Fixes enum_domain_group_users when running as SYSTEM.
bug/bundler_fix
Meatballs 2015-05-09 10:49:05 +01:00
commit d2e1fdbbc3
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 28 additions and 52 deletions

View File

@ -7,15 +7,14 @@ require 'msf/core'
require 'rex' require 'rex'
class Metasploit3 < Msf::Post class Metasploit3 < Msf::Post
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Windows Gather Enumerate Domain Group', 'Name' => 'Windows Gather Enumerate Domain Group',
'Description' => %q{ This module extracts user accounts from specified group 'Description' => %q( This module extracts user accounts from specified group
and stores the results in the loot. It will also verify if session and stores the results in the loot. It will also verify if session
account is in the group. Data is stored in loot in a format that account is in the group. Data is stored in loot in a format that
is compatible with the token_hunter plugin. This module should be is compatible with the token_hunter plugin. This module should be
run over as session with domain credentials.}, run over as session with domain credentials.),
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
@ -38,15 +37,13 @@ class Metasploit3 < Msf::Post
cur_domain, cur_user = client.sys.config.getuid.split("\\") cur_domain, cur_user = client.sys.config.getuid.split("\\")
ltype = "domain.group.members" ltype = "domain.group.members"
ctype = "text/plain" ctype = "text/plain"
domain = ""
# Get Data # Get Data
usr_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain") usr_res = cmd_exec("net groups \"#{datastore['GROUP']}\" /domain")
dom_res = run_cmd("net config workstation")
# Parse Returned data # Parse Returned data
members = get_members(usr_res.split("\n")) members = get_members(usr_res.split("\n"))
domain = get_domain(dom_res.split("\n")) domain = get_env("USERDOMAIN")
# Show results if we have any, Error if we don't # Show results if we have any, Error if we don't
if !members.empty? if !members.empty?
@ -61,9 +58,9 @@ class Metasploit3 < Msf::Post
# Is our current user a member of this domain and group # Is our current user a member of this domain and group
if is_member(cur_domain, cur_user, domain, members) if is_member(cur_domain, cur_user, domain, members)
print_status("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!!") print_good("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!")
else else
print_error("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}") print_status("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
end end
# Store the captured data in the loot. # Store the captured data in the loot.
@ -72,7 +69,6 @@ class Metasploit3 < Msf::Post
else else
print_error("No members found for #{datastore['GROUP']}") print_error("No members found for #{datastore['GROUP']}")
end end
end end
def get_members(results) def get_members(results)
@ -90,41 +86,21 @@ class Metasploit3 < Msf::Post
end end
end end
return members members
end
def get_domain(results)
domain = ''
results.each do |line|
if line =~ /Workstation domain \s+(.*)/ then domain = $1.strip end
end
return domain
end end
def is_member(cur_dom, cur_user, dom, users) def is_member(cur_dom, cur_user, dom, users)
member = false member = false
if cur_dom == dom if cur_dom == dom
users.each do |u| users.each do |u|
if u.downcase == cur_user.downcase then member = true end if u.downcase == cur_user.downcase
member = true
break
end
end end
end end
return member member
end end
def run_cmd(cmd)
process = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
res = ""
while (d = process.channel.read)
break if d == ""
res << d
end
process.channel.close
process.close
return res
end
end end