
Windows 7 Privilege Escalation & UAC Bypass Guide with SYSRET exploit

First and foremost, I would like to give credit to Rob Fuller, aka Mubix, for the tip on this awesome exploit; be sure to check out his security blog, Room362. And of course @Ponez for creating the Sysret vulnerability port for Windows.

Sysret Overview

The Sysret exploit is made possible by a subtle difference in the way Intel processors handle errors in their implementation of AMD’s SYSRET instruction. The SYSRET instruction is part of the x86-64 standard defined by AMD. If an operating system is written according to AMD’s spec but run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system’s memory. Click here for a more detailed description of the Sysret exploit.

The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD and NetBSD, and there’s a chance Apple’s OS X may also be vulnerable, according to a blog post on Xen.org, an open-source community for users of the hypervisor.

Using Sysret to Escalate Permissions in Windows 7: Tutorial Overview

This guide will show you how to use the Sysret exploit to escalate your user permissions (essentially bypassing UAC) on a fully patched 64-bit Windows 7 machine. The exploit works on 64-bit Intel chips, under Windows and Linux alike.

Important Note: This tutorial assumes that you either have direct access to the host machine, or have found a way to gain access (e.g., Metasploit).

Update 1: Beware of Explorer.exe

For the purposes of this tutorial, I chose to attach Sysret to a running explorer.exe process. It has been suggested that attaching anything to an open Windows Explorer process can become extremely problematic. I haven’t personally run into any problems; however, I have always just run what I need to run and immediately disconnected/rebooted. I would recommend doing the same thing. If this isn’t an option, I would suggest attaching Sysret to an alternate process.

Update 2: Metasploit Implementation

For those interested in running Sysret directly from a Metasploit Meterpreter shell, check out this tweet from @Mubix on running Sysret from Meterpreter.


Step 1: Download Sysret

Sysret can be downloaded from GitHub here: https://github.com/shjalayeri/sysret

Step 2: Upload/copy the Sysret executable onto the victim’s computer.

You can do this using a flash drive, via email, etc. If you are remotely connected to the victim via Meterpreter, use the upload command. Here is a good starter tutorial on Meterpreter’s upload and shell commands.

For this tutorial, I copied the Sysret executable to C:\Test.

For the next step, Sysret can either attach itself to a running process or be used to launch a specific executable.

(Screenshot: sysret command-line usage and available options)

Step 3: Find a running process for Sysret

(Screenshot: folder listing of C:\Test with the Sysret executable)

Running “tasklist” in the Windows command prompt will show you a list of running processes. I’ve had a lot of success attaching Sysret directly to Explorer (in my case, PID 4572).

(Screenshot: tasklist output showing the running processes)

Step 4: Attach Sysret to Explorer and Escalate Permissions

Now that we know the process ID of Windows Explorer, attaching Sysret to it is a fairly simple process.

(Screenshot: Sysret attached to the explorer.exe process)

Enjoy!

Now that Sysret has attached itself to explorer.exe, you should have full administrator rights on your local Windows 7 host. Have fun.

Note: Sysret works on ANY 64-bit host running an Intel chip. You should be able to apply the same principle from this article to escalate permissions on other operating systems.
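For administrators who need to know whether a host matches the exposure conditions described in this article (64-bit Windows 7 on an Intel CPU) and whether the MS12-042 kernel update is installed, here is a read-only triage check. It is an added example, not code from the original post or the sysret project; it assumes the MS12-042 update for Windows 7 x64 is KB2709715, which should be confirmed against the Microsoft bulletin, and uses Get-WmiObject so it also runs under the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added triage check (not part of the original post or the sysret project).
# Assumption: the MS12-042 kernel update for Windows 7 x64 is KB2709715;
# verify the ID against the Microsoft bulletin before relying on it.
function Test-Ms12042Exposure {
    param(
        [string]$HotfixId = 'KB2709715'   # assumed ID, see note above
    )

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

    # The flaw only affects Intel's SYSRET handling on 64-bit kernels.
    $is64Bit = $os.OSArchitecture -eq '64-bit'
    $isIntel = $cpu.Manufacturer -eq 'GenuineIntel'
    $isWin7  = $os.Caption -like '*Windows 7*'

    # Get-HotFix writes an error when the ID is absent, so filter the list instead.
    $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $HotfixId })

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OSCaption  = $os.Caption
        Is64Bit    = $is64Bit
        IntelCpu   = $isIntel
        Windows7   = $isWin7
        PatchFound = $patched
        # Only an unpatched 64-bit Windows 7 host on Intel matches the article's scenario.
        Exposed    = ($is64Bit -and $isIntel -and $isWin7 -and -not $patched)
    }
}

Test-Ms12042Exposure | Format-List
```

A missing hotfix entry is a prompt to verify the installed kernel build rather than proof of exposure, since later updates can supersede the original entry.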


5 Comments

  • Noah says:

    Well… isn’t that ironic. I get a “requires elevation” error.

  • vivian says:

    Followed the 3 steps. How can I know that I’ve got the administrator privilege?

  • vinnytroia says:

    Try accessing any of the administrator tools, or disk utility.

  • R3MiX says:

    Error 18: No more files. I’ve been trying this on an i5 machine.

  • 0Dave says:

    tried on a Xen VM…

    [+] Windows Kernel Intel x64 Sysret Vulnerability (MS12-042)

    [!] GetProcAddress failed with error 18 (There are no more files.
    )
    [+] Null page allocation failed!

    Patched system (2014), so it’s non-operational.
