@@ -19,13 +19,15 @@ def options(self, context, module_options):
1919 CMD Command to execute
2020 USER User to execute command as
2121 """
22- self .cmd = self .user = self .time = None
22+ self .cmd = self .user = self .task = self . time = None
2323 if "CMD" in module_options :
2424 self .cmd = module_options ["CMD" ]
2525
2626 if "USER" in module_options :
2727 self .user = module_options ["USER" ]
28-
28+ if "TASK" in module_options :
29+ self .task = module_options ["TASK" ]
30+
2931 name = "schtask_as"
3032 description = "Remotely execute a scheduled task as a logged on user"
3133 supported_protocols = ["smb" ]
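Review bot: The new TASK option is stored at `self.task = module_options["TASK"]` without any validation, yet the later hunks interpolate it straight into both the output file path (`f"\\Windows\\Temp\\{self.task}"` in gen_xml) and the registered task name (`tmpName = f"{self.task}"` in execute_handler), so a value containing path separators or dots changes where the result file is written and what gets registered; a conservative check at assignment, e.g. `if self.task is not None and not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", self.task): raise ValueError("TASK must be a plain name")` (with `re` imported at the top, and the raise swapped for the module's usual log-and-return if that is its convention — options() begins above this hunk), would reject such values up front. The options docstring at the top of this hunk lists CMD and USER but not the new option; add a line such as `TASK Name of the scheduled task and of its output file under Windows\Temp (random if omitted)`. The commented-out `#self.__output_filename = ...` and `#tmpName = gen_random_string(8)` left behind in the gen_xml and execute_handler hunks should be deleted rather than kept as history, and `f"{gen_random_string(8)}"` / `f"{self.task}"` are redundant f-string wrappers around values that are already strings. In `__init__`, the parameter name `task2` is unexplained and its insertion before `doKerberos` shifts every positional argument that follows; naming it `task=None` and placing it after the existing keyword defaults would read clearly and keep any other positional caller of TSCH_EXEC working.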
@@ -51,6 +53,7 @@ def on_admin_login(self, context, connection):
5153 connection .domain ,
5254 self .user ,
5355 self .cmd ,
56+ self .task ,
5457 connection .kerberos ,
5558 connection .aesKey ,
5659 connection .host ,
@@ -79,7 +82,7 @@ def on_admin_login(self, context, connection):
7982
8083
8184class TSCH_EXEC :
82- def __init__ (self , target , share_name , username , password , domain , user , cmd , doKerberos = False , aesKey = None , remoteHost = None , kdcHost = None , hashes = None , logger = None , tries = None , share = None ):
85+ def __init__ (self , target , share_name , username , password , domain , user , cmd , task2 , doKerberos = False , aesKey = None , remoteHost = None , kdcHost = None , hashes = None , logger = None , tries = None , share = None ):
8386 self .__target = target
8487 self .__username = username
8588 self .__password = password
@@ -99,6 +102,7 @@ def __init__(self, target, share_name, username, password, domain, user, cmd, do
99102 self .logger = logger
100103 self .cmd = cmd
101104 self .user = user
105+ self .task = task2
102106
103107 if hashes is not None :
104108 if hashes .find (":" ) != - 1 :
@@ -181,7 +185,13 @@ def gen_xml(self, command, fileless=False):
181185 <Command>cmd.exe</Command>
182186"""
183187 if self .__retOutput :
184- self .__output_filename = f"\\ Windows\\ Temp\\ { gen_random_string (6 )} "
188+ if self .task is None :
189+ self .__output_filename = f"\\ Windows\\ Temp\\ { gen_random_string (6 )} "
190+ else :
191+ self .__output_filename = f"\\ Windows\\ Temp\\ { self .task } "
192+
193+
194+ #self.__output_filename = f"\\Windows\\Temp\\{gen_random_string(6)}"
185195 if fileless :
186196 local_ip = self .__rpctransport .get_socket ().getsockname ()[0 ]
187197 argument_xml = f" <Arguments>/C { command } > \\ \\ { local_ip } \\ { self .__share_name } \\ { self .__output_filename } 2>&1</Arguments>"
@@ -208,13 +218,16 @@ def execute_handler(self, command, fileless=False):
208218 dce .set_credentials (* self .__rpctransport .get_credentials ())
209219 dce .connect ()
210220
211- tmpName = gen_random_string (8 )
212-
221+ #tmpName = gen_random_string(8)
222+ if self .task is None :
223+ tmpName = f"{ gen_random_string (8 )} "
224+ else :
225+ tmpName = f"{ self .task } "
213226 xml = self .gen_xml (command , fileless )
214227
215228 self .logger .info (f"Task XML: { xml } " )
216229 taskCreated = False
217- self .logger .info (f"Creating task \\ { tmpName } " )
230+ self .logger .display (f"Creating task \\ { tmpName } " )
218231 try :
219232 # windows server 2003 has no MSRPC_UUID_TSCHS, if it bind, it will return abstract_syntax_not_supported
220233 dce .set_auth_level (RPC_C_AUTHN_LEVEL_PKT_PRIVACY )
@@ -266,7 +279,7 @@ def execute_handler(self, command, fileless=False):
266279 tries = 1
267280 while True :
268281 try :
269- self .logger .info (f"Attempting to read { self .__share } \\ { self .__output_filename } " )
282+ self .logger .display (f"Attempting to read { self .__share } \\ { self .__output_filename } " )
270283 smbConnection .getFile (self .__share , self .__output_filename , self .output_callback )
271284 break
272285 except Exception as e :