# -*- coding: binary -*-
module Msf::Sessions
module Scriptable
def self.included(base)
  # Mixing Scriptable into a session class also hands that class the
  # script-lookup helpers (find_script_path, script_base, ...) as class methods.
  base.extend ClassMethods
end
module ClassMethods
  #
  # If the +script+ exists, return its path. Otherwise return nil
  #
  # Candidates are tried in order: the argument exactly as given (so an
  # absolute or relative path is honoured as-is), then +script+ and
  # +script.rb+ below +script_base+, then the same two below
  # +user_script_base+. Nothing confines the result to those directories,
  # so +script+ must come from the operator, never from session data.
  #
  # @param script [String] script name or path
  # @return [String, nil] the first candidate that is a regular file
  #
  def find_script_path(script)
    # Literal path first, then the framework and user script directories
    candidates = [
      script,
      ::File.join(script_base, "#{script}"),
      ::File.join(script_base, "#{script}.rb"),
      ::File.join(user_script_base, "#{script}"),
      ::File.join(user_script_base, "#{script}.rb")
    ]

    # First regular file wins; nil when none of them exists
    candidates.find { |candidate| ::File.file?(candidate) }
  end

  # Framework-wide script directory for this session type
  def script_base
    ::File.join(Msf::Config.script_directory, self.type)
  end

  # Per-user script directory for this session type
  def user_script_base
    ::File.join(Msf::Config.user_script_directory, self.type)
  end
end
#
# Override
#
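def execute_file(*_args)
  # Abstract hook: the including session class must implement it with the
  # signature +execute_file(full_path, args)+ used by +execute_script+.
  # Accepting any arity here means a missing override surfaces as
  # NotImplementedError instead of an ArgumentError raised at the call site.
  raise NotImplementedError
end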
#
# Maps legacy Meterpreter script names to replacement post modules
#
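# Legacy script name => reference name of the replacement module. Values
# are only used to build the deprecation hint printed by +execute_script+;
# nothing is loaded or run from this table. Built once and frozen so the
# lookup does not rebuild the hash on every call.
LEGACY_SCRIPT_REPLACEMENTS = {
  'arp_scanner' => 'post/windows/gather/arp_scanner',
  'autoroute' => 'post/multi/manage/autoroute',
  'checkvm' => 'post/windows/gather/checkvm',
  'credcollect' => 'post/windows/gather/credentials/credential_collector',
  'domain_list_gen' => 'post/windows/gather/enum_domain_group_users',
  'dumplinks' => 'post/windows/gather/dumplinks',
  'duplicate' => 'post/windows/manage/multi_meterpreter_inject',
  'enum_chrome' => 'post/windows/gather/enum_chrome',
  'enum_firefox' => 'post/windows/gather/enum_firefox',
  'enum_logged_on_users' => 'post/windows/gather/enum_logged_on_users',
  'enum_powershell_env' => 'post/windows/gather/enum_powershell_env',
  'enum_putty' => 'post/windows/gather/enum_putty_saved_sessions',
  'enum_shares' => 'post/windows/gather/enum_shares',
  'file_collector' => 'post/windows/gather/enum_files',
  'get_application_list' => 'post/windows/gather/enum_applications',
  'get_env' => 'post/multi/gather/env',
  'get_filezilla_creds' => 'post/windows/gather/credentials/filezilla_server',
  'get_pidgin_creds' => 'post/multi/gather/pidgin_cred',
  'get_local_subnets' => 'post/multi/manage/autoroute',
  'get_valid_community' => 'post/windows/gather/enum_snmp',
  'getcountermeasure' => 'post/windows/manage/killav',
  'getgui' => 'post/windows/manage/enable_rdp',
  'getvncpw' => 'post/windows/gather/credentials/vnc',
  'hashdump' => 'post/windows/gather/smart_hashdump',
  'hostsedit' => 'post/windows/manage/inject_host',
  'keylogrecorder' => 'post/windows/capture/keylog_recorder',
  'killav' => 'post/windows/manage/killav',
  'metsvc' => 'exploit/windows/local/persistence',
  'migrate' => 'post/windows/manage/migrate',
  'panda_2007_pavsrv51' => 'exploit/windows/local/service_permissions',
  'pml_driver_config' => 'exploit/windows/local/service_permissions',
  'packetrecorder' => 'post/windows/manage/rpcapd_start',
  'persistence' => 'exploit/windows/local/persistence',
  'prefetchtool' => 'post/windows/gather/enum_prefetch',
  'remotewinenum' => 'post/windows/gather/wmic_command',
  'schelevator' => 'exploit/windows/local/ms10_092_schelevator',
  'screen_unlock' => 'post/windows/escalate/screen_unlock',
  'screenspy' => 'post/windows/gather/screen_spy',
  'search_dwld' => 'post/windows/gather/enum_files',
  # same 'exploit/' prefix as the other local exploit entries, so the
  # printed hint is a module name the user can actually run
  'service_permissions_escalate' => 'exploit/windows/local/service_permissions',
  'sound_recorder' => 'post/multi/manage/record_mic',
  'srt_webdrive_priv' => 'exploit/windows/local/service_permissions',
  'uploadexec' => 'post/windows/manage/download_exec',
  'webcam' => 'post/windows/manage/webcam',
  'wmic' => 'post/windows/gather/wmic_command',
}.freeze

#
# Looks up the replacement module for a legacy Meterpreter script.
#
# @param script_name [String] legacy script name as typed by the operator
# @return [String, nil] reference name of the replacement module, or nil
#   when +script_name+ has no known replacement
#
def legacy_script_to_post_module(script_name)
  LEGACY_SCRIPT_REPLACEMENTS[script_name]
end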
#
# Executes the supplied script, Post module, or local Exploit module with
# arguments +args+
#
# Will search the script path.
#
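# @param script_name [String] a module reference name (post/... or a local
#   exploit), or a legacy script name/path resolved via +find_script_path+.
#   Script lookup honours a literal path, so this value must be supplied by
#   the operator and never be derived from data received over the session.
# @param args [Array<String>] +KEY=value+ pairs for a module, or raw
#   arguments handed to +execute_file+ for a script
# @return [Object, nil] whatever the module runner returns; nil when the
#   script could not be found or raised
def execute_script(script_name, *args)
  post_module = legacy_script_to_post_module(script_name)

  if post_module
    print_warning("Meterpreter scripts are deprecated. Try #{post_module}.")
    print_warning("Example: run #{post_module} OPTION=value [...]")
  end

  mod = framework.modules.create(script_name)
  if mod
    # Don't report module run events here as it will be taken care of
    # in +Post.run_simple+
    opts = execute_script_options(args)

    if mod.type == "post"
      execute_post_module(mod, opts)
    elsif mod.type == "exploit" && mod.exploit_type == "local"
      execute_local_exploit(mod, opts)
    else
      # remote exploits, auxiliary, ... have no session-side runner; say so
      # rather than silently doing nothing
      print_error("Only post and local exploit modules can be run from a session: #{script_name}")
    end
  else
    execute_script_file(script_name, args)
  end
end

private

# Turns +KEY=value+ arguments into a module options hash seeded with this
# session's id. Keys are downcased because the datastore is case-insensitive
# but a plain Hash is not.
def execute_script_options(args)
  opts = { 'SESSION' => self.sid }
  args.each do |arg|
    k, v = arg.to_s.split("=", 2)
    # an empty argument yields no key; skip it instead of calling nil.downcase
    next if k.nil? || k.empty?
    # case doesn't matter in datastore, but it does in hashes, let's normalize
    opts[k.downcase] = v
  end
  opts
end

# Runs post module +mod+ in the foreground against this session.
def execute_post_module(mod, opts)
  mod.run_simple(
    # Run with whatever the default stance is for now. At some
    # point in the future, we'll probably want a way to force a
    # module to run in the background
    #'RunAsJob' => true,
    'LocalInput' => self.user_input,
    'LocalOutput' => self.user_output,
    'Options' => opts
  )
end

# Runs local exploit +mod+ through this session, defaulting its options to
# the datastore of the exploit that produced the session.
def execute_local_exploit(mod, opts)
  # get a copy of the session exploit's datastore if we can; a session with
  # no recorded exploit contributes nothing rather than raising here
  original_exploit_datastore = (self.exploit && self.exploit.datastore) || {}
  copy_of_orig_exploit_datastore = original_exploit_datastore.clone

  # convert datastore opts to a hash to normalize casing issues
  local_exploit_opts = {}
  copy_of_orig_exploit_datastore.each do |k, v|
    local_exploit_opts[k.downcase] = v
  end

  # we don't want to inherit a couple things, like AutoRunScript's
  %w{AutoRunScript InitialAutoRunScript LPORT TARGET}.each do |setting|
    local_exploit_opts.delete(setting.downcase)
  end

  # merge in any opts that were passed in, defaulting all other settings
  # to the values from the datastore (of the exploit) that spawned the
  # session
  local_exploit_opts = local_exploit_opts.merge(opts)

  mod.exploit_simple(
    'Payload' => local_exploit_opts.delete('payload'),
    'Target' => local_exploit_opts.delete('target'),
    'LocalInput' => self.user_input,
    'LocalOutput' => self.user_output,
    'Options' => local_exploit_opts
  )
end

# Locates and runs a legacy session script, logging and reporting any
# failure instead of letting it escape to the console.
def execute_script_file(script_name, args)
  full_path = self.class.find_script_path(script_name)

  if full_path.nil?
    print_error("The specified #{self.type} session script could not be found: #{script_name}")
    return
  end

  begin
    execute_file(full_path, args)
    framework.events.on_session_script_run(self, full_path)
  rescue StandardError => e
    elog("Could not execute #{script_name}: #{e.class} #{e}", error: e)
    print_error("Could not execute #{script_name}: #{e.class} #{e}")
  end
end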
end
end