Fix winrm mixin from revert merge
David Maloney
parent
b2563dd6c2
commit
ac6fdf24a2
|
|
@ -42,7 +42,7 @@ module Exploit::Remote::WinRM
|
|||
c = connect(opts)
|
||||
to = opts[:timeout] || timeout
|
||||
ctype = "application/soap+xml;charset=UTF-8"
|
||||
resp, c = send_request_cgi(opts.merge({
|
||||
resp = send_winrm_request(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
|
|
@ -61,7 +61,7 @@ module Exploit::Remote::WinRM
|
|||
end
|
||||
|
||||
def winrm_run_cmd(cmd, timeout=20)
|
||||
resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
|
||||
resp = send_winrm_request(winrm_open_shell_msg,timeout)
|
||||
if resp.nil?
|
||||
print_error "Recieved no reply from server"
|
||||
return nil
|
||||
|
|
@ -76,17 +76,17 @@ module Exploit::Remote::WinRM
|
|||
return retval
|
||||
end
|
||||
shell_id = winrm_get_shell_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
|
||||
resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout)
|
||||
cmd_id = winrm_get_cmd_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
|
||||
resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
|
||||
streams = winrm_get_cmd_streams(resp)
|
||||
resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
|
||||
resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
|
||||
resp = send_winrm_request(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
|
||||
resp = send_winrm_request(winrm_delete_shell_msg(shell_id))
|
||||
return streams
|
||||
end
|
||||
|
||||
def winrm_run_cmd_hanging(cmd, timeout=20)
|
||||
resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
|
||||
resp = send_winrm_request(winrm_open_shell_msg,timeout)
|
||||
if resp.nil?
|
||||
print_error "Recieved no reply from server"
|
||||
return nil
|
||||
|
|
@ -101,9 +101,9 @@ module Exploit::Remote::WinRM
|
|||
return retval
|
||||
end
|
||||
shell_id = winrm_get_shell_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
|
||||
resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout)
|
||||
cmd_id = winrm_get_cmd_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
|
||||
resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
|
||||
streams = winrm_get_cmd_streams(resp)
|
||||
return streams
|
||||
end
|
||||
|
|
@ -219,94 +219,6 @@ module Exploit::Remote::WinRM
|
|||
::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
|
||||
end
|
||||
|
||||
def send_request_ntlm(data, timeout = 20)
|
||||
opts = {
|
||||
'uri' => datastore['URI'],
|
||||
'data' => data,
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
}
|
||||
ntlm_options = {
|
||||
:signing => false,
|
||||
:usentlm2_session => datastore['NTLM::UseNTLM2_session'],
|
||||
:use_ntlmv2 => datastore['NTLM::UseNTLMv2'],
|
||||
:send_lm => datastore['NTLM::SendLM'],
|
||||
:send_ntlm => datastore['NTLM::SendNTLM']
|
||||
}
|
||||
ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
|
||||
workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
|
||||
domain_name = datastore['DOMAIN']
|
||||
ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
|
||||
workstation_name,
|
||||
ntlmssp_flags))
|
||||
to = opts[:timeout] || timeout
|
||||
begin
|
||||
c = connect(opts)
|
||||
ctype = "application/soap+xml;charset=UTF-8"
|
||||
# First request to get the challenge
|
||||
r = c.request_cgi(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
'headers' => { 'Authorization' => ntlm_message_1},
|
||||
'data' => opts['data']
|
||||
}))
|
||||
resp = c.send_recv(r, to)
|
||||
unless resp.kind_of? Rex::Proto::Http::Response
|
||||
return [nil,nil]
|
||||
end
|
||||
return [nil,nil] if resp.code == 404
|
||||
return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
|
||||
# Get the challenge and craft the response
|
||||
ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1]
|
||||
return [nil,nil] unless ntlm_challenge
|
||||
|
||||
#old and simplier method but not compatible with windows 7/2008r2
|
||||
#ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge)
|
||||
#ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true})
|
||||
ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
|
||||
blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2)
|
||||
challenge_key = blob_data[:challenge_key]
|
||||
server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
|
||||
#netbios name
|
||||
default_name = blob_data[:default_name] || ''
|
||||
#netbios domain
|
||||
default_domain = blob_data[:default_domain] || ''
|
||||
#dns name
|
||||
dns_host_name = blob_data[:dns_host_name] || ''
|
||||
#dns domain
|
||||
dns_domain_name = blob_data[:dns_domain_name] || ''
|
||||
#Client time
|
||||
chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
|
||||
spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}
|
||||
resp_lm,
|
||||
resp_ntlm,
|
||||
client_challenge,
|
||||
ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key,
|
||||
domain_name, default_name, default_domain,
|
||||
dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
|
||||
spnopt, ntlm_options)
|
||||
ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
|
||||
resp_lm, resp_ntlm, '', ntlmssp_flags)
|
||||
ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
|
||||
# Send the response
|
||||
r = c.request_cgi(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
|
||||
'data' => opts['data']
|
||||
}))
|
||||
resp = c.send_recv(r, to, true)
|
||||
unless resp.kind_of? Rex::Proto::Http::Response
|
||||
return [nil,nil]
|
||||
end
|
||||
return [nil,nil] if resp.code == 404
|
||||
return [resp,c]
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error
|
||||
end
|
||||
end
|
||||
|
||||
def accepts_ntlm_auth
|
||||
parse_auth_methods(winrm_poke).include? "Negotiate"
|
||||
end
|
||||
|
|
@ -329,6 +241,17 @@ module Exploit::Remote::WinRM
|
|||
return "/root/cimv2/"
|
||||
end
|
||||
|
||||
def send_winrm_request(data, timeout=20)
|
||||
opts = {
|
||||
'uri' => datastore['URI'],
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD'],
|
||||
'ctype' => "application/soap+xml;charset=UTF-8"
|
||||
}
|
||||
send_request_cgi(opts,timeout)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue