Custom Metasploit payload with UAC bypass
The machine I am attacking has anti-virus installed.

I have managed to use Veil Framework in order to create an initial reverse shell payload that is undetected by the AV. However, UAC is enabled on the Windows 7 target.

I am trying to use Metasploit’s exploit/windows/local/ask in order to prompt the user, in the hope that they click yes to allow the payload to create another reverse shell with elevated privileges.

However, the default Metasploit payloads are detected by the AV, so I have used payload/generic/custom to set PAYLOADFILE to my Veil-generated .exe. However, I get the following error message when running the exploit:
msf exploit(ask) > exploit
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[-] Exploit failed: NoMethodError undefined method `length' for nil:NilClass
I realise that there are other ways to bypass UAC:

exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection

However, as part of this pen testing experiment I want the end user to allow the payload manually.

Is my syntax correct for the exploit?
msf exploit(ask) > show options

Module options (exploit/windows/local/ask):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILENAME                    no        File name on disk
   PATH                        no        Location on disk, %TEMP% used if not set
   SESSION    4                yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use (Accepted: PSH, EXE)

Payload options (generic/custom):

   Name         Current Setting                                      Required  Description
   ----         ---------------                                      --------  -----------
   PAYLOADFILE  /usr/share/veil-output/compiled/payload_0907_cs.exe  no        The file to read the payload from
   PAYLOADSTR                                                        no        The string to use as a payload

Exploit target:

   Id  Name
   --  ----
   0   Windows
I’ve Googled the error but it appeared to return nothing relevant. Am I going about this the right way?

Are you running it on the shell session? This module can only be run on a meterpreter session. github.com/rapid7/metasploit-framework/blob/… – void_in Jul 9 ’15 at 15:24
Yes, it’s on a meterpreter session. – SilverlightFox Jul 9 ’15 at 15:31
I’m assuming that you confirmed the payload works on the client environment? – schroeder♦ Jul 10 ’15 at 15:24
@schroeder: Yes, that payload works as is, as it is the one I used to get the initial shell. – SilverlightFox Jul 10 ’15 at 15:26
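The module output above starts with "UAC is Enabled, checking level...", because whether a user is ever shown a consent dialog depends on the host's UAC policy. The following read-only audit script is an added example (not from the question, the answers, Metasploit or Veil) that reports those settings from the defender's side; the registry value names are the documented Windows ones, and the wording of the findings is my own.

```powershell
# Added example: audit the UAC policy values that decide whether an
# administrator is shown a consent prompt, and on which desktop.
# Read-only; runs in a normal PowerShell on the host being assessed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Documented meanings of ConsentPromptBehaviorAdmin (0-5).
$behaviour = @{
    0 = 'Elevate without prompting (no dialog shown)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

# Missing values cast to 0, which is reported as the weakest setting.
$enableLua  = [int]($p.EnableLUA)
$adminLevel = [int]($p.ConsentPromptBehaviorAdmin)
$secureDesk = [int]($p.PromptOnSecureDesktop)

[pscustomobject]@{
    UACEnabled           = ($enableLua -eq 1)
    AdminPromptBehaviour = $behaviour[$adminLevel]
    SecureDesktop        = ($secureDesk -eq 1)
}

# Findings a hardening review would flag, from weakest to strongest.
if ($enableLua -ne 1) {
    Write-Warning 'UAC is disabled: processes of an admin user already hold the full token.'
} elseif ($adminLevel -eq 0) {
    Write-Warning 'Silent auto-elevation: elevation happens with no user interaction at all.'
} elseif ($secureDesk -ne 1) {
    Write-Warning 'Consent dialog is not on the secure desktop, so user-mode code can overlay or spoof it.'
} else {
    Write-Output 'Consent prompt is shown on the secure desktop; elevation needs an explicit user click.'
}
```

A user-approved elevation, which is what the question relies on, is only possible in the last two branches; the first two are misconfigurations worth fixing regardless of the tool involved.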
Ran into the same issue when reproducing. UPDATE: When using the Code changes

Use the exploit. The exact steps are:

Setting the Thanks to Michael’s answer in revision 3 didn’t work, however the code fix to the