
[ enigma_fileless_uac_bypass ] Download/instalation

Open r00t-3xp10it opened this issue 7 years ago • 6 comments

Download/Install enigma_fileless post-modules


Module Author: pedr0 Ubuntu [r00t-3xp10it]
Vuln discover: @enigma0x3 | @mattifestation
Tested on: Windows 7 | Windows 8 | Windows 10
enigma_fileless_uac_bypass.rb: metasploit post-exploitation module
POC: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Description:

Most of the UAC bypass techniques require dropping a file to disk (for example, placing a
DLL on disk to perform a DLL hijack). The technique used in this module differs from the
other public methods and provides a useful new technique that does not rely on a privileged
file copy, code injection, or placing a traditional file on disk.

As a normal user, you have write access to keys in HKCU. If an elevated process interacts
with keys you are able to manipulate, you can potentially interfere with actions a high
integrity process is attempting to perform (hijack the process being started). Due to the
fact that I was able to hijack the process, it is possible to simply execute whatever
malicious cmd.exe or powershell.exe command you wish ..

This means that code execution has been achieved in a high integrity process
(bypassing UAC) without dropping a DLL or other file down to the file system. This
significantly reduces the risk to the attacker because they aren’t placing a traditional
file on the file system that can be caught by AV/HIPS or forensically identified later ..

WARNING: This module will not work if the target UAC level is set to 'Always Notify' ..



Download/Install:

1º - Download post-module from github using wget
wget https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb


2º - Port post-module to metasploit database (KALI distros)
cp enigma_fileless_uac_bypass.rb /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb


3º - Start postgresql
service postgresql start


4º - Rebuild metasploit database
msfdb reinit


5º - Reload all modules into msf database
msfconsole -x 'db_status; reload_all'


6º - Load post-module
msf > use post/windows/escalate/enigma_fileless_uac_bypass


7º - read/access info/options
msf post(enigma_fileless_uac_bypass) > info
msf post(enigma_fileless_uac_bypass) > show advanced options



Video Tutorials:

Privilege escalation: https://www.youtube.com/watch?v=Ph7MajHbEVQ
Simple command execution: https://www.youtube.com/watch?v=upmNEJRf5Z8



Credits:

UAC bypass method credits: @enigma0x3 @Mattifestation @SubTee https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Special Thanks: @Chaitanya (SSA Team Member)

r00t-3xp10it avatar Apr 03 '17 14:04 r00t-3xp10it
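The install steps above are typed into a shell, so here is the same procedure as a script that also verifies what `wget` actually fetched before copying it into the module tree. This is an added example, not code from the issue or from the msf-auxiliarys project. It assumes the raw-content URL form (`raw.githubusercontent.com/...`) for the file, since a `github.com/.../blob/...` URL returns the repository's HTML page rather than the `.rb` file, and Ruby reports an HTML document as `syntax error, unexpected '<'`, which is the error shape in the report further down this thread. The `looks_like_ruby_module` check (a constructed helper) rejects a file whose first non-blank line starts with `<` and requires the `Msf::Post` class reference every Metasploit post module carries; `ruby -c` is run as a stricter check when an interpreter is present.

```shell
#!/bin/sh
# Added example (not part of the issue or the msf-auxiliarys project):
# fetch the post-module, confirm it is Ruby source rather than an HTML page,
# then install and register it with Metasploit as the issue describes.
set -eu

# Assumed raw-content URL; the "blob" URL in the issue serves an HTML page.
MODULE_URL="https://raw.githubusercontent.com/r00t-3xp10it/msf-auxiliarys/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb"
MODULE_DIR="/usr/share/metasploit-framework/modules/post/windows/escalate"
MODULE_NAME="enigma_fileless_uac_bypass.rb"

# Return 0 if the file looks like a Metasploit post module, 1 otherwise.
# An HTML document's first non-blank line begins with '<', which is exactly
# what produces "syntax error, unexpected '<'" when msfconsole loads it.
looks_like_ruby_module() {
    file="$1"
    first=$(awk 'NF { print; exit }' "$file")
    case "$first" in
        '<'*) return 1 ;;
    esac
    # Every post module declares a class deriving from Msf::Post.
    grep -q 'Msf::Post' "$file"
}

# Stricter check when a Ruby interpreter is available: parse without running.
ruby_syntax_ok() {
    if command -v ruby >/dev/null 2>&1; then
        ruby -c "$1" >/dev/null 2>&1
    else
        return 0   # no interpreter on this host; rely on the sniff above
    fi
}

install_module() {
    tmp=$(mktemp)
    wget -q -O "$tmp" "$MODULE_URL"
    if ! looks_like_ruby_module "$tmp"; then
        echo "downloaded file is not a Ruby module (HTML page?); check the URL" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! ruby_syntax_ok "$tmp"; then
        echo "module fails 'ruby -c'; refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 644 "$tmp" "$MODULE_DIR/$MODULE_NAME"
    rm -f "$tmp"
    # Same registration steps as the issue: start postgresql, rebuild the
    # msf database, reload all modules.
    service postgresql start
    msfdb reinit
    msfconsole -q -x 'db_status; reload_all; exit'
}

# Only install when explicitly asked, so the checks can be sourced on their own.
if [ "${1:-}" = "install" ]; then
    install_module
fi
```

Run it as `sh install_enigma.sh install` on the Kali box; without the argument it only defines the functions, which lets you call `looks_like_ruby_module` against a file you already downloaded to see whether it is the cause of a load-time SyntaxError.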

/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb: SyntaxError
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:7: syntax error, unexpected '<'
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:8: syntax error, unexpected '<'
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:9: syntax error, unexpected '
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:11: syntax error, unexpected '
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:11: syntax error, unexpected tIDENTIFIER, expecting end-of-input
-----------------------------------------------------------------------

Any idea how I can fix this?

X0R1972 avatar Nov 11 '17 23:11 X0R1972

Thanks for your bug report .. it seems that the source code has one syntax error ..

I am going to check the code and fix it .. thanks

r00t-3xp10it avatar Feb 17 '18 02:02 r00t-3xp10it

OK .. I also read that you're gonna publish the new venom .. with new updates .. you do a really good job .. thank you

X0R1972 avatar Feb 17 '18 03:02 X0R1972

Yes .. I am having problems testing new builds because it requires 2 PCs and at the moment I only have one (venom dev); that's the reason why I didn't release 1.0.15 yet ..

About this msf module .. I only now know about this issue, maybe some source code update that I've done has messed things up .. tomorrow morning I will review the source code ..

Tell me, does that error appear when loading the module into msfdb or when executing it?

r00t-3xp10it avatar Feb 17 '18 03:02 r00t-3xp10it

when loading module

X0R1972 avatar Feb 17 '18 03:02 X0R1972

hello man .. something is wrong in your distro, because I've just tested the module and it's working fine ..


steps needed to use the post-exploitation module

  • 1º - service postgresql start
  • 2º - msfdb reinit
  • 3º - msfconsole -q -x 'db_status; reload_all'
  • 4º - use post/windows/escalate/enigma_fileless_uac_bypass



HINT: I suggest you download the module again (maybe the problem was in the previous download)

r00t-3xp10it avatar Feb 21 '18 21:02 r00t-3xp10it