Land rapid7#5324, fixes rapid7#5318

Meatballs1 · Meatballs1 · commit d2e1fdbbc367 · 2015-05-09T10:49:05.000+01:00
Fixes enum_domain_group_users when running as SYSTEM.
diff --git a/modules/post/windows/gather/enum_domain_group_users.rb b/modules/post/windows/gather/enum_domain_group_users.rb
@@ -7,24 +7,23 @@
 require 'rex'
 
 class Metasploit3 < Msf::Post
-
-  def initialize(info={})
-    super( update_info( info,
-        'Name'          => 'Windows Gather Enumerate Domain Group',
-        'Description'   => %q{ This module extracts user accounts from specified group
-          and stores the results in the loot. It will also verify if session
-          account is in the group. Data is stored in loot in a format that
-          is compatible with the token_hunter plugin. This module should be
-          run over as session with domain credentials.},
-        'License'       => MSF_LICENSE,
-        'Author'        =>
-          [
-            'Carlos Perez <carlos_perez[at]darkoperator.com>',
-            'Stephen Haywood <haywoodsb[at]gmail.com>'
-          ],
-        'Platform'      => [ 'win' ],
-        'SessionTypes'  => [ 'meterpreter' ]
-      ))
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Gather Enumerate Domain Group',
+      'Description'   => %q( This module extracts user accounts from specified group
+        and stores the results in the loot. It will also verify if session
+        account is in the group. Data is stored in loot in a format that
+        is compatible with the token_hunter plugin. This module should be
+        run over as session with domain credentials.),
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Carlos Perez <carlos_perez[at]darkoperator.com>',
+          'Stephen Haywood <haywoodsb[at]gmail.com>'
+        ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ]
+    ))
     register_options(
       [
         OptString.new('GROUP', [true, 'Domain Group to enumerate', nil])
@@ -38,18 +37,16 @@ def run
     cur_domain, cur_user = client.sys.config.getuid.split("\\")
     ltype = "domain.group.members"
     ctype = "text/plain"
-    domain = ""
 
     # Get Data
-    usr_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain")
-    dom_res = run_cmd("net config workstation")
+    usr_res = cmd_exec("net groups \"#{datastore['GROUP']}\" /domain")
 
     # Parse Returned data
     members = get_members(usr_res.split("\n"))
-    domain = get_domain(dom_res.split("\n"))
+    domain = get_env("USERDOMAIN")
 
     # Show results if we have any, Error if we don't
-    if ! members.empty?
+    if !members.empty?
 
       print_status("Found users in #{datastore['GROUP']}")
 
@@ -61,9 +58,9 @@ def run
 
       # Is our current user a member of this domain and group
       if is_member(cur_domain, cur_user, domain, members)
-        print_status("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!!")
+        print_good("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!")
       else
-        print_error("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
+        print_status("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
       end
 
       # Store the captured data in the loot.
@@ -72,7 +69,6 @@ def run
     else
       print_error("No members found for #{datastore['GROUP']}")
     end
-
   end
 
   def get_members(results)
@@ -90,41 +86,21 @@ def get_members(results)
       end
     end
 
-    return members
-  end
-
-  def get_domain(results)
-    domain = ''
-
-    results.each do |line|
-      if line =~ /Workstation domain \s+(.*)/ then domain = $1.strip end
-    end
-
-    return domain
+    members
   end
 
   def is_member(cur_dom, cur_user, dom, users)
-
     member = false
 
     if cur_dom == dom
       users.each do |u|
-        if u.downcase == cur_user.downcase then member = true end
+        if u.downcase == cur_user.downcase
+          member = true
+          break
+        end
       end
     end
 
-    return member
+    member
   end
-  def run_cmd(cmd)
-    process = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
-    res = ""
-    while (d = process.channel.read)
-      break if d == ""
-      res << d
-    end
-    process.channel.close
-    process.close
-    return res
-  end
-
 end
