Merge pull request Pennyw0rth#812 from Pennyw0rth/neff-fix-wmi

NeffIsBack · web-flow · commit 776b84af8584 · 2025-07-21T11:11:21.000+02:00
Fix command execution in wmi
diff --git a/nxc/protocols/wmi.py b/nxc/protocols/wmi.py
@@ -411,19 +411,20 @@ def wmi(self, wql=None, namespace=None):
     @requires_admin
     def execute(self, command=None, get_output=False):
         output = ""
-        if not command:
-            command = self.args.execute
 
-        if not self.args.no_output:
-            get_output = True
+        # Execution via -x
+        if not command and self.args.execute:
+            command = self.args.execute
+            if not self.args.no_output:
+                get_output = True
 
         if "systeminfo" in command and self.args.exec_timeout < 10:
             self.logger.fail("Execute 'systeminfo' must set the interval time higher than 10 seconds")
-            return False
+            return ""
 
         if self.server_os is not None and "NT 5" in self.server_os:
             self.logger.fail("Execute command failed, not support current server os (version < NT 6)")
-            return False
+            return ""
 
         if self.args.exec_method == "wmiexec":
             exec_method = wmiexec.WMIEXEC(self.remoteName, self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.host, self.aesKey, self.logger, self.args.exec_timeout, self.args.codec)
@@ -436,10 +437,12 @@ def execute(self, command=None, get_output=False):
         self.conn.disconnect()
         if output == "" and get_output:
             self.logger.fail("Execute command failed, probabaly got detection by AV.")
-            return False
-        else:
+            return ""
+        elif self.args.execute and get_output:
             self.logger.success(f'Executed command: "{command}" via {self.args.exec_method}')
             buf = StringIO(output).readlines()
             for line in buf:
                 self.logger.highlight(line.strip())
             return output
+        elif get_output:
+            return output
diff --git a/nxc/protocols/wmi/proto_args.py b/nxc/protocols/wmi/proto_args.py
@@ -17,7 +17,7 @@ def proto_args(parser, parents):
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
     cgroup.add_argument("-x", metavar="COMMAND", dest="execute", type=str, help="Creates a new cmd process and executes the specified command with output")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "wmiexec-event"}, default="wmiexec", help="method to execute the command. (default: wmiexec). [wmiexec (win32_process + StdRegProv)]: get command results over registry instead of using smb connection. [wmiexec-event (T1546.003)]: this method is not very stable, highly recommend use this method in single host, using on multiple hosts may crash (just try again if it crashed).")
-    cgroup.add_argument("--exec-timeout", default=5, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
+    cgroup.add_argument("--exec-timeout", default=3, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
     cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     return parser
 
diff --git a/nxc/protocols/wmi/wmiexec.py b/nxc/protocols/wmi/wmiexec.py
@@ -39,7 +39,6 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__exec_timeout = exec_timeout
         self.__registry_Path = ""
         self.__outputBuffer = ""
-        self.__retOutput = True
 
         self.__shell = "cmd.exe /Q /c "
         self.__pwd = "C:\\"
@@ -53,8 +52,7 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__win32Process, _ = self.__iWbemServices.GetObject("Win32_Process")
 
     def execute(self, command, output=False):
-        self.__retOutput = output
-        if self.__retOutput:
+        if output:
             self.execute_WithOutput(command)
         else:
             command = self.__shell + command
@@ -77,9 +75,16 @@ def execute_WithOutput(self, command):
         keyName = str(uuid.uuid4())
         self.__registry_Path = f"Software\\Classes\\{gen_random_string(6)}"
 
-        command = rf"""{self.__shell} {command} 1> {result_output} 2>&1 && certutil -encodehex -f {result_output} {result_output_b64} 0x40000001 && for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f && del /q /f /s {result_output} {result_output_b64}"""
+        commands = [
+            f"{self.__shell} {command} 1> {result_output} 2>&1",
+            f"{self.__shell} certutil -encodehex -f {result_output} {result_output_b64} 0x40000001",
+            f'{self.__shell} for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f',
+            f"{self.__shell} del /q /f /s {result_output} {result_output_b64}",
+        ]
 
-        self.execute_remote(command)
+        for cmd in commands:
+            self.execute_remote(cmd)
+            time.sleep(0.5)
         self.logger.info(f"Waiting {self.__exec_timeout}s for command completely executed.")
         time.sleep(self.__exec_timeout)
 
@@ -90,13 +95,13 @@ def queryRegistry(self, keyName):
             self.logger.debug(f"Querying registry key: HKLM\\{self.__registry_Path}")
             descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
             descriptor = descriptor.SpawnInstance()
-            retVal = descriptor.GetStringValue(2147483650, self.__registry_Path, keyName)
+            retVal = descriptor.GetStringValue(0x80000002, self.__registry_Path, keyName)
             self.__outputBuffer = base64.b64decode(retVal.sValue).decode(self.__codec, errors="replace").rstrip("\r\n")
         except Exception:
             self.logger.fail("WMIEXEC: Could not retrieve output file, it may have been detected by AV. Please try increasing the timeout with the '--exec-timeout' option. If it is still failing, try the 'smb' protocol or another exec method")
 
         try:
             self.logger.debug(f"Removing temporary registry path: HKLM\\{self.__registry_Path}")
-            retVal = descriptor.DeleteKey(2147483650, self.__registry_Path)
+            retVal = descriptor.DeleteKey(0x80000002, self.__registry_Path)
         except Exception as e:
             self.logger.debug(f"Target: {self.__target} removing temporary registry path error: {e!s}")
