Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web-Based Enterprise Management (WBEM), which uses Managed Object Format (MOF) to create Common Information Model (CIM) classes. The security community was actually unfamiliar with the evilness of this technology until the birth of Stuxnet, which used a MOF file to exploit a vulnerability allowing the attacker to create files via a fake Printer Spooler service. This technique was later reverse-engineered and demonstrated in Metasploit’s ms10_061_spoolss.rb module, and that significantly changed how we approach write-privilege attacks. Generally speaking, if you find yourself being able to write to system32, you can most likely take advantage of this technique.
To to able to use the
WBemExec mixin, you must meet these requirements:
- Write permission to C:\Windows\System32\
- Write permission to C:\Windows\System32\Wbem\
- The target must NOT be newer than Windows Vista (so mostly good for XP, Win 2003, or older). This is more of a limitation from the API, not the technique. Newer Windows operating systems need the MOF file to be pre-compiled first.
First, include the
WbemExec mixin under the scope of your
MetasploitModule class. You will also need the
EXE mixin to generate an executable:
include Msf::Exploit::EXE include Msf::Exploit::WbemExec
Next, generate a payload name and the executable:
payload_name = "evil.exe" exe = generate_payload_exe
And then generate the mof file using the
generate_mof method. The first argument should be the name of the mof file, and the second argument is the payload name:
mof_name = "evil.mof" mof = generate_mof(mof_name, payload_name)
Now you’re ready to write/upload your files to the target machine. Always make sure you upload the payload executable first to
upload_file_to_system32(payload_name, exe) # Write your own upload method
And then now you can upload the mof file to
upload_mof(mof_name, mof) # Write your own upload method
Once the mof file is uploaded, the Windows Management Service should pick that up and execute it, which will end up executing your payload in system32. Also, the mof file will automatically be moved out of the mof directory after use.