rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Review exploit/windows/winrm/winrm_script_exec #11456

Open bcoles opened 5 years ago

bcoles commented 5 years ago

Review the exploit/windows/winrm/winrm_script_exec module. This module is old and hasn't been maintained.

Why is CmdStager::Flavor deregistered and a ForceVBS option used instead, plus a million other questions.

github-actions[bot] commented 4 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

bcoles commented 3 years ago

The parse_wql_response method in lib/msf/core/exploit/remote/winrm.rb should return something more reasonable than a Table, such as a Hash.

  def parse_wql_response(response)
    return nil if response.nil?
    xml = response.body
    columns = []
    rows = []
    rxml = REXML::Document.new(xml).root
    # REXML does not accept this triple-slash XPath (see the
    # "Unexpected node test" failure below)
    items = rxml.elements["///w:Items"]
    items.elements.to_a("///w:XmlFragment").each do |node|
      row_data = []
      node.elements.to_a.each do |sub_node|
        columns << sub_node.name
        row_data << sub_node.text
      end
      rows << row_data
    end
    columns.uniq!
    response_data = Rex::Text::Table.new(
      'Header'    => "#{datastore['WQL']} (#{rhost})",
      'Indent'    => 1,
      'Columns'   => columns
    )
    rows.each do |row|
      response_data << row
    end
    return response_data
  end

Fortunately, this method is used in only two locations, which makes refactoring easier:

# grep -rn parse_wql_response modules/
modules/exploits/windows/winrm/winrm_script_exec.rb:148:    resp_tbl = parse_wql_response(resp)
modules/auxiliary/scanner/winrm/winrm_wql.rb:52:    resp_tbl = parse_wql_response(resp)

Clearly the XML parsing is also broken:

msf6 exploit(windows/winrm/winrm_script_exec) > rexploit 
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.191.192:4444 
[*] checking for Powershell 2.0
"<s:Envelope xml:lang=\"en-US\" xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse</a:Action><a:MessageID>uuid:0200FAAE-911F-4A02-B4AC-7F0E5CBEB19C</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:35e95139-7199-ff86-0eb8-e361e25458d0</a:RelatesTo></s:Header><s:Body><n:EnumerateResponse><n:EnumerationContext></n:EnumerationContext><w:Items><w:XmlFragment xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:m=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"><AddressWidth>64</AddressWidth></w:XmlFragment></w:Items><w:EndOfSequence/></n:EnumerateResponse></s:Body></s:Envelope>"
[-] Exploit failed: RuntimeError [BUG] Unexpected node test: <:child>: <[:qname, "w", "Items"]>
[*] Exploit completed, but no session was created.
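As an added example (not code from this issue or from the framework), the following shows how the EnumerateResponse quoted above could be parsed with REXML into an Array of Hashes, one Hash per w:XmlFragment keyed by property name, which is the "something more reasonable than a Table" the comment asks for. The sample XML is a constructed, trimmed copy of the response in the issue with a second fragment added to show multi-row results; the names parse_wql_response_to_hashes and wql_columns are assumptions, not framework methods. Fragments are matched by the WS-Management namespace URI rather than by the 'w' prefix, so the parser does not depend on the prefix a server happens to choose.

```ruby
require 'rexml/document'

# WS-Management namespace URI used by w:Items / w:XmlFragment in the response.
WSMAN_NS = 'http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd'

# Constructed sample: the EnumerateResponse from the issue, trimmed to the
# elements the parser needs, plus a second (made-up) fragment for a second row.
SAMPLE_WQL_RESPONSE = <<~XML
  <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope"
      xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
      xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
    <s:Body>
      <n:EnumerateResponse>
        <n:EnumerationContext></n:EnumerationContext>
        <w:Items>
          <w:XmlFragment xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
            <AddressWidth>64</AddressWidth>
          </w:XmlFragment>
          <w:XmlFragment xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
            <AddressWidth>32</AddressWidth>
            <Name>Intel64 Family</Name>
          </w:XmlFragment>
        </w:Items>
        <w:EndOfSequence/>
      </n:EnumerateResponse>
    </s:Body>
  </s:Envelope>
XML

# Constructed sample: a well-formed response whose WQL query matched nothing.
EMPTY_ITEMS_RESPONSE = <<~XML
  <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
      xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
      xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
    <s:Body><n:EnumerateResponse><w:Items/><w:EndOfSequence/></n:EnumerateResponse></s:Body>
  </s:Envelope>
XML

# Hypothetical replacement for parse_wql_response: returns an Array of Hashes
# (one per w:XmlFragment, keyed by child element name), [] when the query
# matched nothing, and nil when the body is missing or not well-formed XML.
def parse_wql_response_to_hashes(xml)
  return nil if xml.nil? || xml.strip.empty?

  root = REXML::Document.new(xml).root
  return nil if root.nil?

  # Bind the 'w' prefix to the WS-Man URI explicitly so matching is by
  # namespace, not by whatever prefix the server used.
  fragments = REXML::XPath.match(root, '//w:XmlFragment', 'w' => WSMAN_NS)

  fragments.map do |fragment|
    fragment.elements.each_with_object({}) do |field, row|
      row[field.name] = field.text.nil? ? nil : field.text.strip
    end
  end
rescue REXML::ParseException
  nil
end

# Ordered union of property names across all rows, for callers (such as the
# scanner module) that still want to render the result as a table.
def wql_columns(rows)
  rows.flat_map(&:keys).uniq
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_wql_response_to_hashes(SAMPLE_WQL_RESPONSE)
  puts "columns: #{wql_columns(rows).inspect}"
  rows.each { |row| puts row.inspect }
end
```

Returning Hashes keeps the transport parsing separate from presentation: the exploit module can read a single property (for example row['AddressWidth']) directly, and the scanner module can build its table from wql_columns(rows) at the point where it prints.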