This module uses two different strategies to bypass UAC. The first strategy uses the ICMLuaUtil elevated COM interface to execute a new agent with high integrity level. This method works on 32-bit systems, from Windows 7 up to the latest version. The second one leverages on the Program Compatibility Assistant (PCA) and environment variables expansion to perform a Dll hijack and run a new agent with high integrity level. This method works on 64-bit systems, from Windows 7 up to the latest version, and it is compatible with the highest UAC level (Always Notify).
The .NET Runtime Optimization Service, part of the .NET Framework, is prone to a privilege escalation vulnerability, which can be exploited by some local non-admin users to execute arbitrary code with SYSTEM privileges. This exploit relies on a flaw on the file permissions of the service's executable file that allows it to be overwritten by some non-admin users. This module can be used from agents running with "Super User" privileges.
An error in the way the GetSanitizedParametersFromNonQuotedCmdLine() function in the Internet Explorer broker process handles command-line arguments when trying to launch a program can be exploited to escape from the Internet Explorer Protected Mode/Enhanced Protected Mode sandbox. This module allows an agent running in the context of iexplore.exe with Low Integrity Level/AppContainer Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level.
The IESetProtectedModeRegKeyOnly() function in the ieframe.dll library of Microsoft Internet Explorer calls the RegCreateKeyEx registry function when running with Medium Integrity Level over a registry key that is writable by a sandboxed IE instance. This can be abused to overwrite IE's Elevation Policy by creating symbolic links in the Windows Registry in order to escape from the Internet Explorer Protected Mode sandbox. This module allows an agent running in the context of iexplore.exe with Low Integrity Level/AppContainer Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level.
The Protected Mode of Microsoft Internet Explorer can be bypassed by exploiting a logical flaw when checking the Integrity Level of a file. This vulnerability allows an agent running in the context of iexplore.exe with Low Integrity Level to install a new agent that will run with Medium Integrity Level, by launching the browser against an HTML file having Untrusted Integrity Level. This module needs to re-exploit Internet Explorer with any web browser exploit that has been proved successful against the target (i.e an exploit that was able to install an agent on the target). The user must specify the URL of any web browser exploit (typically the same one used to install the Low Integrity agent) which is already running in Core Impact through the BROWSER EXPLOIT URL parameter.
When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is seted with the pseudo-handle 0xfffffffe or 0xffffffff by the callback function, the bug is triggered.
When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is modified by the callback function, the bug is triggered.
Subscribe to Privilege Escalation