byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Crash when running 'net user' command #127

Closed juushya closed 7 years ago

juushya commented 8 years ago

Steps to reproduce

cme -v
3.1.3 - 'Stoofvlees'

Run the following command:

Command string used

cme --verbose DC-victim -d VictimDomain -u DomainAdmin1 -p password -x 'net user DomainAdmin2 /domain'

CME verbose output (using the --verbose flag)

08-15-2016 18:17:06 CME          1.2.3.4:445 DC-victim      [*] Windows 6.1 Build 7601 (name:DC-victim) (domain:VictimDomain)
08-15-2016 18:17:06 CME          1.2.3.4:445 DC-victim      [+] VictimDomain\DomainAdmin1:password (Pwn3d!)
08-15-2016 18:17:06 DEBUG                                          Target system is 1.2.3.4 and isFDQN is False
08-15-2016 18:17:06 DEBUG                                          StringBinding: \\DC-victim[\PIPE\atsvc]
08-15-2016 18:17:06 DEBUG                                          StringBinding: DC-victim[49154]
08-15-2016 18:17:06 DEBUG                                          StringBinding: 1.2.3.4[49154]
08-15-2016 18:17:06 DEBUG                                          StringBinding chosen: ncacn_ip_tcp:1.2.3.4[49154]
08-15-2016 18:17:07 DEBUG                                          Executed command via wmiexec
08-15-2016 18:17:07 DEBUG                                          Executing command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\oNrlzI 2>&1
08-15-2016 18:17:07 DEBUG                                          Executing command: cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\mMqwzj 2>&1
08-15-2016 18:17:07 DEBUG                                          Executing command: cmd.exe /Q /c net user DomainAdmin2 /domain 1> \\127.0.0.1\C$\Windows\Temp\HVAsPy 2>&1
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-3.1.3-py2.7.egg/cme/connector.py", line 125, in connector
    output = connection.execute(args.command, get_output=get_output)
  File "/usr/local/lib/python2.7/dist-packages/crackmapexec-3.1.3-py2.7.egg/cme/connection.py", line 335, in execute
    return u'{}'.format(output.strip().decode('utf-8'))
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xe0 in position 141: invalid continuation byte
<Greenlet at 0x440c9b0: connector('1.2.3.4', Namespace(command='net user DomainAdmin2 /domai, <cme.database.CMEDatabase instance at 0x48cc998>, None, None, None)> failed with UnicodeDecodeError

08-15-2016 18:17:10 [*] KTHXBYE!

OS

Linux 3.5.0-54-generic #81~precise1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

Target OS

Windows 2003 Server R1 (Windows 6.1 Build 7601)

Issue description

'net user' command is run as Domain Administrator.

byt3bl33d3r commented 8 years ago

Can you give me the output of the net user command? This is a Unicode issue which is still a problem throughout the tool.

juushya commented 8 years ago

Hi,

Here's the snipped output of the 'net group "Domain Admins" /DOMAIN' command:

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
admin.1            DomainAdmin2          DomainAdmin1              
admin.2
...
...

The command completed successfully.

This user is a valid, active user (Domain Admin).

Open-Sec commented 7 years ago

Just change to ISO-8859-1 at connection.py (line 478) and it works. At least for 3.1.5 version.
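The traceback above is the general failure mode behind this issue: wmiexec redirects the command's stdout to a file on the target, reads the raw bytes back over SMB, and `connection.py` decodes them as strict UTF-8. cmd.exe started without `/U` writes redirected output in the console's OEM code page (437 on US-English systems, 850 on most Western European ones), not UTF-8, so the first non-ASCII character in a user name, full name or comment raises `UnicodeDecodeError`. Switching the decode to ISO-8859-1 stops the crash because latin-1 maps every byte, but it does not recover the text: the byte 0xe0 from the traceback is 'à' in latin-1, 'α' in cp437 and 'Ó' in cp850. The Python 3 block below is an added example, not CrackMapExec's own code, showing how to locate the offending byte, decode with a caller-supplied OEM code page (taken from `chcp` on the target) instead of crashing, and compare what the same bytes mean under different code pages. `SAMPLE_OUTPUT` is constructed, not real `net user` output.

```python
"""Decode cmd.exe output captured over SMB without a UnicodeDecodeError.

cmd.exe without /U writes redirected output in the console's OEM code page,
so strict .decode('utf-8') fails on the first non-ASCII byte. Python 3.
"""

# Constructed sample, not real output: a 'net user' listing whose Full Name
# field holds two bytes (0xe9, 0xe0) that are single characters in OEM and
# Latin code pages but invalid UTF-8 sequences on their own.
SAMPLE_OUTPUT = (
    b"User name                    DomainAdmin2\r\n"
    b"Full Name                    Jos\xe9 \xe0lvarez\r\n"
    b"Account active               Yes\r\n"
    b"The command completed successfully.\r\n"
)


def find_undecodable_byte(raw, encoding="utf-8"):
    """Return (position, byte value) of the first byte the codec rejects,
    the same two facts the UnicodeDecodeError message reports ("byte 0xe0 in
    position 141"), or None if the bytes decode cleanly."""
    try:
        raw.decode(encoding)
    except UnicodeDecodeError as exc:
        return exc.start, raw[exc.start]
    return None


def decode_cmd_output(raw, oem_codepage="cp437"):
    """Decode redirected cmd.exe output and return (text, encoding_used).

    Strict UTF-8 is tried first: it is correct for the common all-ASCII case
    and rejects OEM bytes loudly instead of silently mangling them. On failure
    the bytes are decoded with the target's OEM code page; take it from `chcp`
    on the target (437, 850, 866, ...). Single-byte code pages map all 256
    values, so the fallback itself never raises.
    """
    raw = raw.strip()
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode(oem_codepage), oem_codepage


def decode_variants(raw, codepages=("cp437", "cp850", "latin-1")):
    """Decode the same bytes under several code pages, to show why picking
    ISO-8859-1 blindly stops the crash but does not recover the text."""
    return {cp: raw.decode(cp) for cp in codepages}


if __name__ == "__main__":
    pos, byte = find_undecodable_byte(SAMPLE_OUTPUT)
    print("first undecodable byte: 0x%02x at position %d" % (byte, pos))
    text, used = decode_cmd_output(SAMPLE_OUTPUT, oem_codepage="cp850")
    print("decoded with %s:\n%s\n" % (used, text))
    full_name_line = SAMPLE_OUTPUT.splitlines()[1]
    for cp, txt in decode_variants(full_name_line).items():
        print("%-8s %s" % (cp, txt))
```

If changing the decode is not an option, the other fix is at the source: `cmd.exe /U` writes the output of internal commands redirected to a file as UTF-16LE, which can then be decoded unambiguously with `utf-16-le`; that means changing the command string wmiexec builds, not just the decoder.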