Land rapid7#3265 - Windows Post Manage Change Password

wchen-r7 · wchen-r7 · commit 54346f3f92fd · 2014-04-15T18:45:48.000-05:00
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
@@ -84,6 +84,13 @@ def self.create_dll(dll_path = 'netapi32')
         ['LPVOID','buffer','in']
     ])
 
+    dll.add_function('NetUserChangePassword', 'DWORD', [
+      ["PWCHAR","domainname","in"],
+      ["PWCHAR","username","in"],
+      ["PWCHAR","oldpassword","in"],
+      ["PWCHAR","newpassword","in"]
+    ])
+
     return dll
   end
 
diff --git a/modules/post/windows/manage/change_password.rb b/modules/post/windows/manage/change_password.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                 => "Windows Manage Change Password",
+      'Description'          => %q{
+        This module will attempt to change the password of the targetted account.
+        Its main purpose is when you have valid credentials on a remote host but
+        they require a password change before you can login e.g.
+        'System error 1907 has occurred.'
+      },
+      'License'              => MSF_LICENSE,
+      'Platform'             => ['win'],
+      'SessionTypes'         => ['meterpreter'],
+      'Author'               => ['Ben Campbell']
+    ))
+
+    register_options(
+      [
+        OptString.new('SMBDomain', [false, 'Domain or Host to change password on, if not set will use the current login domain', nil]),
+        OptString.new('SMBUser', [true, 'Username to change password of']),
+        OptString.new('OLD_PASSWORD', [true, 'Original password' ]),
+        OptString.new('NEW_PASSWORD', [true, 'New password' ]),
+      ], self.class)
+  end
+
+  def run
+    unless client.railgun
+      print_error('This module requires a native windows payload that supports railgun.')
+      return
+    end
+
+    domain = datastore['SMBDomain']
+    username = datastore['SMBUser']
+    old_password = datastore['OLD_PASSWORD']
+    new_password = datastore['NEW_PASSWORD']
+    print_status("Changing #{domain}\\#{username} password to #{new_password}...")
+    result = client.railgun.netapi32.NetUserChangePassword(
+      domain,
+      username,
+      old_password,
+      new_password
+    )
+
+    case result['return']
+    when 0x05
+      err_msg = 'ERROR_ACCESS_DENIED'
+    when 0x56
+      err_msg = 'ERROR_INVALID_PASSWORD'
+    when 0x92f
+      err_msg = 'NERR_InvalidComputer'
+    when 0x8b2
+      err_msg = 'NERR_NotPrimary'
+    when 0x8ad
+      err_msg = 'NERR_UserNotFound'
+    when 0x8c5
+      err_msg = 'NERR_PasswordTooShort'
+    when 0
+      print_good('Password change successful.')
+    else
+      err_msg = "unknown error code: #{result['return']}"
+    end
+
+    if err_msg
+      print_error("Password change failed, #{err_msg}.")
+    end
+
+  end
+
+end
+
