Bypassuac/psh option #2585
Bypassuac/psh option #2585
Conversation
This will give the option to drop an exe or use psh if uac is turned off. The lib can be used for post exploitation to drop an exe or use powershell and then execute it with the runas command. I have used the lib for both bypassuac and ask.
|
@b00stfr3ak you have |
This reverts commit 5ceda7c.
| include Msf::Exploit::EXE | ||
| include Msf::Exploit::Powershell | ||
|
|
||
| def execute_exe(filename=nil,path=nil,upload=nil) |
There was a problem hiding this comment.
Not a blocker, but Ruby style says that method definitions should be written like:
def foo(a = nil, b = 'adfadf', ...)
IOW, spaces between arguments, and spaces on either side of the = when used.
There was a problem hiding this comment.
Also, I'm not sure of the value in this upload variable. On the one hand, it seems like you are using it as a boolean to control whether or not to upload the payload and therefore you should just use a native true/false default value rather than nil, but on the other hand, no falsey value ever makes sense here because you just print and return so perhaps you should not even make this an option.
Removed upload var, it really served no purpose.
|
This needs merging with upstream changes but should then be good to go. |
|
The update doesn't seem to be successful, it reverts the runas.rb lib to previous version and the bypassuac changes are no longer there :( |
|
Yeah I mucked up. Fixing and testing now. Should be up shortly.
|
|
I have managed to do a clean request: I will give that a test if you like and land that to save you re-merging stuff |
|
Hmm, if set UAC to the lowest option, there's no need to ask as I'm already flagged as an administrator, is there a specific level that needs configuring? |
Changed names to look like shell_execute_(option), to make it more defined on what it does.
Also removed upload option
Changed runas method to use the new runas lib. Also did some rubocop changes.
|
Hmm, Didn't look into seeing if everything is run as admin if UAC is turned off. If that is the case then I don't think doing the run does anything besides give you another shell (might not be a bad thing). |
|
Well it doesn't give you the other shell as the current module logic just says you are an admin and UAC is disabled and exits :) |
For some reason the handler was closing before the command could complete. Added the time out from bypassuac and now both psh and exe work perfectly.
|
@Meatballs1 you're right don't know why it was doing that. |
|
@Meatballs1 I see what you mean, validate_environment! checks if is already admin and fails/stops execution if true so it never reaches runas. So I can remove the runas parts in bypassuac, and the rest can be merged if that works for you. |
|
So I think our options are
Or
|
|
I think perhaps just remove it if it is redundant? But there may be some subtlety we are missing. @mubix Is there some reason Shell Execute Runas is required when DoNotPrompt is set? Would a normal file execution not execute in the administrators group? |
|
bump |
|
Will leave existing functionality as is, and get the refactors in. If @mubix lets us know why it was like that originally we can remove if needed :) |
|
@Meatballs1 @b00stfr3ak - It suggests the ask module because if it's low, no need try try bypassuac, ASK will just run it elevated without ever prompting the user. Less stuff on the system, no need to upload crypto.dll |
This will give the option to drop an exe or use psh if uac is turned off. The lib can be used for post exploitation to drop an exe or usepowershell and then execute it with the runas command. I have used the lib for both bypassuac and ask. #2551