Auth successful,Execution command error #3

Open
flowerwind opened this issue Nov 23, 2020 · 10 comments
Assignees
Labels
bug Something isn't working

Comments

@flowerwind

goWMIExec_win_v0.0.1-dev-e.exe -target "192.168.13.103:135" -username "administrator" -hash 976b0b02b3e232e15f934c78b87402ac -command "C:\Windows\system32\cmd.exe /c whoami"
1.6061078325528357e+09 info wmiexec/wmiexec.go:176 Successfully connected to host and sent an RPC request packet
1.6061078325528357e+09 info wmiexec/wmiexec.go:188 Resolved names, all network string bindings for host:
1.606107832553833e+09 info wmiexec/wmiexec.go:197 WIN-MLS4E80HOTO
1.6061078325571969e+09 info wmiexec/wmiexec.go:197 192.168.13.103
1.6061078325571969e+09 info wmiexec/wmiexec.go:205 Using first value as target hostname: WIN-MLS4E80HOTO
1.6061078325601912e+09 info wmiexec/wmiexec.go:300 WMI Access possible!
1.6061078325601912e+09 info wmiexec/wmiexec.go:340 Connecting to 192.168.13.103:49154
1.6061078325641837e+09 error wmiexec/wmiexec.go:476 Error: 2147944183
github.com/C-Sto/goWMIExec/pkg/wmiexec.(*wmiExecer).Exec
/home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/pkg/wmiexec/wmiexec.go:476
github.com/C-Sto/goWMIExec/pkg/wmiexec.WMIExec
/home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/pkg/wmiexec/wmiexec.go:786
main.main
/home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/main.go:41
runtime.main
/opt/hostedtoolcache/go/1.x/x64/src/runtime/proc.go:203
panic:

goroutine 1 [running]:
main.main()
/home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/main.go:43 +0x65c

@C-Sto
Owner

C-Sto commented Nov 23, 2020

that error code is: 0x800706F7 RPC_X_Bad_Stub_Data, which means the server didn't understand the stub that was sent over. This could be because my encoder is broken somewhere (likely), but it also could be that the server doesn't support the process create things (unlikely) - but it's hard to tell because the error message isn't particularly useful (which is my fault).

Is this a test lab environment? is the behavior consistent?

@flowerwind
Author

I have tested it separately on my local machine (Win10 10.0.18363) and virtual machine (win2008serverR2 6.1.7601 Service Pack 1 Build 7601), reporting the same error.

@shadow1ng

I have the same error, whether it uses a hash or a password.

win.exe -target 10.10.10.3 -username administrator -hash xxxxx -command whoami
1.6074018130555408e+09  info    wmiexec/wmiexec.go:176  Successfully connected to host and sent an RPC request packet
1.6074018130555408e+09  info    wmiexec/wmiexec.go:188  Resolved names, all network string bindings for host:
1.6074018130555408e+09  info    wmiexec/wmiexec.go:197          AD2
1.607401813056513e+09   info    wmiexec/wmiexec.go:197          10.10.10.3
1.607401813056513e+09   info    wmiexec/wmiexec.go:205  Using first value as target hostname: AD2
1.6074018134495134e+09  info    wmiexec/wmiexec.go:300  WMI Access possible!
1.6074018134495134e+09  info    wmiexec/wmiexec.go:340  Connecting to 10.10.10.3:49154
1.6074018142953405e+09  error   wmiexec/wmiexec.go:476  Error: 2147944183
github.com/C-Sto/goWMIExec/pkg/wmiexec.(*wmiExecer).Exec
        /home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/pkg/wmiexec/wmiexec.go:476
github.com/C-Sto/goWMIExec/pkg/wmiexec.WMIExec
        /home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/pkg/wmiexec/wmiexec.go:786
main.main
        /home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/main.go:41
runtime.main
        /opt/hostedtoolcache/go/1.x/x64/src/runtime/proc.go:203
panic:

goroutine 1 [running]:
main.main()
        /home/runner/work/goWMIExec/src/github.com/C-Sto/goWMIExec/main.go:43 +0x65c

@C-Sto C-Sto added the bug Something isn't working label Dec 8, 2020
@C-Sto C-Sto self-assigned this Dec 8, 2020
@C-Sto
Owner

C-Sto commented Dec 8, 2020

yeah ok, I'll try and find some time to dig into this at some point in the near future - any additional details would be great

@C-Sto
Owner

C-Sto commented Jul 3, 2021

the bad stub error is being caused by a bad padding value in either the client name (the attacking machine) or the server name (the victim machine)...somewhere. I've 'fixed' the server name problem in this commit 15e254d, the client name problem can be resolved by using -clientname and specifying a value that ends up being the right length (I think odd length values here will work). I'll leave this issue open since it's a terrible, hacky fix, but it should at least work now.

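To show why the length of the client or server name can decide whether the stub decodes: NDR marshals a wchar_t string as max count, offset, actual count, then the UTF-16LE characters plus a NUL terminator, and whatever 4-byte field follows must start on a 4-byte boundary, so a name of even length needs two trailing pad bytes while an odd-length name needs none. This is an added illustration in Go, not goWMIExec's own encoder; it assumes the name fields in the stub are plain NDR conformant varying strings, and the function names are mine.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

func le32(v uint32) []byte { b := make([]byte, 4); binary.LittleEndian.PutUint32(b, v); return b }
func le16(v uint16) []byte { b := make([]byte, 2); binary.LittleEndian.PutUint16(b, v); return b }

// ndrAlign returns how many zero bytes bring a buffer of length n up to the
// next multiple of align (NDR aligns every primitive to its natural size).
func ndrAlign(n, align int) int {
	return (align - n%align) % align
}

// EncodeNdrWString marshals s as an NDR conformant varying wchar_t string:
// max count, offset, actual count (all uint32, counts include the NUL),
// the UTF-16LE code units, the NUL terminator, then padding to a 4-byte
// boundary. It returns the encoded bytes and the number of pad bytes used.
func EncodeNdrWString(s string) ([]byte, int) {
	units := utf16.Encode([]rune(s))
	count := uint32(len(units) + 1) // characters plus terminating NUL
	buf := append(le32(count), le32(0)...)
	buf = append(buf, le32(count)...)
	for _, u := range units {
		buf = append(buf, le16(u)...)
	}
	buf = append(buf, le16(0)...) // NUL terminator
	pad := ndrAlign(len(buf), 4)
	buf = append(buf, make([]byte, pad)...)
	return buf, pad
}

// PadForNameLength gives the pad bytes a name of n characters needs after
// its wchar data: (n+1)*2 bytes is already 4-aligned when n is odd, and
// is 2 bytes short of the boundary when n is even. The 12-byte header is
// itself 4-aligned, so it never changes the answer.
func PadForNameLength(n int) int {
	return ndrAlign((n+1)*2, 4)
}

func main() {
	// Names from the thread plus a constructed even-length one ("HOST").
	for _, name := range []string{"AD2", "WIN-MLS4E80HOTO", "HOST"} {
		b, pad := EncodeNdrWString(name)
		fmt.Printf("%-16s %2d chars -> %2d bytes, %d pad byte(s)\n", name, len(name), len(b), pad)
	}
}
```

A decoder that expects the padding but receives a stub without it (or the reverse) reads the next field from the wrong offset, which is the kind of mismatch the server reports as RPC_X_BAD_STUB_DATA.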
@shadow1ng

shadow1ng commented Jul 3, 2021

1.6253210733894873e+09  info    wmiexec/wmiexec.go:176  Successfully connected to host and sent an RPC request packet
1.6253210733897834e+09  info    wmiexec/wmiexec.go:188  Resolved names, all network string bindings for host:
1.6253210733897834e+09  info    wmiexec/wmiexec.go:197          WIN-D121TOD6D5E
1.6253210733903065e+09  info    wmiexec/wmiexec.go:197          192.168.192.129
1.625321073390828e+09   info    wmiexec/wmiexec.go:205  Using first value as target hostname: WIN-D121TOD6D5E
1.6253210733939745e+09  info    wmiexec/wmiexec.go:300  WMI Access possible!
1.6253210733940475e+09  info    wmiexec/wmiexec.go:340  Connecting to 192.168.192.129:49154
1.625321073396762e+09   error   wmiexec/wmiexec.go:476  Error:  800706f7
github.com/C-Sto/goWMIExec/pkg/wmiexec.(*wmiExecer).Exec
        D:/goWMIExec/pkg/wmiexec/wmiexec.go:476
github.com/C-Sto/goWMIExec/pkg/wmiexec.WMIExec
        D:/goWMIExec/pkg/wmiexec/wmiexec.go:806
main.main
        D:/goWMIExec/main.go:40
runtime.main

go run main.go -t 192.168.192.129 -u administrator -pwd xxxxx -c whoami

However, when used against 127.0.0.1 it succeeded. Can it echo back the output of commands like whoami, though?

@C-Sto
Owner

C-Sto commented Jul 3, 2021

No - you won't be able to see the output of the command, only the PID. The hostname is 15 chars long - let me see if I can reproduce.

@shadow1ng
When the username is Chinese, this tool tends to error out.
wmiexec.py can read the echoed output.

@C-Sto
Owner

C-Sto commented Jul 3, 2021

wmiexec.py uses SMB, and shells out to cmd.exe to execute commands:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py#L269

that is not going to be supported in goWMIExec (though you can do the same operations manually if you really want)

@shadow1ng
Sometimes the timeout is too long.
