapid7/rex-powershell/blob/3e79abf73709c9be2e6796da29927aaa171e1405/lib/rex/powershell/command.rb#L238-L244
Current behavior
We don't get any elevated session because this UAC exploit messes with the %WINDIR% env variable (that's its goal!), so the architecture detection gadget fails to launch a new powershell.exe with the correct architecture for the payload, as it uses %WINDIR% in its path:

Alternative solution: choosing the correct payload:
System stuff
Metasploit version
Framework: 5.0.62-dev
Console : 5.0.62-dev
I installed Metasploit with:
Kali package
OS
Kali
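The failure described in this issue comes down to how a path built from %WINDIR% resolves once that variable has been redirected for the current user. The Python below is an added example, not code from this issue or from Metasploit: it expands such a path under a normal and an overridden environment, and runs a small detector over constructed registry-set events (Sysmon event 13 style; the field names TargetObject, Details and Image and the assumption that the override is persisted as a per-user Environment registry value are mine) that flags per-user writes to windir or SystemRoot, the artifact a defender can look for.

```python
import re
from typing import Dict, Iterable, List, Optional

# Variables that define the Windows directory. They are normally defined only
# machine-wide (HKLM ... Session Manager\Environment); a per-user definition is the
# artifact of an override like the one this issue describes (assumption).
SENSITIVE_VARS = {"windir", "systemroot"}

# Assumed telemetry shape: TargetObject names the registry value that was written,
# e.g. HKU\<SID>\Environment\windir or HKCU\Environment\windir.
USER_ENV_VALUE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)\\Environment\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def expand_env(template: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, like cmd.exe; unknown names stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)


def classify_event(event: Dict[str, str], system_root: str = r"C:\Windows") -> Optional[Dict[str, str]]:
    """Return a finding for a per-user write to windir/SystemRoot, else None."""
    target = event.get("TargetObject", "")
    m = USER_ENV_VALUE.match(target)
    if not m or m.group("name").lower() not in SENSITIVE_VARS:
        return None
    value = event.get("Details", "").strip().strip('"')
    points_at_real_root = value.rstrip("\\").lower() == system_root.rstrip("\\").lower()
    return {
        "variable": m.group("name").lower(),
        "key": target,
        "value": value,
        "image": event.get("Image", ""),
        # A user-hive value equal to the real root is merely unusual; any other path
        # means every %WINDIR%-based launch for this user is being redirected.
        "severity": "medium" if points_at_real_root else "high",
    }


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_event over a stream of events and keep the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry): one benign PATH edit, one
# machine-wide value, and two per-user writes to the sensitive variables.
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\windir",
     "Details": r"C:\Users\alice\AppData\Local\Temp\w"},
    {"EventID": "13", "Image": r"C:\Windows\System32\SystemPropertiesAdvanced.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path",
     "Details": r"C:\Users\alice\bin"},
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Environment\SystemRoot",
     "Details": r"C:\Windows"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\windir",
     "Details": r"C:\Windows"},
]

# The same kind of %WINDIR%-relative path the issue says the gadget builds (assumed layout).
POWERSHELL_TEMPLATE = r"%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe"

if __name__ == "__main__":
    print(expand_env(POWERSHELL_TEMPLATE, {"windir": r"C:\Windows"}))
    print(expand_env(POWERSHELL_TEMPLATE, {"windir": r"C:\Users\alice\AppData\Local\Temp\w"}))
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["key"], "->", finding["value"], "by", finding["image"])
```

The same predicate ports directly to a SIEM rule: a registry value write whose key is `<user hive>\Environment\windir` or `<user hive>\Environment\SystemRoot`, with the value compared against the machine's real system root to set severity.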