Security Slideshow

  1. # security proof-of-concept 
  2. # by Dr. Tobias Weltner 
  3. # launches arbitrary software remotely on behalf of 
  4. # the currently logged on person 
  5. # requires Windows Vista/Server 2008 or better 
  6. # requires local admin rights on the target 
  7.  
  8. function Start-ProcessInteractive
  # Purpose: for each host in $computername, register a one-off scheduled
  # task from an XML definition, start it, then delete it, so that
  # "$filepath $arguments" runs inside the session of the user who is
  # interactively logged on there (InteractiveToken principal, see the XML
  # below). Every remote step goes through schtasks.exe /S <host>, which is
  # why the header says local admin rights on the target are required.
  # NOTE(review): this is a web rendering of the script. Several lines are
  # truncated (closing braces/parentheses, a redirection and the here-string
  # terminator are missing); they are marked where they occur. Treat the
  # listing as illustrative, not as runnable code.
  9.   param
  # Parameters (the parentheses around the param block were lost in rendering):
  #   $filepath     - executable placed into <Command>; defaults to powershell.exe
  #   $arguments    - command line placed into <Arguments>. The default is a
  #                   single-quoted string, so $env:windir is NOT expanded
  #                   locally; it reaches the target verbatim and is expanded
  #                   by the powershell.exe the task starts.
  #   $computername - one or more target hosts (mandatory). Each value is
  #                   interpolated, unquoted, into the schtasks command lines
  #                   that Execute-Tool evaluates below.
  10.   $filepath = 'powershell.exe'
  11.   $arguments = '-noprofile -command Get-Date | Out-File $env:windir\testfile.txt'
  12.   [Parameter(Mandatory=$true)] 
  13.   $computername 
  14.   
  15.  
  16.  
  # Evaluates a command-line string with Invoke-Expression and converts a
  # non-zero $LASTEXITCODE into a terminating error carrying the first
  # error record's message.
  # Security: the string is built by the callers below from $jobname,
  # $computer and $env:temp, and is evaluated as PowerShell, so shell
  # metacharacters in a host name supplied as $computername are executed
  # rather than passed as data. Calling schtasks.exe directly with an
  # argument array would avoid that.
  # (Rendering defects: "2>&" on the next line was presumably "2>&1", and
  # the closing braces of the if statement and of the function are missing.)
  17. function Execute-Tool($path) { 
  18.     $r = (Invoke-Expression $path) 2>&
  19.     if ($LASTEXITCODE -ne 0) { Throw $r[0].Exception.Message
  20.   
  21.  
  # Main loop over the target hosts (the opening brace of the script block
  # after ForEach-Object is missing in this rendering).
  22.   $computername | ForEach-Object
  23.     try { 
  # Looks up the interactively logged-on user through WMI. The empty catch
  # swallows every failure (host unreachable, access denied, RPC blocked),
  # so a lookup error is indistinguishable from "nobody logged on" and falls
  # through to the interactive prompt below.
  24.     $username = Get-WmiObject Win32_ComputerSystem -ComputerName $_ |  
  25.     Select-Object -ExpandProperty UserName 
  26.     } catch {} 
  27.     $computer = $_ 
  28.      
  29.     if ($username -eq $null) { 
  # This warning prints the whole $computername parameter rather than the
  # current host ($computer / $_), which is misleading when several hosts
  # were passed.
  30.       Write-Warning "On $computername no user is currently physically logged on." 
  31.       $username = Read-Host "Enter username of logged on user at the remote system" 
  32.      
  33.      if ($username -ne '') { 
  34.  
  35.        
  # Task definition. Security-relevant fields:
  #   <LogonType>InteractiveToken</LogonType> - the task runs in the logged-on
  #       user's existing session with that session's token; no credentials
  #       are stored with the task.
  #   <RunLevel>HighestAvailable</RunLevel>   - asks for the user's elevated
  #       token where that user is a local administrator.
  #   <Hidden>false</Hidden>                  - the task is visible in Task
  #       Scheduler for as long as it exists.
  # $filepath, $arguments and $username are interpolated into the XML with no
  # escaping; values containing <, & or " would produce an invalid document.
  36. $xml = @" 
  37. <?xml version="1.0" encoding="UTF-16"?> 
  38. <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> 
  39.   <RegistrationInfo /> 
  40.   <Triggers /> 
  41.   <Settings> 
  42.     <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> 
  43.     <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> 
  44.     <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> 
  45.     <AllowHardTerminate>true</AllowHardTerminate> 
  46.     <StartWhenAvailable>false</StartWhenAvailable> 
  47.     <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> 
  48.     <IdleSettings /> 
  49.     <AllowStartOnDemand>true</AllowStartOnDemand> 
  50.     <Enabled>true</Enabled> 
  51.     <Hidden>false</Hidden> 
  52.     <RunOnlyIfIdle>false</RunOnlyIfIdle> 
  53.     <WakeToRun>false</WakeToRun> 
  54.     <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> 
  55.     <Priority>7</Priority> 
  56.   </Settings> 
  57.   <Actions Context="Author"> 
  58.     <Exec> 
  59.       <Command>$filepath</Command> 
  60.       <Arguments>$arguments</Arguments> 
  61.     </Exec> 
  62.   </Actions> 
  63.   <Principals> 
  64.     <Principal id="Author"> 
  65.       <UserId>$username</UserId> 
  66.       <LogonType>InteractiveToken</LogonType> 
  67.       <RunLevel>HighestAvailable</RunLevel> 
  68.     </Principal> 
  69.   </Principals> 
  70. </Task> 
  71. "
  # A here-string is closed by "@ on a line of its own; the rendering above
  # shows only a bare quote.
  72.  
  73.        
  74.        
  # A random suffix makes the task name unique per run (closing parenthesis
  # lost in rendering). On the target, registration, start and deletion of
  # the task are each recorded in the Task Scheduler operational log, so a
  # short-lived 'remotejob<number>' task is the artifact a defender would
  # look for.
  75.       $jobname = 'remotejob{0}' -f (Get-Random
  76.        
  77.       try { 
  # The XML is written under a fixed name in the local %TEMP% directory and
  # is not removed anywhere in this listing, so the target host, the user
  # name and the command line stay on disk after the call returns.
  78.         $xml | Out-File "$env:temp\tj1.xml" 
  # Three remote schtasks invocations: create from the XML file, start on
  # demand, delete with /F. (The sleep value on the line after /CREATE was
  # lost in rendering; it gives the task time to start before it is deleted.)
  79.         Execute-Tool "schtasks /CREATE /TN $jobname /XML $env:temp\tj1.xml /S $computer" 
  80.         Start-Sleep -Seconds
  81.         Execute-Tool "schtasks /RUN /TN $jobname /S $computer" 
  82.         Execute-Tool "schtasks /DELETE /TN $jobname /s $computer /F" 
  83.       
  # A failing schtasks call only produces a warning; there is no cleanup
  # here, so a task that was created but whose /RUN or /DELETE failed may be
  # left registered on the target.
  84.       catch { 
  85.         Write-Warning "$_ (trying to access user '$username' on system '$computer')" 
  86.       
  87.     
  88.   
 