Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'ruby_smb/dcerpc/client'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::SMB::Client::Authenticated
10
  include Msf::Exploit::Remote::DCERPC
11
  include Msf::Auxiliary::Report
12
  include Msf::Exploit::Remote::MsSamr::Computer
13
  include Msf::OptionalSession::SMB
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'SAMR Computer Management',
20
        'Description' => %q{
21
          Add, lookup and delete computer / machine accounts via MS-SAMR. By default
22
          standard active directory users can add up to 10 new computers to the
23
          domain. Administrative privileges however are required to delete the
24
          created accounts.
25
        },
26
        'License' => MSF_LICENSE,
27
        'Author' => [
28
          'JaGoTu', # @jagotu Original Impacket code
29
          'Spencer McIntyre',
30
        ],
31
        'References' => [
32
          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
33
        ],
34
        'Notes' => {
35
          'Reliability' => [],
36
          'Stability' => [],
37
          'SideEffects' => [ IOC_IN_LOGS ]
38
        },
39
        'Actions' => [
40
          [ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
41
          [ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],
42
          [ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]
43
        ],
44
        'DefaultAction' => 'ADD_COMPUTER'
45
      )
46
    )
47

48
    register_options([
49
      OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),
50
      Opt::RPORT(445)
51
    ])
52
  end
53

54
  def run
55
    send("action_#{action.name.downcase}")
56
  rescue MsSamrConnectionError => e
57
    fail_with(Failure::Unreachable, e.message)
58
  rescue MsSamrAuthenticationError => e
59
    fail_with(Failure::NoAccess, e.message)
60
  rescue MsSamrNotFoundError => e
61
    fail_with(Failure::NotFound, e.message)
62
  rescue MsSamrBadConfigError => e
63
    fail_with(Failure::BadConfig, e.message)
64
  rescue MsSamrUnexpectedReplyError => e
65
    fail_with(Failure::UnexpectedReply, e.message)
66
  rescue MsSamrUnknownError => e
67
    fail_with(Failure::Unknown, e.message)
68
  end
69

70
  def action_add_computer
71
    with_ipc_tree do |opts|
72
      add_computer(opts)
73
    end
74
  end
75

76
  def action_delete_computer
77
    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
78
    with_ipc_tree do |opts|
79
      delete_computer(opts)
80
    end
81
  end
82

83
  def action_lookup_computer
84
    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
85
    with_ipc_tree do |opts|
86
      lookup_computer(opts)
87
    end
88
  end
89

90
  # @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.
91
  # @return [void]
92
  def with_ipc_tree
93
    opts = {}
94
    if session
95
      print_status("Using existing session #{session.sid}")
96
      client = session.client
97
      self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
98
      opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")
99
    end
100

101
    yield opts
102
  ensure
103
    opts[:tree].disconnect! if opts[:tree]
104
  end
105
end
106

107