modules/post/windows/manage/remove_host.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Manage Host File Entry Removal',
'Description' => %q{
This module allows the attacker to remove an entry from the Windows hosts file.
},
'License' => BSD_LICENSE,
'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
core_channel_close
core_channel_eof
core_channel_open
core_channel_read
core_channel_tell
core_channel_write
]
}
}
)
)
register_options(
[
OptString.new('DOMAIN', [ true, 'Domain name to remove from the hosts file.' ])
]
)
end
def run
hosttoremove = datastore['DOMAIN']
# remove hostname from hosts file
fd = client.fs.file.new('C:\\WINDOWS\\System32\\drivers\\etc\\hosts', 'r+b')
# Get a temporary file path
meterp_temp = Tempfile.new('meterp')
meterp_temp.binmode
temp_path = meterp_temp.path
print_status("Removing hosts file entry pointing to #{hosttoremove}")
newfile = ''
fdray = fd.read.split("\r\n")
fdray.each do |line|
unless line.match("\t#{hosttoremove}$")
newfile += "#{line}\r\n"
end
end
fd.close
meterp_temp.write(newfile)
meterp_temp.close
client.fs.file.upload_file('C:\\WINDOWS\\System32\\drivers\\etc\\hosts', meterp_temp)
print_good('Done!')
end
end