r00t-3xp10it / msf-auxiliarys

My collection of metasploit auxiliary post-modules

[ enigma_fileless_uac_bypass ] Download/instalation #4

Open r00t-3xp10it opened 7 years ago

r00t-3xp10it commented 7 years ago

Download/Install enigma_fileless post-modules


Module Author : pedr0 Ubuntu [r00t-3xp10it]
Vuln discover : @enigma0x3 | @mattifestation
Tested on : Windows 7 | Windows 8 | Windows 10
enigma_fileless_uac_bypass.rb: metasploit post-exploitation module
POC: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Description:

Most of the UAC bypass techniques require dropping a file to disk (for example, placing a
DLL on disk to perform a DLL hijack). The technique used in this module differs from the
other public methods and provides a useful new technique that does not rely on a privileged
file copy, code injection, or placing a traditional file on disk.

As a normal user, you have write access to keys in HKCU. If an elevated process interacts
with keys you are able to manipulate, you can potentially interfere with actions a high
integrity process is attempting to perform (hijack the process being started). Since I was
able to hijack the process, it is possible to simply execute whatever malicious cmd.exe or
powershell.exe command you wish.

This means that code execution has been achieved in a high integrity process
(bypassing UAC) without dropping a DLL or other file down to the file system. This
significantly reduces the risk to the attacker because they aren't placing a traditional
file on the file system that can be caught by AV/HIPS or forensically identified later.

WARNING: This module will not work if the target UAC level is set to 'Always Notify'.



Download/Install:

1º - Download post-module from github using wget
wget -O enigma_fileless_uac_bypass.rb https://raw.githubusercontent.com/r00t-3xp10it/msf-auxiliarys/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb

2º - Port post-module to metasploit database (KALI distros)
cp enigma_fileless_uac_bypass.rb /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb

3º - Start postgresql
service postgresql start

4º - Rebuild metasploit database
msfdb reinit

5º - Reload all modules into msf database
msfconsole -x 'db_status; reload_all'

6º - Load post-module
msf > use post/windows/escalate/enigma_fileless_uac_bypass

7º - Read/access info/options
msf post(enigma_fileless_uac_bypass) > info
msf post(enigma_fileless_uac_bypass) > show advanced options



Video Tutorials:

Privilege escalation: https://www.youtube.com/watch?v=Ph7MajHbEVQ
Simple command execution: https://www.youtube.com/watch?v=upmNEJRf5Z8



Credits:

UAC bypass method credits: @enigma0x3 @Mattifestation @SubTee https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Special Thanks: @Chaitanya (SSA Team Member)
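The seven install steps above, as an added shell example written for this page (editor's code, not part of the msf-auxiliarys project). It turns a github.com /blob/ URL into the raw-file URL, refuses to install a file that is an HTML page rather than a Ruby module (a github.com /blob/ URL handed to wget saves the rendered HTML page, which is what a Ruby SyntaxError at a `<!DOCTYPE html>` line indicates), and copies a validated module into the modules/post/windows/escalate directory used in step 2. The helper names, the raw.githubusercontent.com mapping and the sample files are assumptions of this example; only fetch_module needs network access, and the demo runs entirely on constructed files in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (editor's, not the msf-auxiliarys project's own code): fetch the
# post-module as raw Ruby, refuse an HTML page, and copy it into the Metasploit
# module tree used in steps 1-2 above. Only fetch_module touches the network;
# everything else is exercised offline on constructed files.
set -eu

# Convert a github.com ".../blob/<branch>/<path>" URL into the raw-file URL.
# Assumption: the standard raw.githubusercontent.com layout for public repos.
blob_to_raw() {
  printf '%s\n' "$1" | sed -e 's#^https://github\.com/#https://raw.githubusercontent.com/#' \
                           -e 's#/blob/#/#'
}

# Accept a file only if it looks like a Ruby Metasploit module and is not the
# HTML page that wget saves when given a /blob/ URL. If a ruby interpreter is
# present, also run its syntax check (ruby -c), which is what the msfconsole
# module loader trips over when the file is not Ruby.
is_ruby_module() {
  local f="$1"
  [ -s "$f" ] || return 1
  if grep -Eqi '<!DOCTYPE html|<html' "$f"; then
    return 1
  fi
  grep -Eq 'class MetasploitModule|Msf::Post' "$f" || return 1
  if command -v ruby >/dev/null 2>&1; then
    ruby -c "$f" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# Download a module by its github.com blob URL (or raw URL) to $2 and validate it.
fetch_module() {
  local url="$1" dest="$2"
  wget -q -O "$dest" "$(blob_to_raw "$url")"
  is_ruby_module "$dest"
}

# Copy a validated module into <msf_root>/modules/post/windows/escalate/ and
# print the installed path. The default root is the Kali path from step 2.
install_module() {
  local src="$1" msf_root="${2:-/usr/share/metasploit-framework}"
  local dest_dir="$msf_root/modules/post/windows/escalate"
  if ! is_ruby_module "$src"; then
    echo "refusing to install $src: not a Ruby Metasploit module (HTML page?)" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/"
  printf '%s\n' "$dest_dir/$(basename "$src")"
}

# Constructed samples (not real downloads): an HTML page of the kind behind a
# SyntaxError at a "<!DOCTYPE html>" line, and a minimal Ruby post-module skeleton.
make_samples() {
  local d
  d=$(mktemp -d)
  printf '<!DOCTYPE html>\n<html lang="en">\n<head><title>blob page</title></head>\n<body></body>\n</html>\n' \
    > "$d/blob_page.rb"
  cat > "$d/good_module.rb" <<'EOF'
# Constructed skeleton, not the real enigma_fileless_uac_bypass.rb
class MetasploitModule < Msf::Post
  def initialize(info = {})
    super(update_info(info, 'Name' => 'constructed skeleton'))
  end

  def run
  end
end
EOF
  printf '%s\n' "$d"
}

# Demo on the constructed samples, installing into a throwaway root instead of
# /usr/share/metasploit-framework.
demo() {
  local d
  d=$(make_samples)
  blob_to_raw 'https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb'
  install_module "$d/good_module.rb" "$d/msf" || echo "unexpected: skeleton rejected"
  install_module "$d/blob_page.rb" "$d/msf" || echo "HTML page correctly rejected"
  rm -rf "$d"
}

demo
```

After a real fetch_module run, steps 3 to 7 (service postgresql start, msfdb reinit, msfconsole -x 'db_status; reload_all', use post/windows/escalate/enigma_fileless_uac_bypass) proceed as listed; the point of the validation step is that reload_all only ever sees a file that ruby -c already accepts.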

X0R1972 commented 6 years ago

/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb: SyntaxError
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:7: syntax error, unexpected '<'
<!DOCTYPE html>
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:8: syntax error, unexpected '<'
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:9: syntax error, unexpected '<'
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:11: syntax error, unexpected '<'
^
/usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb:11: syntax error, unexpected tIDENTIFIER, expecting end-of-input
-----------------------------------------------------------------------

Any idea how I can fix this?
r00t-3xp10it commented 6 years ago

Thanks for your bug report. It seems that the source code has one syntax error.

I am going to check the code and fix it. Thanks.

X0R1972 commented 6 years ago

OK. I also read that you are going to publish the new venom with new updates. You do a really good job, thank you.

r00t-3xp10it commented 6 years ago

Yes. I am having problems testing new builds because it requires 2 PCs and at the moment I only have one (venom dev); that's the reason why I didn't release 1.0.15 yet.

About this msf module: I only now know about this issue; maybe some source code update that I've done has messed things up. Tomorrow morning I will review the source code.

Tell me: does that error appear when loading the module into msfdb or when executing it?

X0R1972 commented 6 years ago

When loading the module.

r00t-3xp10it commented 6 years ago

Hello man, something is wrong in your distro, because I've tested the module just now and it's working fine.
[screenshots: bug report (three images); steps needed to use the post-exploitation module]
HINT: I suggest you download the module again (maybe the problem was in the previous download).