Generate MSI Payloads #1569
[ Travis Failure is because Binary Files need Compiling/Creating ]
This allows generation of MSI payloads by replacing a buffer in an existing MSI template with a PE file. The template works with both x86 and x64 PE files.
The buffer file can be any junk characters but should be larger than the intended PE file and I recommend a multiple of 4096.
This uses the improved MSI template I recently pulled for AlwaysInstallElevated (#1562) but instead of executing a separate payload.exe it contains a binary file within the MSI.
This EXE file gets extracted to c:\windows\installer\random.tmp and is then executed.
Users are required to enter administrative credentials or accept the UAC prompt (if running as admin), but in return you get a SYSTEM shell. An extension to this work could be to work out how to create an MSI file which doesn't require Admin credentials by default. This would probably require a separate template.
If executed with msiexec /quiet then no UAC or Admin credentials prompt is presented to the user. If the user is Admin then you will receive a SYSTEM session. If a normal user then you will get normal user privileges.
The mechanism for replacing the buffer is relatively crude: the code only performs just enough logic to manipulate the MSI generated by my Wix template. No guarantee that changes to the template will be successful, but it may be ok if no additional files or binary streams get added.
(Referenced this pull request, Mar 9, 2013)
Now you can choose if you want a UAC prompt MSI:
Non-UAC MSI - no prompts required:
(Added a commit to this pull request, Sep 27, 2013)
That's expected, we purposefully fail installation to prevent it being registered as a new program and the MSI files being cached. We have a static template so the GUID and the Version don't change, which means that re-exploitation attempts would also fail if it installed correctly.
Exploits running it via msiexec /quiet /i payload.msi won't alert the user. Although it could be used for social engineering I envisage it being more useful for configuration management software that allows you to deliver an MSI across your entire corporate network :)
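The two observable behaviours described in this thread (a silent `msiexec /quiet /i` install, and a `.tmp` under `C:\Windows\Installer` being run as a process) are what a defender would hunt for. The script below is an added detection example, not code from this pull request or from Metasploit; it assumes a simplified `Key=Value; Key=Value` process-creation log layout and constructed sample events.

```python
import re

# Constructed sample process-creation events in an assumed "Key=Value; Key=Value" layout
# (not Sysmon's real XML); only the Image and CommandLine fields are used.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine="msiexec" /i C:\Users\bob\Downloads\update.msi
ParentImage=C:\Windows\System32\services.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine=msiexec /V
ParentImage=C:\Windows\System32\msiexec.exe; Image=C:\Windows\Installer\MSI4F2A.tmp; CommandLine="C:\Windows\Installer\MSI4F2A.tmp"
ParentImage=C:\Windows\System32\cmd.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine=msiexec /quiet /i \\fileshare\pkgs\payload.msi
ParentImage=C:\Windows\System32\services.exe; Image=C:\Windows\System32\svchost.exe; CommandLine=svchost -k netsvcs
"""

# msiexec switches that suppress the UI (and with it the UAC / credential prompt the PR mentions)
QUIET_FLAG = re.compile(r"(?<!\S)/(?:quiet|qn|q)(?!\S)", re.IGNORECASE)
# install action switches
INSTALL_FLAG = re.compile(r"(?<!\S)/(?:i|package)(?!\S)", re.IGNORECASE)
# the extraction location described in the PR: a .tmp directly under C:\Windows\Installer
INSTALLER_TMP = re.compile(r"^c:\\windows\\installer\\[^\\]+\.tmp$", re.IGNORECASE)


def parse_event(line):
    """Split one 'Key=Value; Key=Value' line into a dict (assumed layout)."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the names of the detection rules an event triggers (empty list if none)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # Rule 1: silent install; UI suppression is what removes the prompt a user would otherwise see.
    if image.endswith("\\msiexec.exe") and QUIET_FLAG.search(cmd) and INSTALL_FLAG.search(cmd):
        hits.append("quiet-msi-install")
    # Rule 2: the process image is a .tmp under C:\Windows\Installer. Legitimate installers drop
    # helper files there too, so treat this as a triage signal to pair with the parent process.
    if INSTALLER_TMP.match(image):
        hits.append("installer-tmp-exec")
    return hits


def scan(log_text):
    """Return [(line_number, [rule, ...]), ...] for every line that triggers at least one rule."""
    results = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        hits = classify(parse_event(line))
        if hits:
            results.append((number, hits))
    return results
```

Running `scan(SAMPLE_LOG)` flags only the silent install from the file share and the `.tmp` executed under `C:\Windows\Installer`; the interactive `/i` install and the unrelated processes pass through.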