Module: Msf::Post::Windows::WMIC

Includes:
File, ExtAPI
Included in:
ShadowCopy
Defined in:
lib/msf/core/post/windows/wmic.rb


Methods included from ExtAPI

#load_extapi

Methods included from File

#append_file, #cd, #directory?, #exist?, #expand_path, #file?, #file_local_digestmd5, #file_local_digestsha1, #file_local_digestsha2, #file_local_write, #file_remote_digestmd5, #file_remote_digestsha1, #file_remote_digestsha2, #file_rm, #pwd, #read_file, #rename_file, #rm_f, #upload_file, #write_file

Instance Method Details

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/post/windows/wmic.rb', line 12

# Registers the datastore options this mixin relies on, then defers to the including class.
#
# SMBUser/SMBPass/SMBDomain are optional and only apply to remote nodes; RHOST selects the
# WMIC node (local by default) and TIMEOUT bounds how long wmic_query waits for the process.
#
# @param info [Hash] module info forwarded to super
def initialize(info = {})
  super

  wmic_options = [
    OptString.new('SMBUser', [false, 'The username to authenticate as']),
    OptString.new('SMBPass', [false, 'The password for the specified username']),
    OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication']),
    OptAddress.new('RHOST', [true, 'Target address range', 'localhost']),
    OptInt.new('TIMEOUT', [true, 'Timeout for WMI command in seconds', 10])
  ]
  register_options(wmic_options, self.class)
end

#parse_wmic_result(result_text) ⇒ Object


# File 'lib/msf/core/post/windows/wmic.rb', line 83

# Extracts the process id and return value from the text WMIC prints after
# `process call create`.
#
# @param result_text [String, nil] raw WMIC output
# @return [Hash, nil] nil when the output is blank; otherwise a hash with
#   :return (Integer or nil), :pid (Integer or nil) and :text (the raw output).
#   Either integer is nil when its line is absent from the output.
def parse_wmic_result(result_text)
  return nil if result_text.blank?

  pid_match = result_text.match(/ProcessId = (\d+);/)
  rv_match = result_text.match(/ReturnValue = (\d+);/)

  {
    :return => rv_match && rv_match[1].to_i,
    :pid => pid_match && pid_match[1].to_i,
    :text => result_text
  }
end

#wmic_command(cmd, server = datastore['RHOST']) ⇒ Object


# File 'lib/msf/core/post/windows/wmic.rb', line 66

# Launches `cmd` through WMIC (`process call create`) on the given node and
# parses the result.
#
# @param cmd [String] command line to run; embedded double quotes are escaped
#   so the whole command survives as one WMIC argument
# @param server [String] node to run on; defaults to datastore['RHOST']
# @return [Hash, nil] the parse_wmic_result hash, or nil when WMIC produced
#   no output (an error is logged at verbose level in that case)
def wmic_command(cmd, server=datastore['RHOST'])
  escaped_cmd = cmd.gsub('"','\\"')
  result_text = wmic_query("process call create \"#{escaped_cmd}\"", server)

  parsed_result =
    if result_text.blank?
      nil
    else
      vprint_status("[#{server}] WMIC Command Result:")
      vprint_line(result_text)
      parse_wmic_result(result_text)
    end

  vprint_error("[#{server}] WMIC Command Error") if parsed_result.nil?

  parsed_result
end

#wmic_query(query, server = datastore['RHOST']) ⇒ Object


# File 'lib/msf/core/post/windows/wmic.rb', line 24

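# Runs a WMIC query on the session host (optionally against a remote node)
# and returns its text output.
#
# Output is captured via the clipboard when the extapi extension loads,
# otherwise via a random temporary file under %TEMP% that is removed afterwards.
#
# Fix: the local-address check used `starts_with("127.")`, which is not a
# core String method (core is `start_with?`), so any remote server with
# SMBUser set raised NoMethodError instead of proceeding.
#
# @param query [String] WMIC arguments to run (e.g. "process call create ...")
# @param server [String] node to target; defaults to datastore['RHOST']
# @return [String] captured WMIC output ("" when nothing was captured)
# @raise [RuntimeError] when SMBUser is set and the server is a local address
def wmic_query(query, server=datastore['RHOST'])
  extapi = load_extapi

  if datastore['SMBUser']
    # Explicit credentials are only meaningful for remote nodes.
    if server.downcase == "localhost" || server.downcase.start_with?("127.")
      raise RuntimeError, "WMIC: User credentials cannot be used for local connections"
    end
  end

  if extapi
    # Clear the clipboard first so stale contents cannot be read back as output.
    session.extapi.clipboard.set_text("")
    wcmd = "wmic #{wmic_user_pass_string}/output:CLIPBOARD /INTERACTIVE:off /node:#{server} #{query}"
  else
    tmp = session.fs.file.expand_path("%TEMP%")
    out_file = "#{tmp}\\#{Rex::Text.rand_text_alpha(8)}"
    wcmd = "wmic #{wmic_user_pass_string}/output:#{out_file} /INTERACTIVE:off /node:#{server} #{query}"
  end

  # NOTE: when credentials are set, wcmd contains SMBPass in clear text, so this
  # verbose line and the spawned process's command line both expose it.
  vprint_status("[#{server}] #{wcmd}")

  # We don't use cmd_exec as WMIC cannot be Channelized
  ps = session.sys.process.execute(wcmd, nil, {'Hidden' => true, 'Channelized' => false})
  # NOTE(review): the wait result is not checked, so on timeout the process is
  # left running and the output read below may be incomplete — confirm intended.
  session.railgun.kernel32.WaitForSingleObject(ps.handle, (datastore['TIMEOUT'] * 1000))
  ps.close

  if extapi
    result = session.extapi.clipboard.get_data.first
    if result[1].has_key? 'Text'
      result_text = result[1]['Text']
    else
      result_text = ""
    end
  else
    # [1..-1] drops the first character of the converted output — presumably a
    # byte-order-mark remnant of WMIC's UTF-16 file output; confirm.
    result_text = Rex::Text.to_ascii(read_file(out_file))[1..-1]
    file_rm(out_file)
  end

  result_text
end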

#wmic_user_pass_string(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass']) ⇒ Object


# File 'lib/msf/core/post/windows/wmic.rb', line 102

# Builds the `/user:... /password:...` prefix for a WMIC command line.
#
# The returned string ends with a trailing space so it can be concatenated
# directly in front of the next switch. Because the password lands on the
# command line of the spawned wmic process, it is visible in process listings
# on the host.
#
# @param domain [String, nil] Windows domain; when nil the bare user is used
# @param user [String, nil] account name; when nil an empty string is returned
# @param pass [String, nil] password; interpolated as-is (nil becomes "")
# @return [String] credential switches, or "" when no user is set
def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
  return "" if user.nil?

  account = domain.nil? ? user : "#{domain}\\#{user}"
  "/user:\"#{account}\" /password:\"#{pass}\" "
end