
Add COM class ID hijack method for bypassing UAC #8789

Merged (2 commits, Aug 20, 2017)

Conversation

@OJ (Contributor) commented Jul 31, 2017

This PR adds a module for bypassing UAC on Windows 7 through 10 utilising the COM hijacking method that @enigma0x3 discovered and used for persistence. The module was inspired by the content that was produced by @FuzzySecurity and his work for Defcon 25 that abused this work to bypass UAC.

The bypass works on all levels except for Always Notify (I've got something else coming for that soon based on work from @tyranid and @FuzzySecurity).

Pictures speak a thousand words:

[screenshot: bypassuac-02]

[screenshot: bypassuac-03]

The module has to drop a DLL on disk. Obviously with default MSF payloads, AV will probably fire. Some other things to note:

  • To bypass the 740 error when invoking the binaries directly, we're using cmd.exe to launch them. This will be a problem if cmd.exe is blocked, and so we might have to come up with another method for managing that.
  • There is a small sleep in the module that allows for the target program to run before any attempted clean up happens.

Verification

  • Create handlers/sessions on a Windows machine or two under the context of a local admin user (but don't run them elevated).
  • Run the module a few times to make sure that both of the methods are tested (i.e. Computer Management and Event Viewer).
  • Sessions created with the module bypass UAC correctly (i.e. getsystem works on the new session).
  • Make sure that errors are shown when payload architecture does not match the system architecture.
  • Make sure that all the authors and references are correct (this is important!).
  • Make sure the disclosure date is correct (I'm not sure what to put here).

Thanks to everyone mentioned for their prior work!
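Since the module depends on a per-user COM class registration, a defender auditing a host will want to spot such overrides. The following is an added example, not code from this PR or from Metasploit; it assumes it is run in PowerShell on the host being audited, and the two hive paths it inspects are parameters so they can be changed.

```powershell
# Added example (not code from this PR or from Metasploit): enumerate COM classes
# registered in the current user's hive that shadow a machine-wide registration.
# COM hijacking works by registering a CLSID under HKCU\Software\Classes, which is
# merged over HKLM\Software\Classes when a process resolves the class, so a user-hive
# server path for a CLSID that also exists in HKLM deserves a closer look.
# Assumption: run in PowerShell on the host being audited; hive paths are parameters.

function Get-UserClsidOverride {
    [CmdletBinding()]
    param(
        [string]$UserHive    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineHive = 'HKLM:\Software\Classes\CLSID'
    )

    # A clean profile often has no CLSID key at all; nothing to report then.
    if (-not (Test-Path -Path $UserHive)) { return }

    foreach ($key in Get-ChildItem -Path $UserHive -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $userKey = "$UserHive\$clsid\$server"
            if (-not (Test-Path -Path $userKey)) { continue }

            # The server path (DLL or EXE) is the key's default value.
            $userPath    = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey  = "$MachineHive\$clsid\$server"
            $machinePath = $null
            if (Test-Path -Path $machineKey) {
                $machinePath = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            [PSCustomObject]@{
                CLSID         = $clsid
                ServerType    = $server
                UserServer    = $userPath
                MachineServer = $machinePath
                ShadowsHKLM   = [bool]$machinePath
            }
        }
    }
}

# Show only the user-hive entries that override a machine-wide class; an empty
# result means no per-user CLSID currently shadows an HKLM registration.
Get-UserClsidOverride | Where-Object { $_.ShadowsHKLM } | Format-Table -AutoSize
```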

@OJ OJ added the module label Jul 31, 2017
@busterb busterb self-assigned this Aug 14, 2017
@OJ (Contributor, Author) commented Aug 16, 2017

Documentation added. Should be good to go!

@busterb busterb merged commit 408a83a into rapid7:master Aug 20, 2017
@busterb (Member) commented Aug 20, 2017

Looks great, thanks @OJ

@busterb (Member) commented Aug 20, 2017

Release Notes

A module for bypassing UAC on Windows 7-10 has been added to the framework. It utilizes the COM hijacking method that @enigma0x3 discovered and used for persistence. The module was inspired by the content that was produced by @FuzzySecurity and his work for Defcon 25 that abused this work to bypass UAC.

@OJ (Contributor, Author) commented Aug 20, 2017 via email

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Aug 30, 2017