
Entries in uac (2)

Tuesday, Oct 30, 2012

BypassUAC got a facelift

Dave Kennedy and Kevin Mitnick submitted the "bypassuac" post module to Metasploit a while back (last DerbyCon?), which is awesome, and they did some fantastic work, but I had a few complaints, as probably anyone did who used the module on a somewhat modern network.

"Old" module (post/windows/escalate/bypassuac):

[Screenshot]

I decided to give it a bit of a facelift:

"New" local exploit module (exploit/windows/local/bypassuac):

[Screenshot]

All of the credit for the availability of this module goes to @egyp7, though; without his epic addition of local exploits to Metasploit, the majority of the updates to this module wouldn't be possible.

Anywho, on to the new features:

1) You can set any Windows payload you want to use now:

[Screenshot]

And yes, it supports EXE::Custom.

2) It lets you know if it will be able to bypass the current setting of UAC or not:

[Screenshot]

Even when you're going overkill with it:

[Screenshot]

(The ASK module, if UAC is disabled, will just elevate without any kind of user prompt.)

And of course it works as expected if UAC needs bypassing:

[Screenshot]

One thing I have yet to add is a simple check to make sure you are an admin who can actually bypass UAC. If you aren't, you'll be leaving this lovely calling card behind for the user:

[Screenshot]

Monday, Oct 15, 2012

UAC AlwaysNotify Bypass-ish

UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD

(MY MISTAKE FOR NOT TESTING MORE)

So the "-ish" is that you need to have the username and password of the local administrator account on that box, not just any account that has administrator rights. Other than that, the following image should speak for itself (no UAC prompt occurred during the following actions).

[Screenshot]

I plan on writing a Metasploit module to do this, as all it really does is start a process as a different user, and that process executes ShellExecute's 'RunAs' verb. But until then, get CPAU here:

http://www.joeware.net/freetools/tools/cpau/

and Elevate here:

http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

and here is how to do it manually with built-in Windows kung-fu:

[Screenshot]
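Both posts hinge on two things an operator or auditor should know before touching UAC: the policy level the box is actually set to (feature 2 of the reworked module), and whether the current account is an Administrators member at all (the missing check in the first post) or the built-in RID 500 account (the caveat in the second). Here is an added PowerShell check that reports exactly that; it is my example, not code from the posts or from the Metasploit module. The registry value names and defaults are Windows' own; the helper name Get-PolicyValue is mine.

```powershell
# Added example (not from the post or the Metasploit module): report the UAC
# policy level of this box and how the current account relates to it.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key -ErrorAction Stop

# Helper (my name): read a DWORD policy value, using the OS default when absent.
function Get-PolicyValue([string]$Name, [int]$Default) {
    $v = $pol.$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

$enableLua    = Get-PolicyValue 'EnableLUA' 1
$consent      = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5
$secureDesk   = Get-PolicyValue 'PromptOnSecureDesktop' 1
$filterRid500 = Get-PolicyValue 'FilterAdministratorToken' 0

# Map the value combination to the slider label shown in Control Panel.
$level = if ($enableLua -eq 0)                          { 'UAC disabled (EnableLUA=0)' }
         elseif ($consent -eq 0)                        { 'Never notify (admins elevate silently)' }
         elseif ($consent -eq 5 -and $secureDesk -eq 0) { 'Notify only when apps try to make changes (no secure desktop)' }
         elseif ($consent -eq 5)                        { 'Default: notify only when apps try to make changes' }
         elseif ($consent -eq 2)                        { 'Always notify' }
         else                                           { "Custom (ConsentPromptBehaviorAdmin=$consent)" }

# Token checks for the account running this script.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
# IsInRole(Administrator) is only true once the token is elevated; a filtered
# (medium-integrity) admin token still lists the Administrators SID S-1-5-32-544.
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$inAdmins   = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
$isRid500   = $id.User.Value -match '-500$'

[pscustomobject]@{
    UacLevel                   = $level
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $consent
    PromptOnSecureDesktop      = $secureDesk
    FilterAdministratorToken   = $filterRid500   # 0 = built-in Administrator gets no filtered token
    User                       = $id.Name
    MemberOfAdministrators     = $inAdmins
    TokenElevated              = $isElevated
    IsBuiltinAdministrator     = $isRid500
}
```

Run it from the low-privilege shell you are evaluating: MemberOfAdministrators=False is the case that would leave the "calling card" from the first post, and FilterAdministratorToken=0 is the default that lets the RID 500 account in the second post run without a filtered token.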