Windows Escalate UAC Protection Bypass
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.
Rank
- Normal
Authors
- David Kennedy "ReL1K" < kennedyd013 [at] gmail.com >
- mitnick < >
Vulnerability References
Development
Similar Modules
- post/windows/escalate/droplnk
- post/windows/escalate/getsystem
- post/windows/escalate/ms10_073_kbdlayout
- post/windows/escalate/ms10_092_schelevator
- post/windows/escalate/net_runtime_modify
- post/windows/escalate/screen_unlock
- post/windows/escalate/service_permissions
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use post/windows/escalate/bypassuac
msf post(bypassuac) > set SESSION [INTEGER]
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use post/windows/escalate/bypassuac
msf post(bypassuac) > set SESSION [INTEGER]
Module Options
| LHOST | Listener IP address for the new session |
| LPORT | Listener port for the new session (default: 4444) |
| SESSION | The session to run this module on. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |