module
Windows Escalate UAC Protection Bypass (Via dot net profiler)
| Disclosed | Created |
|---|---|
| 2017-03-17 | 2019-11-19 |
Disclosed
2017-03-17
Created
2019-11-19
Description
Microsoft Windows allows for the automatic loading of a profiling COM object during
the launch of a CLR process based on certain environment variables ostensibly to
monitor execution. In this case, we abuse the profiler by pointing to a payload DLL
that will be launched as the profiling thread. This thread will run at the permission
level of the calling process, so an auto-elevating process will launch the DLL with
elevated permissions. In this case, we use gpedit.msc as the auto-elevated CLR
process, but others would work, too.
the launch of a CLR process based on certain environment variables ostensibly to
monitor execution. In this case, we abuse the profiler by pointing to a payload DLL
that will be launched as the profiling thread. This thread will run at the permission
level of the calling process, so an auto-elevating process will launch the DLL with
elevated permissions. In this case, we use gpedit.msc as the auto-elevated CLR
process, but others would work, too.
Authors
Casey Smith
"Stefan Kanthak" stefan.kanthak () nexgo de
bwatters-r7
"Stefan Kanthak" stefan.kanthak () nexgo de
bwatters-r7
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.