msf5 post(windows/manage/run_as) > set CMD ver
CMD => ver
msf5 post(windows/manage/run_as) > set CMDOUT true
CMDOUT => true
msf5 post(windows/manage/run_as) > set USER Administrator
USER => root
msf5 post(windows/manage/run_as) > set PASSWORD reallygoodpassword
PASSWORD => toor
msf5 post(windows/manage/run_as) > set SESSION 1
SESSION => 1
msf5 post(windows/manage/run_as) > set DOMAIN .
DOMAIN => .
msf5 post(windows/manage/run_as) > run
Note that when you run the command with CMDOUT set to True, the output is written to a randomly-generated text file in c:\windows\temp:
msf5 post(windows/manage/run_as) > run
[*] Executing CreateProcessWithLogonW...
[+] Process started successfully, PID: 900
[*] Command Run: cmd.exe /c ver > C:\Windows\Temp\AhEzUrlu.txt
[*] Command output:
Microsoft Windows [Version 10.0.16299.309]
[*] Post module execution completed
After completion, the file is left on disk:
msf5 post(windows/manage/run_as) > sessions -i 1 -C 'dir C:\\Windows\\Temp\\nzrzpzSv.txt'
[*] Running 'dir C:\\Windows\\Temp\\nzrzpzSv.txt' on meterpreter session 1 (192.168.108.217)
100666/rw-rw-rw- 46 fil 2018-04-06 13:44:08 -0500 C:\Windows\Temp\nzrzpzSv.txt
The command should run and return output (which it does). But in the act of returning output, it shouldn't leave behind a text file on disk.
Evidence is left on disk.
NOTE: Counterintuitively, in the event that you turn CMDOUT off, a zero-byte file is written to disk and left behind.
msf5 post(windows/manage/run_as) > version
Framework: 5.0.0-dev-4dc36c0591
Console : 5.0.0-dev-4dc36c0591
msf5 post(windows/manage/run_as) > ruby -v
[*] exec: ruby -v
ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-darwin17]
Mac OS X 10.13.3 (fully patched)
IOCs for the IOC god. ;)
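The leftover file in the report above can be hunted from the defender's side. The following is an added example, not part of the original issue or of the Metasploit project. The event field names, the sample events and the sample listing are constructed, and the eight-letter file name pattern is an assumption inferred from the two file names shown in the report.

```python
import re

# Shape of the "Command Run" line in the report: cmd.exe /c <cmd> > <temp file>.
# The 8-letter name length is inferred from the two names on the page
# (AhEzUrlu.txt, nzrzpzSv.txt); it is an assumption, not a documented property.
REDIRECT_RE = re.compile(
    r"cmd\.exe\s+/c\s+(?P<cmd>.+?)\s*>\s*"
    r"(?P<path>C:\\Windows\\Temp\\[A-Za-z]{8}\.txt)\s*$",
    re.IGNORECASE,
)
LEFTOVER_RE = re.compile(r"^[A-Za-z]{8}\.txt$")


def find_run_as_artifacts(events):
    """Return (pid, command, path) for process-creation events whose command
    line redirects output to a random-looking .txt file in the Windows Temp dir."""
    hits = []
    for ev in events:
        m = REDIRECT_RE.search(ev["command_line"])
        if m:
            hits.append((ev["pid"], m.group("cmd"), m.group("path")))
    return hits


def find_leftover_files(listing):
    """Return (name, size) for Temp entries matching the leftover-file pattern.
    Zero-byte files are kept: the report notes one is written with CMDOUT off."""
    return [(name, size) for name, size in listing if LEFTOVER_RE.match(name)]


# Constructed process-creation events (hypothetical field names).
SAMPLE_EVENTS = [
    {"pid": 900, "command_line": r"cmd.exe /c ver > C:\Windows\Temp\AhEzUrlu.txt"},
    {"pid": 1312, "command_line": r"cmd.exe /c dir > C:\Users\alice\listing.txt"},
    {"pid": 2044, "command_line": r"cmd.exe /c ipconfig > C:\Windows\Temp\setup_log.txt"},
    {"pid": 2210, "command_line": r"notepad.exe C:\Windows\Temp\notes.txt"},
]

# Constructed listing of C:\Windows\Temp as (file name, size in bytes).
SAMPLE_LISTING = [
    ("nzrzpzSv.txt", 46),
    ("qWkdLmPe.txt", 0),
    ("MpCmdRun.log", 1024),
    ("install.txt", 300),
]

if __name__ == "__main__":
    print(find_run_as_artifacts(SAMPLE_EVENTS))
    print(find_leftover_files(SAMPLE_LISTING))
```

Any eight-letter `.txt` name matches the file pattern, so a hit is a lead to correlate with a process-creation event, not a verdict on its own.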
@Auxilus: FYI, when someone assigns themselves to a ticket, that usually means they're going to work on it. Did you coordinate with @asoto-r7 already?
No, sorry, I didn't know that...
Unfortunately it's not really a good signal that they'll have time to work on it anytime soon, and github is limited in who can be assigned. (I just tried it, failed to assign to anyone but a committer). So thanks for help regardless :)
As a note, @Auxilus totally did what I'd intended, which was to give this bug out for anyone who wanted to fix a quick bug and fix it. That's why I tagged it #newbie-friendly, but then I absent-mindedly assigned myself. (/facepalm)
Customarily, though, when someone assigns themselves a bug, it's an indication that they want to fix it. That said, they may not be prioritizing it or they might get distracted, so don't let it keep you from taking something on. If you see something small, something tagged with #newbie-friendly, or that's been lingering for a bit, please take a stab at it!
TL;DR: Thanks @Auxilus! Keep doing what you're doing! 😄
Appreciate the clarification. Thank you both.